The New England Patriots won three Super Bowl titles in four years, building an NFL “Super Power” in what many believe to be an era of unmatched competitive poise.
However, did this team—long considered a model of success and effectiveness—cheat to do it? Did the Patriots use means described by many as “spying” to gain that competitive edge? That is the pressing question as details emerge about the Patriots breaking NFL rules by secretly videotaping the defensive signals of the rival New York Jets this past Sunday.
In the NFL, information is relayed to players on the football field from coaches on the sideline in much the same way a baseball runner receives signs from the third base coach. As in baseball, most football teams use accepted methods (such as the naked eye from across the field) to attempt to “break” the signal code and decipher the opponent’s signs, thus gaining a competitive edge. Obviously, by knowing what play the opponent intends to use, a team can better prepare to counter it.
What allegedly happened with the Patriots—and presumably occurs with other NFL teams—is no different from what goes on every day in the business world. Companies of all sizes use various means, from legal and ethical competitive intelligence analysis to covert espionage and stealing of proprietary secrets, to proactively understand their competitors’ next moves. By identifying a competitor’s next move—whether it is new sales & marketing tactics, pricing strategies, product roadmap, or M&A plans—companies can blunt the competitor’s efforts, potentially reducing the loss of their own customers along with the associated revenue and market share.
In the business world, companies use various means of acquiring this information. I basically categorize competitive analysis into one of three categories:
1) Legal and ethical: This is the use of 100% legal and ethical means of gathering and analyzing competitive information. Examples include research involving both primary sources (first person collection of information from one-on-one interviews, surveys, and focus groups) and secondary sources (utilizing existing public information).
2) Legal but unethical: There definitely is a grey line in the world of competitive research. The legal system has not caught up with (or has ignored) current competitive research trends that utilize less than honest means. Remember, just because it is legal does not necessarily mean it is ethical. While billions of dollars are spent on IT and network security to prevent hackers from stealing digital information, experts in the art of “social engineering” are going right through a company’s front door and gathering confidential and proprietary information from unsuspecting employees. Social engineering involves the manipulation of people (rather than technology) to successfully breach an enterprise’s security. Social engineering remains the single greatest security risk, despite our advances in technology, and many of the most damaging security penetrations are the result of social engineering—not electronic “hacking” or “cracking.”
3) Illegal and unethical: Examples in this category include utilizing electronic eavesdropping devices, posing as someone you are not to gain non-public information (including some types of social engineering, such as “pretexting” and “phishing”), and hiring individuals to steal confidential information.
Also in the second category above (legal but unethical) is the issue of “human error.” Employees often do dumb things, like leaving behind confidential documents at a Kinko’s. In various media circles, former Patriots staffers allege that they were paid (or that they were instructed to pay others) to search the meeting rooms of visiting football teams’ hotels for strategic game-time documents. For example, it is fairly typical for a football team to script its first 10 to 15 offensive plays and then distribute that list to players the night before a game. Often, extra copies of these and other documents get left behind in meeting rooms, where anyone can pick them up. This is the equivalent of a competitor in the business world searching through the hotel meeting room just used by the board of the target company.
In Pittsburgh, wide receiver Hines Ward told a news reporter this week that he suspected New England had deciphered the Steelers’ offensive plans during the January 2002 AFC championship game.
“They knew a lot of our calls,” Ward said. “There’s no question some of their players were calling out some of our stuff.”
Whether your employer is an NFL football team or a top-producing enterprise, you can limit the loss of strategy and confidential information by educating employees about information loss. Making employees aware that they can’t leave confidential information lying around—whether in a hotel conference room or online in an industry chat forum—is 90% of the battle.
By focusing on what is immediately controllable to reduce information loss, organizations can then move on to the more complex task of limiting information that is lost through illegal and potentially criminal means.
Until next time,
-Tim
For more than a year, unbeknownst to people who used Internet terminals at Kinko’s stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords.
Jiang had secretly installed, in at least 14 Kinko’s stores, software that logs individual keystrokes. He captured more than 450 user names and passwords, using them to access and even open bank accounts online. He was later caught and admitted to installing Invisible KeyLogger Stealth software at Kinko’s as early as Feb. 14, 2001.
Encrypting e-mail and Web sessions does nothing to combat keystroke loggers, which capture data before the scrambling occurs. Data cookies also contribute to the risk of identity theft. Cookies are files that help Web sites remember who you are so you won’t have to keep logging on to a site. Unless a user remembers to log out, these files could let the next person using the public terminal surf the Web as you.
Secure public terminals should by default have provisions for automatically flushing cookies and Web addresses when a customer leaves; however, many seldom have such a program in place.
Recently, during some business travel, I became trapped at the Salt Lake City airport facing a 5-hour delay before my next flight. I decided to find some peace and quiet (and a T1 internet connection) and went into a “LapTop Lane,” a franchise company that provides private offices in multiple airports in the U.S. Each LapTop Lane has between 4 and 10 private offices, each of which has its own desktop that individuals can use for an hourly fee.
I got settled in and was re-charging my laptop and decided to use the provided desktop. I opened up Microsoft Explorer to see what was on the computer, and much to my horror and surprise, I discovered no less than 20 saved customer documents on the computer. One of these documents was a confidential presentation from Cisco. I am not going to re-post the entire presentation here, but here is the first page of the document, where you can see it is definitely an internal, confidential document.

Users, like me, need to avoid using public terminals for anything other than general web browsing. Keep all confidential and non-public communications on your own secure computer to avoid a mess like the one described above.