
Sunday, 17 February 2008

Why industrial espionage is getting easier thanks to Business Intelligence Software!

Brand Killer Robots reveal::
I was invited to a presentation once by one of the world's leading experts in the development of business intelligence tools, otherwise described as the technology and practice of applying information to make decisions. I learned quite rightly that in order for information to be usable, it must be trusted, timely, relevant, easy-to-use, and in context. I learned that executive dashboards could be used to put information in context, and in an easy-to-understand format.

I learned that different tools share the same answers to the same questions, gain more value from your information investment, and make better decisions.

It was truly the answer to the totally "information empowered" enterprise, where the personnel had the answers at their fingertips and the executives could spin problem models around in every which way and paint pictures on the data points and set traffic light indicators where numbers went above and below the pre-set threshold.

One of the people presenting was a young man from a blue-chip insurance company. His job was to tell a story to the audience, from a customer's perspective, about how the company he represented had maximised the return on investment (ROI) from implementing these tools across about 40 different locations across the world.

He had prepared an excellent presentation and even showed us how it was possible to slice and dice a high level data cube, whilst connected via the Internet, using a wireless laptop connection. In fact he got so carried away that he spent over an hour taking questions on the numerous features that were available in the analytical software. Essentially he was showing us a high level snapshot of underwriting performance data, categorised by Broker, Product and Sales Location.

Once he had finished he asked the audience if they had any questions. It seemed appropriate to stand up, as the previous questioners had done before. Bear in mind that there were about 200 other people in the room, most of whom were from the banking and insurance industry.

"Yes", he said, "what is your question?" I felt myself getting ready to sit back down again, in shame of the question I was about to ask. But I decided to stay standing given I had been invited to share my opinion as a security consultant - and I just couldn't help myself but to ask...

"Well", I said, "is it ok to ask a question on the security aspects of your presentation?"
To which he replied, "Yes, of course".

"Well", I said, "why is the Loss Ratio at 95% on your Label V Taxi insurance product, when I know for a fact that a motor insurance underwriter not that far away is flying at around 70%?" I said, "Don't you guys know how to run a motor insurance business?"

To which there was a gasp, a series of muffled chuckles, an uncomfortable silence (which seemed to take an age to revive), followed by a rather hurried end to the proceedings.

My point was of course less to do with showing them how stupid they were by using live data in a presentation to competitors and more to do with the dangers of using BI software. By dragging and dropping a few dimensions over a fairly simple data cube, it is possible to gain access to data that in the past would have been locked behind green character-based screens, in the boss's head - or better still - locked away in 100 cupboards upstairs.

That's why corporate espionage is getting easier. Thanks to Business Intelligence Software.

Friday, 26 October 2007

Corporate Intelligence Spies:: Should we be looking Beyond the Obvious?

Brand Killer Robots reveal::
If you came across an Al-Qaeda cell, would you think of calling your local policemen to deal with it - or would you call MI5, MI6 or CIA? So why do managers think that corporate spies can be repelled using IT security policies or Human Resources personnel? After all, corporate spies have a very different motive and capability than a 16-year-old hanging off an ADSL modem out of a basement in Belarus or a stupid incompetent employee pressing all the wrong buttons.

Corporate spies are only interested in three things:
1. Gaining 'just enough' access to the target organisation.
2. Perpetrating a specific attack, such as sabotage, theft and/or installing a Trojan horse.
3. Exiting out - or better still, being exited out - under a cover.

Corporate spies have absolutely no interest in the organisation other than gaining sufficient access to target areas, then maintaining and leveraging their position in the organisation until such a time as they have infiltrated their tradecraft to achieve the desired result.

A spy will not play the same games as security personnel expect them to. They will not attempt to gain access to a system whilst sitting at a desk with a fixed IP address, where system logs can later be scanned to reveal their attempts at locating data inside the managing director's PC folder. They will not make any specific requests themselves for access to any resource, which would build up a record of attempted break-ins. They will not allow themselves to be seen to see or do anything that can be classified as 'out of the ordinary'.

What they will do is take more documents to the photocopier than they needed to (maybe pocket the ones they weren't supposed to be copying). Perhaps print 2 copies of the same document (under the guise of being a mistake if detected - "only meant to print one guv!") and then fold the second copy into a paper airplane and slip it into the top pocket.
What they will do is elicit certain types of information from staff by offering stories of past experiences designed to provoke the right kinds of response and to develop trust.
What they will do is alter the AT settings on a modem to enable them to dial in to the network at midnight and lift one or two interesting company files.
What they will do is look technically inept, to enable them to engender pity and support from their peers, which usually leads to access to further information.
What they will do is test the strength of executive acumen and corporate strategy by demonstrating potentially viable business solutions, or scope the security officer's level of knowledge and confidence by mentioning they have recently read an article on a new security threat that they know you won't have implemented measures for.

No, the activities of the corporate spy will not be halted by conventional approaches to information security or personnel management.

They can only be halted by trained counter-intelligence operatives. People who look beyond the obvious.

Wednesday, 10 October 2007

Commercial Analyst or Spy - Did you open yourself up to Corporate Espionage?

Brand Killer Robots reveal::
In the world of commercial analysis, it seems that there are a hundred different job titles for almost every role. Everything from technical, networking, data and systems analysts on a technical level to business analysts, information analysts, competitive and business intelligence analysts on a business level. Then there are even more specialised types of analyst such as stock market analysts, underwriting analysts, financial analysts and business systems analysts.

With such a diverse array of analysis talent on show, how can hiring managers ensure they are selecting the most appropriate level of analyst - and more importantly hiring analysts they can trust? In other words, how do they ensure that they are hiring people who have the right intentions - not the wrong intentions? How can they tell when they interview them?

It is our experience that many UK executives are failing to conduct proper checks on analysis staff prior to recruitment, preferring to protect the company from any hiring misjudgements by offering short-term contracts or exercising rights by extending periods of probation.

Whilst employment law may protect companies like this from dealing with analysts who have somehow not met the conditions, it does not protect the company from industrial espionage.

In a recent study, a comparative analysis was conducted which investigated the behaviour of military intelligence analysts versus that of their commercial analyst counterparts.

It was clear from the investigation that military intelligence analysts asked very different questions from those asked by commercial analysts. Military intelligence analysts were highly objective, impersonal and non-specific in their approach, whereas commercial intelligence analysts were highly subjective - preferring to concentrate on the specific labels and subject matters of the company, rather than obtaining a higher level objective view.

Another difference was in the methodologies of analysis used. Intelligence analysts preferred to develop open methods of analysis, using transparent communications, whereas business analysts were happier maintaining a less open methodology with closed communications.

Suffice to say that infiltrators prefer to install devices and mechanisms to encourage staff to do the knowledge acquisition, requirements gathering and even the analysis work for them, thereby freeing the analyst to concentrate on the real purpose of their engagement, i.e. trawling for secrets (espionage). Whereas the business analyst would be so absorbed by the burden of using conventional business analysis techniques for acquisition and analysis that he or she would only be able to concentrate on what he or she was being paid to do.

If any advice were to be offered to managers in this respect it would be to hire and train analysts from within, rather than seek them from outside. In the Competitive Intelligence business, there is no substitute for loyalty.

For more information on this study email Stephen at intrench@gmail.com