Competitive Intelligence / Competitive Strategy, by Arik Johnson

Risky Business
Unifying the Management of Converging Knowledge Sources Makes Good Business Sense; yet, the Fact Remains that Firms' Compliance with New Information Sharing Policies or Legal and Regulatory Requirements While Minimizing the Risk of Leaking Proprietary or Secret Information can often Make Competitors Cheer

Have you ever noticed how much simpler it is to find out about publicly traded companies than it is to discover operational data for private companies? As someone who plies his trade measuring the performance and business strategies of business rivals, believe you me... we are presented with distinctly different views of firms engaged in very similar businesses depending on whether they're public or private.

The task of keeping such strategically sensitive information secret from existing or potential competitors is the reason many of the most influential companies in their respective industrial sectors -- from SAS Institute to S.C. Johnson -- remain privately owned. When the need to IPO in order to raise capital (and your company's profile) is secondary to the desire to maintain confidentiality of otherwise secret or proprietary information -- such as inventory turnover, cash flow, gross profitability, annual financial results, changes in business strategy or even patent applications -- a firm might choose to forgo the risks associated with public reporting. Public reporting is done, in large part, to comply with the financial and shareholder governance requirements imposed by regulators such as the Securities and Exchange Commission, as a consequence of protecting the investment and shareholder community from "unusual" accounting and business practices.

But do the risks of revealing strategic or tactical business plans to competitors outweigh the benefits of being traded on a public stock exchange? Are there other information "leakages" within the scope and scale of the modern business enterprise that are just as likely, some perhaps more so, to reveal that very same, or even more sensitive, proprietary information in a new infrastructure where information sources are converging towards knowledge management systems designed to make it ever easier to capture what a firm knows, apply those knowledge assets again later on and understand how the firm succeeds or fails in the marketplace?

Traditionally, competitive intelligence has been associated with a sister discipline, known as competitive counter intelligence, that tries to prevent disclosure of key competitive data to a world populated by rivals and other threats with a vendetta against the company. Unfortunately, the practice of counter CI has not been a unified effort. For example, there are myriad other contact points both internal and external to the company where leakage occurs; while, simultaneously, the protection of information assets has been very disparately charged to the various guardians of knowledge. Here are just a few areas that you'll probably recognize in your own organization -- public relations, investor relations, the company Web development team, corporate security, intellectual property and licensing, the security and user authentication & management functions within information services, customer service, vendors and suppliers, contract employees, and any user on your network who has even "sticky-noted" a password to the side of his or her monitor. This appallingly confused situation seems to beg the need for a unified security function in today's environment of accelerated knowledge delivery systems; however, centralization of control can be as much a liability as it is an asset.

Consider the case of General Motors' Opel division in Europe which, following the sudden flight of GM's purchasing "czar" to Volkswagen, discovered he and his lieutenants had made off with critical purchasing and negotiating information regarding GM's component suppliers. After the "midnight file run" made by said executive became apparent, VW's Ferdinand Piëch eventually settled the matter out of court with GM/Opel for the whopping sum of US$100 Million!

I'm also reminded of a story told to me by a colleague at another CI firm about a certain Fortune 100 electronics company whose northern Europe-based head of corporate security tried to sell the European marketing plan for the upcoming year, which he'd recently stolen from the company intranet, by emailing the offer to my colleague. What was he thinking, you might ask? The answer becomes far clearer when we consider he'd just failed a drug test and was on deck for disciplinary action, so he decided to cut his losses and resign, but not before he'd tried to secure a little "knowledge capital" of his own (FYI, the guy's in a Norwegian prison today). The centralized approach clearly failed in this case, even though they caught the man involved (who was, incidentally, an American, which I only point out so as not to sound discriminatory towards our European readers).

The legal and ethical implications of soliciting company secrets are significant. In 1996, President Clinton signed into law the Economic Espionage Act, which established the most severe criminal penalties the U.S. has ever known for acquiring trade secrets or other proprietary information from American companies. While the law has been exercised in a number of recent actions, surprisingly between American companies, its original intent was to protect U.S. firms against foreign attempts to acquire proprietary competitor data. It should also be noted that a Code of Ethics was adopted several years ago by the pre-eminent professional society (SCIP) for business researchers, consisting of a seven point guideline for its association members to help benchmark themselves against the ethically questionable "gray zone" of competitor research. But laws and guidelines are only as good as the people subject to them. How can corporations be proactive in safeguarding the knowledge enterprise while making knowledge free to be shared?

The fact is, most sensitive information doesn't get leaked by financial reporting to the SEC or corporate "spies" hired to infiltrate the company. In fact, publicly traded companies usually compete most fiercely against other publicly traded companies and, therefore, there is no knowledge gap between these rivals in terms of what they know about each other or the marketplace -- we must remember, competitive intelligence is most influential when this "knowledge gap" exists, where a particular firm is privy to some knowledge its competitors have either failed to uncover, ignored or dismissed as irrelevant. Simply knowing what is available to everyone else is really the minimum a firm must do to stay abreast; and shame on any company that doesn't monitor relevant published information -- that's the easy part.

Most of the risk involved with corporate knowledge is inherent in the knowledge workers themselves -- the simple fact that someday, they will certainly leave the organization and all the knowledge they've created or investments made by the firm in teaching them will, in the end, be lost. The real question is, how to make sure that this most costly tacit knowledge is captured and can be applied after the knowledge creator has left the firm, while minimizing the chance that the departing person will depart with company information in tow which can end up in the hands of one's competitors or other threats? Companies have always struggled with how to include transient employees -- which includes all of us, by my definition -- in the knowledge work of the firm while protecting the knowledge that they've acquired. The solution may lie in the unique mixture of knowledge protection that most firms have developed through their unique experience, rather than as a factor of a best practices or benchmarking analysis -- experience may be the best teacher, but you can take an awful beating at the "School-of-Hard-Knocks".

In the absence of an enforceable non-compete/non-disclosure agreement (stress the word "enforceable"), there is nothing stopping the ex-employee from taking all one can carry in terms of proprietary information. Non-compete and non-disclosure agreements are notoriously troublesome to enforce -- in any firm without a legal department or advisor overseeing the signature process, such agreements are usually burdened by unreasonably long terms of duration, which means the former employee can sue for and likely win the right to work in an industry in which they've invested their professional careers. Likewise, while the Economic Espionage Act of 1996 provides for punitive retribution as a disincentive to APPLYING dubious information, it does so only when a link can be established to misappropriated information showing up in another organization -- like the research scientist who goes to work for a competitor and six months later applies for a patent for technology bearing a striking resemblance to that of his former employer. A quick digression for a CI tip is appropriate here -- while U.S. patent applications are confidential until their assignment, usually two to four years later, patent apps in Europe are public documents and available for search and retrieval. This fact alone points up the complexity of the issue of compliance and risk within a unified knowledge enterprise -- the process of protecting one's intellectual property may lead a firm seeking global IP protection to undoubtedly reveal much of its strategic business plan to anyone willing to perform a comprehensive search.

Before ethics were a major question in American business, using subterfuge to "spy" on competitors was less of an issue. My father once described his interview experience for a major furniture manufacturer with whom he was seeking a sales job early in his career (i.e. the 1950's). After a quick screening process, he learned, they weren't interviewing for their own salespeople -- they were interviewing for candidates who could get hired as salespeople by their competitors! The ultimate goal here is pretty obvious -- insertion of a "plant" or, in spy-talk, a "mole" in the competitor to funnel any "useful" information back to the company. Incidentally, even though he'd always wondered what that would've been like, he admitted that he'd asked for the exit when he found out what he was actually going to be selling. So, here's your wake-up call. While most of such practices are much less explicitly employed, I can give you an ironclad guarantee that, if you employ more than about a dozen people, you are certainly at risk not only of external competitive intelligence, but also of internal "corporate espionage".

Of course, you might be the target of a "professional" - whether they've been hired by the company for an audit or by a competitor with meaner priorities on its agenda than being ethically upright. Ira Winkler, a former analyst with the National Security Agency, contends that American companies lose billions of dollars each year through preventable information leaks. In his 1997 book, Corporate Espionage, he shows how much of it is pilfered by unremarkable efforts -- looking at memos, sifting through trash, peeking on desktops, or simply asking for it -- and provides some advice to stop it. He writes not just about what is happening to U.S. firms, he writes about what he has done to U.S. firms. Winkler investigates industrial espionage at major corporations, often testing company defenses by trying, usually successfully, to penetrate them.

The core of the book is a disguised case study, showing how Winkler was able to penetrate a corporation's computer network and records system. In that process, he used many common, ethical and legal CI techniques to supplement or support the illicit ones. For example, he reviewed the target's annual report, press releases and even a company directory, before making any contact with the target. The goal was to learn about the target's general organizational structure and environment, as well as to identify his own hit list of development projects, with the names of employees working on them. After reviewing these sources, he moved quickly to scanning Internet user groups and current magazine and newspaper articles. The results? He quickly came up with a list of the target's top six IS development projects, the names of several employees associated with one key project; the office locations of these employees; and a good idea about the target firm's technical vulnerabilities. From here, Winkler moved into his "black" operations, using such tactics as: printing fake business cards which identified him as an employee with the firm's corporate security office; hacking into company computers using passwords freely given to him by duped employees; copying highly confidential files carelessly left on executive desks after hours and re-programming the company's terminal servers to allow him undetected off-site access. In three days, Winkler captured 250 megabytes of data while onsite, leaving 1,000 megabytes of "potentially useful data because I ran out of storage space" and totally compromised 28 of the company's top development programs. The value of the data to the target was estimated at over US$ 1 Billion! Now, you know you've got a problem when the biggest problem the penetration expert encounters is running out of storage for all the information they've just stolen from you.

In early October, I attended a CI conference where I chatted with the heads of competitive technical intelligence, one for a major facilities management and building components conglomerate and the other with a large telecom products company. Both women mentioned the fact that, "anything that goes on the company intranet is 'gone' -- consider it already in the hands of your competitors" -- merely because it's available to everyone who can get access to the intranet. The same can be said of the corporate Web site, they continued -- where anything and everything labeled as "content" can find a home as long as it's new and different from what appeared there a month earlier -- "and damn the fact that they might not want anyone else to understand certain of those matters". "So", I asked naively, "how do you make sure sensitive information doesn't get out?" The stereophonic reply was "don't let anyone find out about it in the first place!" This may be the best and only answer. As we struggle to unify knowledge sources and verify the authenticity of personnel using them through the deployment of increasingly complex passwords, passphrases and biometric technology, I'd lobby that we inject a bit more of the business process and this tougher brand of leadership decision-making into the technology-driven world of KM. I've met many knowledge managers who've merely decided that a certain morsel of company knowledge just shouldn't be shared with anyone else in the organization -- the potential for compromise just isn't worth it. Who decides and based on what criteria? In the end, my opinion remains that, while organizations must comply with those policies that require disclosure, they must, always, consider the consequences of inadvertent misappropriation of sensitive information shared with others, even and especially in your own organization. It very well could end up in the wrong hands.

Arik R. Johnson is Managing Director of the Competitive Intelligence (CI) outsourcing & support bureau Aurora WDC. Learn more about Arik at his firm's Web site.