When bankrupt Exodus Communications Inc. began asset acquisition proceedings with London-based Cable & Wireless PLC in February, Exodus’ chief security officer arrived at the first meeting carrying a 700-page dossier on Cable & Wireless. All of this information was gathered from open sources on the Internet.
“I was able to put together Cable & Wireless’ service, personnel, structure, revenues, customer base and much more,” says Bill Hancock, Exodus’ chief security officer. “[Cable & Wireless executives] were stunned that I knew so much about them, but I do this type of research all the time on prospective clients.”
Chances are, bits and pieces of your company’s intellectual property are floating around cyberspace. A corporate Web site is a virtual gold mine for competitive intelligence gatherers. Also, partner and vendor links can provide clues to product development plans. Job postings can tip off regional expansion plans. And employees can leak strategic information on discussion boards and chat groups.
“Corporate Web sites contain a tremendous amount of information about corporate strategies, plans and personnel,” says Richard Hunter, vice-president of security research at Gartner Inc. in Stamford, Conn.
For the most part, businesses haven’t caught on to the ubiquity of Internet-posted material, nor have they developed policies to manage this information, says Eduard L. Telders, security manager at Pemco Financial Services in Seattle. Because of the Internet, he adds, “there’s been a virtual explosion of competitive intelligence” available for digital detectives to gather.
For example, instead of searching through databases and analyst reports, a good competitive intelligence investigator can easily find product development information by seeing who’s linking to your site. Sometimes, those links lead right back to supplier testimonials that offer way too much information about your business.
“In some cases, you’ll see descriptions and case studies about how they redesigned your plant stuff you’d be shocked to read,” says John Jay McGonagle, co-author of seven books on competitive intelligence and managing partner of The Helicon Group in Blandon, Pa.
While competitive intelligence still requires good old-fashioned gumshoe work, the Internet now provides the best jumping-off point, according to McGonagle and other experts. And in some cases, the Internet can yield the bulk of information needed to influence competitive strategies.
To highlight the many ways the Internet makes information-gathering easier and to offer IT professionals steps they can take to better protect corporate data, McGonagle offers the following case studies from his work with real clients during the past two years. Corporate identities have been omitted for confidentiality reasons.
The Phantom Web Site
A financial services firm (Bank A) heard that a competitor (Bank B) might be entering Bank A’s unique employee benefits market niche. Bank A’s CEO, who heard that Bank B’s code name for the project was Modern Garden, was especially concerned because Bank A had recently lost two employees from its employee benefits branch to Bank B.
Bank A hired McGonagle to investigate the situation.
He first searched Bank B’s Web page and found nothing. So he went to the Marina Del Rey, Calif.-based Internet Corporation for Assigned Names and Numbers’ Web site at www.internic.com, and typed in “Modern Garden.” Moderngarden.org and moderngarden.net were available for sale. Moderngarden.com was not available for sale, meaning it was already taken.
But, interestingly, Moderngarden.com didn’t show up as an existing Internic address either, meaning search engines wouldn’t be able to locate it. “It’s important to look at what’s missing,” his partner told him and typed “Moderngarden.com” into a browser. Up popped a Web page with Bank B’s logo on it.
The secret page had a wealth of information: the new project statement, positioning, launch date, marketing channels along with the names and phone numbers of those working on the new offering. Two of those workers were the former Bank A employees.
Lessons learned: This information helped Bank A prepare for the oncoming assault from its competitor, says McGonagle. Those testing the Web site shouldn’t have used the corporate logo. Nor should they have put that site on the public Web until its formal launch, McGonagle says. If it was crucial to test the page on the World Wide Web, then Bank B should have assigned it space that doesn’t carry the Web address and instead should have asked administrators to reach it directly through an IP address.
The Rogue R