Competitive intelligence versus industrial espionage

Every organization should be aware of the types of techniques competitors use to gather intelligence on their business or operations. It sometimes catches you by surprise to learn of the types of activity your competitors engage in. A friend of mine once interviewed at one of the Big Four accounting firms (PwC, KPMG, E&Y, Deloitte). The person she interviewed with was ex-agency (CIA, NSA, FBI). The questions she had to answer were very telling:

1.    You are sitting on an airplane next to a consultant from a competing organization. He has his laptop open and is working on a proposal. Do you lean back and read that proposal?

2.    The airline passenger gets up to go to the bathroom, leaving a folder of documents on his seat. Do you leaf through it?

3.    You find some key documents in a hotel lobby relating to a competitor’s bid on the same project you are working on. Do you keep the documents or turn them in to the hotel unread?

Yes, large companies do employ people who are charged with gathering this type of information. There are some great tools online for gathering competitive intelligence. Knowing what Google keywords your competitor is purchasing, as well as what their total spend is, can be useful. Page rank, Alexa data, and banner ad programs are useful as well.

While some of this data cannot be hidden from snooping competitors, there are some precautions you should be taking.

1.    Make sure that you have no “unpublished” pages on your website. Directories such as /stage, /temp, /index2, /new, are easily discoverable.

2.    Configure your email servers so they do not bounce emails sent to unknown users. Otherwise, legitimate addresses can be discovered from the lack of a bounce when someone brute-force emails all combinations of first name – last name.

3.    Check regularly for registrations of domain names that are simple misspellings of your primary domain.

This last point is an interesting one. Say an attacker is hoping to harvest interesting documents sent to your organization: purchase orders, invoices, reports from your accountants, etc. They can register a domain that is a common misspelling of yours and collect any emails accidentally sent to it. A researcher at Symantec reported last week that he believes he has found such an attempt registered out of China.
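One way to run the misspelled-domain check from item 3, as an added example that is not part of the original article: generate single-typo variants of your own domain and flag the ones that already resolve and are not yours. `example.com`, the function names and the injectable `lookup` are assumptions; a resolving address is only a proxy for registration, so a name that publishes nothing but an MX record would not be flagged.

```python
import socket

ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # QWERTY letter rows

def neighbours(ch):
    """Keys directly left and right of ch on a QWERTY keyboard."""
    for row in ROWS:
        i = row.find(ch)
        if i != -1:
            return row[max(i - 1, 0):i] + row[i + 1:i + 2]
    return ""  # digits and hyphens get no substitutions

def typo_variants(domain):
    """Single-typo misspellings of the first label; the suffix is kept.

    Assumes `domain` is the registrable name (example.com, not www.example.com).
    """
    label, _, suffix = domain.lower().partition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # omitted letter
        out.add(label[:i] + ch + label[i:])                 # doubled letter
        if i + 1 < len(label):                              # swapped pair
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for n in neighbours(ch):                            # adjacent key
            out.add(label[:i] + n + label[i + 1:])
    out.discard(label)  # swapping two identical letters recreates the original
    # Drop empty labels and labels that start or end with a hyphen.
    return sorted(f"{v}.{suffix}" for v in out if v and v == v.strip("-"))

def resolves(name):
    """Live check: True if the name has an address record."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except OSError:
        return False

def find_lookalikes(domain, known_good=(), lookup=resolves):
    """Variants that resolve and are not on your own allow list."""
    allow = {d.lower() for d in known_good}
    return [v for v in typo_variants(domain) if v not in allow and lookup(v)]

if __name__ == "__main__":
    # example.com is a placeholder; substitute your primary domain and
    # pass any misspellings you have registered yourself as known_good.
    for hit in find_lookalikes("example.com"):
        print("resolves, review ownership:", hit)
```

Run it on a schedule and compare each run with the previous one, so a newly resolving variant stands out.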

There may be a fine line between competitive intelligence gathering and industrial espionage. In my mind, information that is in the public domain is legit for CI while internal documents are not.  You should protect yourself from the gathering of both types of intelligence.


Copyright © 2008 IDG Communications, Inc.
