Just what is competition? If you're doing anything successfully, you can bet that someone is watching how you do it. What does it mean if whoever is watching is a part of your competition? This would be a good time to call on Mr.Webster for a little more detail.
Com-pe-ti-tion 1: the act or process of competing: RIVALRY 2: a contest between rivals 3: the effort of two or more parties acting independently to secure the business of a third party by offering the most favorable terms.
That doesn't exactly sound like anything friendly does it? Competition is serious business for both sides. Your survival in the next millennium may entirely depend on your ability to know what your competition is up to, and at the same time preventing them from knowing what you are up to. Do both well, and you might avoid the Mother of All Disasters from visiting your company.
Again, I'll refer to Webster's Dictionary definition to get us all thinking along the same lines.
In-tel-li-gence1.the skilled use of reason 2. the ability to apply knowledge to manipulate one's environment 3. the act of understanding 4. information concerning an enemy
Again, good stuff, but not necessarily the most friendly of definitions especially the part about "information concerning an enemy". What do we get when we combine these two definitions into one thought? "Competitive Intelligence", and the reason for the rest of my article.
For more than 30 years now, I have been very involved with physical security, computer security and disaster recovery in one form or another. Not until I was asked by a friend of mine to review a soon to be published book on competitive intelligence did I realize how much all three of those areas of concern directly relate to the counterintelligence piece of competitive intelligence. We'll address counterintelligence a little later in the article. For now, let me share with you what I learned while reviewing the manuscript for "The WarRoom Guide To Competitive Intelligence" by Stephen M. Shaker and Mark Gembicki of WarRoom Research. www.warroomresearch.com
Before reading this excellent book, I didn't know what Competitive Intelligence really meant. Was this just another name for industrial espionage, and is it even legal? Needless to say, I learned a lot, and I highly recommend that you take the time to learn it as well. It could help save your business as we enter a very competitive third millennium filled with competitors who wouldn't mind seeing a "For Sale" sign in front of your business.
I was amazed to learn about how much good competitive information is available to anyone who wants to take the time to look for it. It's available in company promotional literature, trade publications, newspaper articles, executive briefings, conferences, public records, casual conversations at after work parties and now there is an unbelievable amount of it on that final frontier - the mighty World Wide Web. All of this is completely open and legal to try to get your hands on. You don't need to do any stealing, wiretapping, physically breaking into buildings or any of the other things that add up to espionage. Most of the good stuff is still 'low hanging fruit' ready to be picked.
Here's a good example that many of you who have attended one of my Computer Security workshops or breakout session at a DRJ conference (Dwayne says to say Hi!) should remember. I show a slide that asks the question "Who did you have lunch with yesterday?" I then explain that when I am going to a meeting in a large building, I will frequently go to the public cafeteria in that building and have lunch. I don't usually know anyone, so I simply look for a table that appears to have four to six people engaged in conversation over lunch. If possible, I'll sit at a table near them and eat (while I listen). Some of the things discussed in a public cafeteria should have been discussed only in a secured corporate board room. "Loose Lips Sink Companies!"
I wasn't targeting anyone, but what if I was? Would I have committed a crime? No! All that I did was to have lunch in a public cafeteria. (The food wasn't that great, but the conversation was.) I could have gained some very valuable Competitive Intelligence on any of the companies whose employees were openly discussing company proprietary information in an unsecured area. Somebody needs some training.
Two kinds of training are very important and are well described in Shaker and Gembicki's book. The first is training in establishing your own Competitive Intelligence (CI) team, and the second is training company employees on how to avoid giving away the store to the other guy?s CI team. (That's Counterintelligence training which I believe that EVERY employee needs to have.)
The majority of "The WarRoom Guide To Competitive Intelligence" is devoted to helping you to establish your own CI team. To be successful, the kind of planning and training described in the book is essential. There is even a complete chapter devoted to building your own "War Room".
One look at the global business world today will show you that we as a country are way behind the rest of the world in having CI teams in every company. Most of the statistics that I could find stated that less than 10 percent of all American companies have formal CI teams. What about the really big companies who probably became big by being smart? A recent ABCNEWS.com report seen on the Internet stated that "A full 82 percent of companies with annual revenues of more than $10 billion now have an organized intelligence unit, according to a 1997 survey by The Futures Group, a competitive intelligence consultant."
The other countries with whom we compete are counting on the fact that your company might not have a CI team, and that you may be unaware that they do. They have come to like the 'easy pickings' in all of their CI (and possibly espionage) efforts.
Even if you haven't started developing your Competitive Intelligence (CI) Team, you still need to have a good counter intelligence plan. This is one of the main things that you should do to defend your company and all of its physical, technical and intellectual property from prying eyes. If there are other CI teams out there trying to get to your valuable information (and there probably are), than the very least that you should do is to try to stop them.
Employee awareness training is one of the most effective and least expensive countermeasures that you can employ in your counter intelligence plan. Let me give you a quick example. Most of you probably heard of 'war game dialing' as a means of trying to find unsecured modems connected to computers. (The term came from the movie "War Games" way back in 1984.) A bad-guy runs a program that dials a prescribed group of phone numbers looking for the sounds that a modem makes when his modem finds another one. There is a pretty good chance that the modem that his program finds is connected to a computer. It could be one of yours. While searching for numbers connected to computers, his program rings the phones on a lot of desks that are not connected to computers. It could be your desk. I've answered the phone before and heard a modem on the other end. It could be someone who reversed my fax number and my phone number in their database, or it could be someone trying to break in. So, how can you tell?
It's not easy to ever be sure, but I saw the value of company wide employee awareness during a recent 'war game dialing' attack on a company that we had trained about 6 months earlier. During the one hour training class, we demonstrate the sounds that a modem makes, and what it sounds like if you pick up the phone and listen to it. It is then suggested that if you hear that sound, simply let your immediate supervisor know that it happened. Then forget about it unless it happens again. The important thing is that more than one person knows that it happened. If you kept it to yourself, you would continue about your business and simply assume that it was a wrong number. Even if your company is being targeted with a 'war game dialer', the dialer will never ring your desk phone again because it has been flagged by the dialing program as a number not connected to a modem.
Sure enough, about 6 months later this company was hit and one supervisor told us that five of his people had come to him that afternoon stating that they had picked up their phone and heard a modem. Individually, they would have never paid attention to the single call that came to their desk. Collectively, they had caught someone in the act of 'war game dialing' into their phone bank and possibly into their computers. At that point, they knew to alert the system administrator to insure that no penetration had taken place in the computer room. Just a little employee awareness can save your company!
This has been just one tiny example of counter intelligence, safeguards, countermeasures, risks, threats and all of the other things that you need to think of to avoid being a victim. Start TODAY!
That list could fill the rest of this magazine. I've said it many times lately, but I'll say it again. We are at a time and place where everything that is important to just about every company, large and small, resides on some computer database somewhere. Use your imagination and try to think of anything that isn't controlled by a computer today. If I can get to that computer and steal it, copy it, turn it off, corrupt it, blow it up, get a virus into it, dial into it or even get the data off of it after you sell it, I've gotcha! Again use your imagination to decide what kind of a disaster that would cause.
In my entire adult life, I have been personally involved with exactly two (small) disasters. One was a fire in our computer room, and the other was a water main break in the same computer room a few years later. Both caused some minor damage, and the fire let us all go outside for a few minutes, but that was it during 25+ years of working in that building.
It's not the same with today's technical disasters. They're usually not as physically spectacular, but they sure do make for some interesting headlines, and gray hair for those of us who have to react to them. Don't let your competition become an even bigger nightmare than the rest of the disasters that your company tries to prepare for. A disaster of this type may be your last!
These are the companies and associations that I went to for information while writing this article. They can help you as well. Contact them and get involved.
WarRoom Research www.warroomresearch.com
Society of Competitive Intelligence Professionals(SCIP) www.scip.org
American Society for Industrial Security(ASIS) www.asisonline.org
Operations Security Professionals Society (OPSEC) www.opsec.org
Mr. Wiles is the Senior instructor and co-developer of the BTAC Training Course. His association memberships include the International Association of Bomb Technicians & Investigators (IABTI) & the Contingency Planning Association of the Carolinas (CPAC). He can be reached at jwiles@oltronics.net.
