In today's business environment, the rules of the game change everyday.
As one adage states, "Nothing changes the table manners as fast as a smaller pie." And, the once almost laissez faire medical products industry is definitely considering the pie's size in today's market. One outcome of such pressure is the redal and perceived need to focus more on what competitors are doing. In my experience, once companies have proved the value of CI efforts and have seen just what information they can obtain about their competition, they then logically ask, "Now that we're getting this about them, what's to prevent them from getting the same kinds of things about us?"
CI is a branch of information research that is focused on the competition. It uses many creative and eclectic information-collection methods and sources. Though you may think CI practitioners are limited to megacompetitors' examinations of each other, nothing is further from the truth. Drawn directly from our company's experience in recent years, we know that CI is not only important for large businesses but also small ones. It's especially important for smaller companies from a defensive standpoint.
COMPETITIVE INTELLIGENCE AND COUNTERMEASURES - JUST OUR EXPERIENCE
As Table 1 depicts, 65 percent of the collection assignments we undertake are on behalf of large firms and of that portion of the collection work, small and medium businesses are the targets in 72 percent of the cases. This is driven by two principal factors.
First, big firms know quite a bit about their peers and have a fair picture of what they're doing and how they're doing it.
Second, small and medium businesses represent the incubators in most markets. Because one of the primary purposes of CI is "surprise avoidance," large firms are always interested in identifying the next blockbuster: Who's the guy working in his garage on a product that will have a significant impact on our business base?
| Company Size | CI Collection | Target Protection | Anti-CI | Opponent |
| Large (>$60M) | 65% | L = 28% M = 41 S = 31 |
25% | L = 82% M = 11 S = 07 |
| Medium ($20M - $60M) | 26% | L = 40% M = 50 S = 10 |
43% | L = 28% M = 41 S = 31 |
| Small ($500k - $20M) | 9% | L = 62% M = 15 S = 23 |
32% | L = 71% M = 27 S = 02 |
| Table 1: Patterns of Competitive Intelligence Targets by Size of Company | ||||
|---|---|---|---|---|
On the flip side, Table 1 also shows that when small and medium sized businesses have hired us, 75% of the time it's for countermeasures or protection work. Such countermeasures work derives directly from a company's concern that they have been the victims of another firm's collection measures.
In far too many cases, the firm has not done what it should have done to protect itself; it's not taken those measures consistent with the threat environment. Most judges rule that if a company doesn't consider the information valuable enough to protect themselves, it's not the law's responsibility to help compensate them for their losses. Legal redress for CI losses is rarely available. The most a company can do, once the horse is out of the barn is make sure that they don't lose any more horses.
And that's where the countermeasures come in. Just for comparison, CI's evil twin cousins, Industrial Espionage and Economic Espionage, are illegal and prosecutable under the law; their practitioners know what they are doing is illegal and methose to accomplish ends can become extreme.
The CI process is usually successful because of a few simple, underlying principles:
- People are willing to provide information about your firm for a variety of reasons, ranging from a simple desire to be helpful to the meanspiritedness of a disgruntled employee.
- Competitive Intelligence professionals recognize that wherever money changes hands, so does information. By following the trails of commercial activity, people inside and outside your firm can become great, if unwitting, sources.
- In more than 70% of the cases where we call people at companies to collect information, they give it to us even after we've told them exactly who we are and that we can't disclose the name of our client because of confidentiality agreements.;
- In many of the more "scientifically open" industries, which includes the medical industry, researchers who've spent their lives developing products are often much more open in discussing their work in the interest of the advancement of science.
- Many security organizations have a "gates and guards, guns and dogs" security orientation, which is rarely an impediment to those who use the intelligence process.
Most CI practitioners perform their craft using an organized process, rooted in most cases in what is termed the national security model of intelligence. In the United States, it's called the intelligence cycle; in other countries it's viewed as a linear process. But whichever way it's viewed, it's the result of tried and true principles that have been developed over centuries, with little real variation. The typical intelligence organization operates on a model we call the Business Intelligence Collection Model (BICM)(SM) as shown in Figure 1.
Because intelligence collection is a formal and structured process, it's only reasonable that the countermeasures to such a process have to be the same. This doesn't mean a checklist or a series of forms that gather dust in a filing cabinet once they're filled out. It means that the protection measures have to be just as imaginative, just as organized, just as aggressive and analytical as the collection efforts of the rival firm.
The Business Intelligence Protection Model (BIPM)(SM) shown in Figure 2 helps to give some form and function to the protection process. It's also circular, although the arrows go in a different direction. After you've seen how the process works in a case example, you'll see why.
CASE STUDY -
DOLLOP V. BEASLEY
Let's use a medical industry case where we've changed the real client name to Dollop Industries. Dollop, an American firm, had suffered the loss of information that allowed an international competitor, Beasley Medical Devices, to get to market with roughly the same product, slightly before our client got there. Not wanting to be a victim again, the client asked us to attack them as if we were working for Beasley, using techniques that we knew Beasley would probably use. So, in this project, we employed the defensive BIPM(SM) to help Dollop protect itself from future compromises.
Step 1: Tasking
The BIPM(SM) clearly depicts an organized counterintelligence approach. At the top of the process, gaining clear and specific tasking about what to protect is just as critical as clear and specific tasking about what to collect. No CI professional accepts such an open-ended assignment from a client's or firm's leadership to "go out and get me everything you can on XYZ Company." Similarly, no counterintelligence practitioner accepts an assignment to "protect everything." As the model suggests, the first order of business is to help identify what Dollop Industries wants to protect generally, which we then refine.
Step 2: Defining Requirements
At this point, the counterintelligence professional is interested in refining what needs to be protected, for how long, and from whom. To be successful, the requirements definition depends on breaking those sensitive plans, strategies, or projects down into individual components, those critical ingredients or elements that the CI professional is after.
In essence, Dollop Industries wanted to ensure that their newest product wILL get to market without Beasley being able to identify it early enough to develop a competing product. Our protection taskers included:
- What is the new product line?
- When will it would come to market?
- How much of an investment is Dollop putting into the product?
- What is the pricing strategy?
- In which quantities and through which distribution channels will it reach the customer?
- Who are some of the strategic partners on the project?
- What is the project code name?
- What is the anticipated market size of the new product?
Step 3: Assessing the Rival's Intelligence Capabilities
Efforts now focus on assessing the capabilities, sources and methods of Beasley's CI practitioners. This is a combination of getting to know, and allow, Beasley's CI people to talk about how they did their job together with an analysis of hypotheses that could account for the previous loss.
Once there is a well-developed understanding of how Beasley collected against Dollop, the next step was to try to emulate Beasley's behavior. While we knew that Beasley had many SCIP members in its CI unit, we knew that it also sometimes engaged in activities that were right up to the edge in terms of legality and ethics: not unlike an increasing number of companies as competition increases. Essentially, we made certain that the threat environment was a realistic one before we ever tried to help the client protect anything.
We knew, for example, that Beasley's CI unit:
- Routinely followed all the Help Wanted advertising in their industry to see if any trends could be spotted or early indicators of new efforts could be identified.
- Were very much involved in trash archeology, or as some would term it, dumpster diving.
- Spent time gettinginformation from various on-line sources.
These contacts led to people with the kind of information which Beasley wanted.
Step 4: Analyzing Vulnerabilities
Next comes a realistic test of the firm's vulnerability to the collection methods. Quite often there IS some information sharing with the security department as a result of other types of losses, investigations and reports from line employees when they fielded unusual or suspicious questions from someone outside the firm.
It's at this point that we can see perhaps most clearly the difference between security and counterintelligence. The traditional security approach would close the vulnerability as if it were a hole in a fence; counterintelligence would seek to find what opportunities these vulnerabilities present.
Step 5: Developing Countermeasures
To test for opportunities, we might put certain typess and classes of information purposely at risk with the specific intention of allowing the rival firm to draw erroneous conclusions about where the firm is headed. This leads directly to the identification of what vulnerabilities the rivals' CI collectors and analysts have which may be exploitable.
Developing countermeasures is perhaps the most interesting and intellectually stimulating of all the aspects of the counterintelligence process. It not only helps to protect what needs to be protected, it also serves as a means to change the value and character of the information being collected by the firm's rival.
This has been variously referred to as everything from deception to misinformation, with perhaps the best treatment of the topic drawing its title from Winston Churchill's famous quote, "In wartime, truth is so precious that she must always be attended by a bodyguard of lies." Dollop could cause Beasley to make decisions based on incorrect information, in turn making it uncertain about the reliability of the intelligence it's paying for.
Deception in this context is a purely defensive tactic. The only targets are those who are actively, and sometimes illicitly, engaged in collecting information about your firm. Essentially, this becomes the intelligence world's version of caveat emptor.
Step 6: Analyzing and Disseminating
Analyzing and disseminating collected information are continuous processes, as depicted in Figure 1. As more information is uncovered, more analyzing and disseminating must be performed, which eventually repeats the process.
UNCOVERING DOLLOP'S SECRETS
With this framework in mind, we attacked our client, Dollop, using several strategies. In the interest of space, however, we'll only deal here with two of those areas: people and waste archeology.
People
Upon reviewing the company's hiring patterns over the previous 18 months, we determined that Dollop was adding competencies in a specific discipline where it had not been operating before. In looking at some of the industry literature, we saw that there was a core group of seven individuals who, in interchangeable teams of two or three at a time, had been collaborating since university days.
Some remained in academia while the others went off to industry. Then we noticed that this group of co-authors had not published for nearly three years. We found that all seven had moved near the target firm. They were not listed, however, in the company's telephone book, which suggested an off-site research lab. Two of the group were listed in the city telephone books, however, and one of our associates observed one of them as he left his residence and drove to work.
It was easy to observe where they went for lunch and to pre-position one of our agents in the restaurant in order to overhear the inevitable work-related discussions.
We also collected the license plate numbers of the cars in the parking lot and obtained the owner's names and home addresses. Certain types of pretext telephone calls to the employee's homes, depending on whether we got the employee or a family member, yielded information about each employee's level of education and the type of work being performed.
Once this kind of information was gathered, other pretext interviews, this time posing as executive recruiters with fairly lucrative job opportunities, were conducted at the employee's offices. Of course the interviews didn't by discussing exactly what the employee was doing in his present job, but considerable detail about the work being performed was pieced together through this process.
We also found the identity of the executive search firm that Dollop was using to add qualified personnel develop the new product line. With the cognizance of Dollop's security organization, we created a completely false persona for one of our operatives who contacted the search firm as a likely candidate for a position at Dollop, which led to a series of interviews.
Of course, the operative was asked to sign a non-disclosure agreement as the interview process progressed toward an offer which he singed with no more intention of honoring it than if he had been a real person in the Beasley's employ. Suffice it to say that at the end of the process, Dollop significantly increased its requirement for screening prospective employees prior to any site visits.
Newt Gingrich has no cell-phone problems compared to some folks in New York and Chicago. As Gordon Gecko wannages walk the streets of those cities with cell phones at the ear, chances are very good that one of a few so-called security firms has been compromising their calls. These firms pull unencrypted data by locking onto cellular data calls and then producing magnetic records for their clients. One such compnay recently claimed that a client, a New York bank, spent more than $200,000 in the prior six months on such collection.
Waste Archeology
The adage "One man's trash is another man's treasure," is as true in today's business environment as ever. And although many people believe that trash enjoys certain constitutional protections, which is true in certain states, constitutionality is not an issue for non-government trash divers. Indeed, the courts have found for commercial trash divers in that trash placed out for collection constitutes abandonment; therefore the use of information found in such trash is not illegal.
In this instance when our operatives dove in the dumpsters at Dollop's R&D facility, they found a terrific amount of information, even some documents with "Company Sensitive" and "Company Confidential" markings. Some were torn in half and some were torn into quarters, which posed no problem in reconstruction. Conversely, it made it easier to identify the important documents from the general trash since only seemingly important documents were torn.
Other documents were just tossed out because they appeared to be misfed, slightly off-centered photocopies of sensitive originals. This is not unusual. We have found that the waste baskets near photocopiers are some of the most lucrative of all repositories: extra copies, copies that are not quite clear enough for the boss, copies that need to be enlarged, or even copies of view graphs that were copied backwards. Apparently, if it's not pretty enough to be used, then it couldn't possibly be of any use to anyone else.
Even though Dollop had purchased a shredding machine through which all sensitive information was to pass prior to hitting the trash cans, people tend to underestimate the value of the information they deal with each day and fail to shred comprehensively, speaking for broader use of this technology and training. It was from this kind of trash that we pieced together, sometimes literally, the information that was provided to one of our technical associates, who analyzed the project and identified the overall program almost precisely. We collected six pages of budget figures ranging from prototype development to overall project costs.
Dumpster diving paid off in another way by identifying the research company that was hired to perform the test marketing. Now at first blush, that may not seem to be much more exploitable than knowing who the search firm was. Yet as we went further down the trail, we were able to place one of our operatives into the focus group population for a first-hand look at the product in prototype form.
Exploiting patterns in test marketing is nothing new in the medical and pharmaceutical field. Indeed, many remember that it was through Bristol-Myers' test marketing of the pain reliever Datril that Johnson & Johnson found out about the Datril price-penetration strategy against Tylenol. Bristol-Myers' pattern of using Peoria, Illinois and Albany, New York as test markets gave Johnson & Johnson the advantage they needed to squash the Datril introduction.
SO WHAT?
What does all this mean? This excercise showed Dollop's leadership where it was vulnerable not to some extraordinary, James Bond-type approaches, but rather to some garden variety CI approaches.
It also provides some insight into how the rules of the game change as more and more aggressive measures are being taken everyday across a variety of industries. The more competitive the industry, the more dollars that are at stake in product development and testing due to liability and other issues. The more performance-based pressures that senior management feels, the more aggressive its efforts acquire competitive information.
Does it just mean that there aren't any business secrets left? No. It just means that if your firm and its people have no clue about the changes in the environment and the realistic threats in today's business world, they're not adequately prepared to safeguard the truly important information: information on which the future of the company and their jobs depend.
Does it mean that if someone wants to get sensitive or proprietary information that they're going to get it no matter what efforts are taken to protect it? Not necessarily. But if Dollop had not undertaken this friendly self-penetration, they would have continued to lose horses. With an understanding of how they were at risk, Dollop's leadership could begin to train its people and take straightforward measures to protect the company and fulfill obligations to the shareholders.
About the author: John A. Nolan, III CPP, OCP is Chairman and Managing Director of Phoenix Consulting Group, which provides competitive intelligence, counterintelligence and professional development/training programs across a variety of industries. He is also a co-founder of The Centre for Operational Business Intelligence in Sarasota, FL where corporate intelligence practitioners from around the country and the world learn the tools and techniques necessary to prevail in the marketplace. His newest book, “CONFIDENTIAL”:Uncover Your Competitor's Top Secrets Legally and Quickly - And Protect Your Own was released by HarperCollins Business Books in June 1999. He is frequently featured in national and international media such as Forbes, George, Times of London and CNN, to name just a few. He can be reached at jnolan@intellpros.com, or at 1.800.440.1724.
