printer friendly version

Corporate counterintelligence - protecting business information

The purpose of this article is to provide a brief understanding of what counterintelligence is; its role in the corporate environment and how it supports management to protect business secrets and intellectual property.

Corporate counterintelligence is the reverse form of business espionage and business intelligence. It could also be described as the `other side of the intelligence coin' and its main purpose is to protect business information.

In 1981 H.E. Rowan wrote in Protective Security (A South African Approach) that "Few people believe that industrial espionage really exists and those who believe in its existence do not appear to know enough about the subject to be able to define the essential elements. Where industrial espionage is taking place, protection and assurance are lacking..."

It appears that since then not many in management have realised that the threat is real, nor have they been able to understand what should be protected, and why. Many companies still employ outdated measures that do not address the threats against business information.

Regular headlines about industrial espionage, business intelligence and information theft indicate that the adequate protection of proprietary information has since become a worldwide problem.

It is also not restricted to one specific industry. Examples of incidents can be found in the academic, agricultural, communications, defence related, fibre optics, financial, food, pharmaceutical, software, stationary and tobacco industries.

As recently as March 2003, various local newspapers and magazines reported on the alleged spying incidents in the Gauteng business circles. Peter Honey writing for the Financial Mail magazine (21 March 2003) wrote that "The Gulf War has broken out in Gauteng as some of the country's most visible businessmen go undercover to fight their corporate battles."

Companies have always gathered intelligence. Whether it was the simple act of looking at a competitor's pricing in a catalogue or listening to potential customers' views about a company's competitors, intelligence gathering in business is nothing new.

Many companies now go to great lengths to obtain information about their competitors. They can make use of legal/ethical, unethical or illegal information-gathering techniques or a combination to gather business secrets. Companies' do not all abide by an ethics code and many misrepresent them or break laws to get information about their competitors.

Counterintelligence and the protection of information are business decisions. Corporate executives will have to take responsibility and should no longer be satisfied with outdated advice from security companies and managers still clinging to traditional protection approaches.

Many executives are still unaware that their security measures will not always protect their confidential information. Cameras, guards, gates, fences, etc, are easily manipulated by those practising business intelligence and corporate espionage.

The need for counterintelligence

Much has changed in the business world since Rowan expressed his concerns about the preparedness of our companies to counter the business intelligence threat in its various guises. Many companies have ceased to exist, others had to change their operations, find new markets, modernise or had to expand to be competitive and efficient. We are taking part again in the global economy and have many international and new competitors.

Worldwide, companies are becoming more and more dependent on good intelligence (analysed information) regarding their competitors, environment, suppliers, products and even their customers to stay competitive.

"...the old cliché 'Knowledge is power' is an understatement. Knowledge is the lifeblood that perpetuates the existence of your organisation and if utilised properly, could level your competition to shambles" (Helms, Ettkin & Morris - Information Management & Computer Security - March 2000).

The original concept of security, still practised by many companies, cannot protect against attacks against information. Most in the traditional security profession are only accustomed to dealing with the physical aspects of security and property and find it difficult to make the leap into the new knowledge and information-based world.

Security policies also do not always make provision or take into account the scope of existing and modern day protection requirements, ie, determining what sort of information resides in a company that would be worthwhile to a competitor.

A company that has strict standards of physical security can be devastated by a 'penetration agent', a staff member working for a competitor.

"The actual fight requires a change of philosophy. Twentieth-century security doctrine, held a static conception for protection. 'Hunker down' behind defences of locks, fences, guards and alarm systems, was the prime directive. But in a world of portable information with the Internet, laptops, pocket PCs and cellular devices, the traditional security perimeter becomes an illusion" (R.L. Mendell - Security Management - April 2003).

Most of the time the security departments are not to blame as they are increasingly being given more responsibilities, but unfortunately the budget, training, equipment and professional development are not keeping pace with modern day requirements.

Computer security professionals again operate in an environment where security controls are invisible, unobtrusive deterrents. Unfortunately the protection of modern organisations and businesses involves more than installing appropriate technologies, buying the right insurance policies, protecting data networks and guarding critical infrastructure.

It requires the integration of the organisation's security, computer security and information protection with corporate strategy. Appropriate protection standards have to become an integral part of an organisation's business strategy.

Complacency, carelessness and poor security practices all contribute to how confidential information is lost. What others know about a company can make or break that company's ability to compete in the future. The protection of proprietary information is also much more than physical, computer or data security.

Intellectual property and confidential information are the areas usually neglected by management as well as security managers. They do not really concern themselves with loose lips, discarded documents, trade shows, friendships, the press, opportunists and disgruntled former staff.

Intellectual property (trade secrets, patents, formulas and processes, pricing strategies, industry sources, client and customer information) are becoming more and more critical to maintaining a competitive edge. Confidential information again concerns the infrastructure, personnel records, internal communications, agreements, supplier agreements, reports, work procedures, research, etc.

"Indications are that economic espionage, including trade secret thefts and competitive business information/intelligence gathering, will intensify and be more aggressively pursued in the new millennium" (P.F. Kalitka - Periscope - March 2000).

What is counterintelligence?

The most basic objective of business counterintelligence is to protect information from those who are not authorised to receive it, to counter potential threats and of course to enhance security.

It should not only protect against aggressive and illegal information gathering (espionage) but also against open and legal collection efforts that can harm a company and affect its ability to compete in its market.

It will spot the danger signals, prevent illegal activities such as electronic eavesdropping, carefully control critical information that a company publishes about itself and protect those areas vulnerable to business and competitive intelligence efforts by making it difficult for competitors to collect information.

Counterintelligence has both passive and active components. Passive counterintelligence aims to prevent what an adversary may do and comprises defensive and preventative countermeasures such as awareness briefings, technical surveillance countermeasures, defensive programmes and penetration testing.

Active counterintelligence differs from passive counterintelligence. Once the threat or hostile entity has been detected and identified, active counterintelligence will investigate and conduct operations to eliminate any ongoing or threatening action. When employed actively it is also a collection process. To be able to counter what an adversary may do companies need reliable and good information about competitors' intentions, capabilities, budget and resources to conduct intelligence and collection operations.

Possible indicators of intelligence operations taking place

1. Competitors knowing about projects, confidential business, trade secrets and strategy.

2. Various enquiries made by strangers such as students, researchers, and others about company secrets and projects.

3. Repair technicians showing up to do work when no one has called them.

4. Regularly losing to the same competitor(s) with very small margins in tenders and business contracts.

5. Electronic bugging and surveillance devices discovered on business premises.

6. Constant unusual requests for information or for permission to visit company premises or facilities.

7. Key staff leaving to go and work for competitors.

8. Confidential material, information and equipment such as laptops being stolen under suspicious circumstances.

9. Competitors launching products looking very similar to existing products/designs.

10. Staff reporting surveillance, recruitment attempts or suspicious enquiries and behaviour.

11. Competitors establishing competitive intelligence or marketing intelligence units.

12. Competitors hiring a number of analysts or starting new divisions dealing with corporate strategy, industry and competitive analysis.

Employing counterintelligence

Unless the security division in a company possesses a deep understanding of their own company's business, objectives, strategies and plans and know the company's competitors (intentions and capabilities) they will not be able to counter the information collection efforts and the threats.

The first step is to determine what information has to be protected, for how long and from whom. There is not much that a company can do once a guarded secret is stolen. In this regard the old saying prevention is better than cure, is especially true.

The next step is to educate all employees through awareness briefings to make them aware of the value of corporate information. Companies spend millions on firewalls, access control and other security barriers, but few invest in counterintelligence awareness training for their staff. The best security systems will be useless if personnel are ignorant about the tactics and modus operandi employed to steal business secrets.

Protective programmes have to be employed which includes watching your own company's surroundings and activities to see who else is watching and involved. Include third parties in the surveys and counterintelligence audits. Over time vendors and suppliers can develop stronger bonds with competitors.

If all avenues to a company and its personnel have been successfully cut off the industrial spy will turn to technology. Regular technical surveillance countermeasures (TSCM) surveys will reveal electronic and technology attacks. Technical surveillance countermeasures are counterintelligence activities and refer to a set of measures employed to identify and to investigate hostile technical devices planted by an adversary for collection purposes. It is largely directed at the protection of information but will often reveal physical and other security problems, lack of education and can help to assess the vulnerabilities of sensitive facilities.

The elements of protection change as business operations change. Counterintelligence is a critical task and cannot be suitably accomplished as an additional duty. It has to extend across all organisational levels. The skills and technology required is different than those for the protection of people, buildings, etc.

"Counterintelligence properly understood, aims to engage and neutralise competitors collection efforts through a variety of imaginative, flexible and active measures (J.A. Nolan - Phoenix Consulting Group).

Conclusion

Companies and security managers should be alert at all times where no formal counterintelligence structure exists within a company. Private intelligence is a growing industry in South Africa and the world. There is no such thing as a coincidence. One of the basic premises of counterintelligence is that coincidences do not just happen. The moment that a company starts to recognise too many 'coincidences' it might be too late. Counterintelligence programmes should be in place to recognise the indicators that industrial espionage and intelligence operations could be affecting a company.

To admit the need for business counterintelligence is to concede that current security and protection measures are and have been, inadequate. Many also feel that the threats that are countered by counterintelligence do not exist in South Africa and that only the big companies, government and the defence industry is targeted. The truth is that many small companies are targeted because of the total lack of any security or countermeasures.

To remain competitive, companies need to allocate resources for the protection of information and counterintelligence. By implementing counterintelligence as part of its business strategy, management will strengthen its company's overall competitive position in the market place.

ABOUT THE AUTHOR:

Steve Whitehead specialises in corporate counterintelligence matters and regularly writes and speaks on the subject. His articles have appeared in a number of local and international publications. He is a member of international bodies such as the Espionage Research Institute (ERI), Business Espionage Controls & Countermeasures Association (BECCA), American Society of Industrial Security (ASIS), the Society of Competitive Intelligence Professionals (SCIP) and local associations such as the South African Institute of Security (SAIS), Countermeasures Association of SA (CASA) and the South African Association of Competitive Intelligence Professionals. (SAACIP) He is involved with two South African companies, TSCM Services and CBIA. Both companies are leaders in their respective fields and focus exclusively on intelligence and counterintelligence matters in the corporate sector. Before joining the corporate sector in the early 1990s he served as a senior government counterintelligence specialist. He can be contacted on 012 664 3157.

Share this article:

Further reading: