<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><!-- generator="wordpress/2.2.1" --><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0">

<channel>
	<title>webargos Blog</title>
	<link>http://blog.webargos.com</link>
	<description>Just another WordPress weblog</description>
	<pubDate>Mon, 17 Sep 2007 14:00:51 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.1</generator>
	<language>en</language>
			<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/WebargosBlog" type="application/rss+xml" /><item>
		<title>“If the Patriots can do it…”</title>
		<link>http://blog.webargos.com/uncategorized/%e2%80%9cif-the-patriots-can-do-it%e2%80%a6%e2%80%9d</link>
		<comments>http://blog.webargos.com/uncategorized/%e2%80%9cif-the-patriots-can-do-it%e2%80%a6%e2%80%9d#comments</comments>
		<pubDate>Fri, 14 Sep 2007 03:30:11 +0000</pubDate>
		<dc:creator>trhodes</dc:creator>
		
		<category><![CDATA[Information Loss]]></category>

		<category><![CDATA[Business Security]]></category>

		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/uncategorized/%e2%80%9cif-the-patriots-can-do-it%e2%80%a6%e2%80%9d</guid>
		<description><![CDATA[The New England Patriots won three Super Bowl titles in four years, building an NFL “Super Power” in what many believe to be an era of unmatched competitive poise.
However, did this team—long considered a model of success and effectiveness—cheat to do it? Did the Patriots use means described by many as “spying” to gain that [...]]]></description>
			<content:encoded><![CDATA[<p>The New England Patriots won three Super Bowl titles in four years, building an NFL “Super Power” in what many believe to be an era of unmatched competitive poise.</p>
<p>However, did this team—long considered a model of success and effectiveness—cheat to do it? Did the Patriots use means described by many as “spying” to gain that competitive edge? That is the pressing question as details emerge about the Patriots breaking NFL rules by secretly videotaping the defensive signals of the rival New York Jets this past Sunday.</p>
<p>In the NFL, information is relayed to players on the football field from coaches on the sideline in much the same way a baseball runner receives signs from the third base coach. As in baseball, most football teams use accepted methods (such as the naked eye from across the field) to attempt to “break” the signal code and decipher the opponent’s signs, thus gaining a competitive edge. Obviously, by knowing what play the opponent intends to use, a team can better prepare to counter it.</p>
<p>What allegedly happened with the Patriots—and presumably occurs with other NFL teams—is no different from what goes on every day in the business world. Companies of all sizes use various means, from legal and ethical competitive intelligence analysis to covert espionage and stealing of proprietary secrets, to proactively understand their competitors’ next moves. By identifying a competitor’s next move—whether it is new sales &amp; marketing tactics, pricing strategies, product roadmap, or M&amp;A plans—companies can blunt the competitor’s efforts, potentially reducing the loss of their own customers along with the associated revenue and market share.</p>
<p>In the business world, companies use various means of acquiring this information. I basically categorize competitive analysis into one of three categories:</p>
<p>1)    <u>Legal and ethical:</u> This is the use of 100% legal and ethical means of gathering and analyzing competitive information. Examples include research involving both primary sources (first person collection of information from one-on-one interviews, surveys, and focus groups) and secondary sources (utilizing existing public information).</p>
<p>2)    <u>Legal but unethical: </u>There definitely is a grey line in the world of competitive research. The legal system has not caught up with (or has ignored) current competitive research trends that utilize less than honest means. Remember, just because it is legal does not necessarily mean it is ethical. While billions of dollars are spent on IT and network security to prevent hackers from stealing digital information, experts in the art of “social engineering” are going right through a company’s front door and gathering confidential and proprietary information from unsuspecting employees. Social engineering involves the manipulation of people (rather than technology) to successfully breach an enterprise&#8217;s security. Social engineering remains the single <em>greatest</em> security risk, despite our advances in technology, and many of the most damaging security penetrations are the result of social engineering—<em>not </em>electronic &#8220;hacking&#8221; or &#8220;cracking.”</p>
<p>3)    <u>Illegal and unethical: </u>Examples in this category include utilizing electronic eavesdropping devices, posing as someone you are not to gain non-public information (including some types of social engineering, such as “pretexting” and “phishing”), and hiring individuals to steal confidential information.<u></u></p>
<p>Also in the second category above (legal but unethical) is the issue of “human error.” Employees often do dumb things, like leaving behind confidential documents at a Kinko’s.  In various media circles, former Patriots staffers allege that they were paid (or that they were instructed to pay others) to search meeting rooms of the visiting football teams’ hotels for strategic game-time documents. For example, it is fairly typical for a football team to script its first 10 to 15 offensive plays, and then distribute that list to players the night before a game. Often, extra copies of these and other documents get left behind in meeting rooms, where anyone can pick them up. This is the equivalent of a competitor in the business world searching through the hotel meeting room just used by the board of the target company.</p>
<p>In Pittsburgh, wide receiver Hines Ward told a news reporter this week that he suspected New England had deciphered the Steelers&#8217; offensive plans during the January 2002 AFC championship game.</p>
<p>&#8220;They knew a lot of our calls,&#8221; Ward said. &#8220;There&#8217;s no question some of their players were calling out some of our stuff.&#8221;</p>
<p>Whether your employer is an NFL football team or a top producing enterprise, you can limit the loss of strategy and confidential information by educating employees on information loss. Making employees aware that they can’t leave confidential information lying around—whether it is in a hotel conference room or online in an industry chat forum—is 90% of the battle.</p>
<p>By focusing on what is immediately controllable to reduce information loss, organizations can then move to the more complex task of limiting information that is lost through illegal and potentially criminal means.</p>
<p>Until next time,</p>
<p>-Tim</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/uncategorized/%e2%80%9cif-the-patriots-can-do-it%e2%80%a6%e2%80%9d/feed</wfw:commentRss>
		</item>
		<item>
		<title>Kinko’s Employee Records Sensitive Customer Data</title>
		<link>http://blog.webargos.com/information-loss/kinkos-employee-records-sensitive-customer-data</link>
		<comments>http://blog.webargos.com/information-loss/kinkos-employee-records-sensitive-customer-data#comments</comments>
		<pubDate>Fri, 07 Sep 2007 21:36:30 +0000</pubDate>
		<dc:creator>trhodes</dc:creator>
		
		<category><![CDATA[Information Loss]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/uncategorized/kinkos-employee-records-sensitive-customer-data</guid>
		<description><![CDATA[For more than a year, unbeknownst to people who used Internet terminals at Kinko&#8217;s stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords.
Jiang had secretly installed, in at least 14 Kinko&#8217;s stores, software that logs individual keystrokes. He captured more than 450 user names and passwords, using [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-size: 10pt">For more than a year, unbeknownst to people who used Internet terminals at Kinko&#8217;s stores in New York, Juju Jiang was recording what they typed, paying particular attention to their passwords.</span></p>
<p>Jiang had secretly installed, in at least 14 Kinko&#8217;s stores, software that logs individual keystrokes. He captured more than 450 user names and passwords, using them to access and even open bank accounts online.  He was later caught and admitted to installing Invisible KeyLogger Stealth software at Kinko&#8217;s as early as Feb. 14, 2001.</p>
<p>Encrypting e-mail and Web sessions does nothing to combat keystroke loggers, which capture data before the scrambling occurs. Data cookies also contribute to the risk of identity theft. Cookies are files that help Web sites remember who you are so you won&#8217;t have to keep logging on to a site. Unless a user remembers to log out, these files could let the next person using the public terminal surf the Web as you.</p>
<p>Secure public terminals should by default have provisions for automatically flushing cookies and Web addresses when a customer leaves; however, they seldom have such a program.</p>
<p><span style="font-size: 10pt">Recently, during some business travel, I became trapped at the Salt Lake City airport facing a 5-hour delay before my next flight. I decided to find some peace and quiet (and a T1 internet connection) and went into a “LapTop Lane”, a franchise company that provides private offices in multiple airports in the U.S. Each LapTop Lane has between 4-10 private offices, each of which has its own desktop, which individuals can use for an hourly fee.</span></p>
<p><span style="font-size: 10pt">I got settled in and was re-charging my laptop and decided to use the provided desktop. I opened up Microsoft Explorer to see what was on the computer, and much to my horror and surprise, I discovered no less than 20 saved customer documents on the computer. One of these documents was a confidential presentation from Cisco. I am not going to re-post the entire presentation here, but here is the first page of the document where you can see it is definitely an internal, confidential document.</span></p>
<p><img src="http://blog.webargos.com/wp-content/uploads/2007/09/cisco-presentation.jpg" alt="cisco-presentation.jpg" /></p>
<p><span style="font-size: 10pt">Users, like me, need to avoid using public terminals for anything other than general web browsing. Keep all confidential and non-public communications to your secure computer to avoid a mess, like described above.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/information-loss/kinkos-employee-records-sensitive-customer-data/feed</wfw:commentRss>
		</item>
		<item>
		<title>Study Shows Businesses Overestimate Their Ability to Prevent Data Loss</title>
		<link>http://blog.webargos.com/business-security/study-shows-businesses-overestimate-their-ability-to-prevent-data-loss</link>
		<comments>http://blog.webargos.com/business-security/study-shows-businesses-overestimate-their-ability-to-prevent-data-loss#comments</comments>
		<pubDate>Tue, 28 Aug 2007 17:06:07 +0000</pubDate>
		<dc:creator>dwoods</dc:creator>
		
		<category><![CDATA[Information Loss]]></category>

		<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/business-security/study-shows-businesses-overestimate-their-ability-to-prevent-data-loss</guid>
		<description><![CDATA[An independent study conducted by Websense Inc. shows that many small and medium sized businesses are at a greater risk of information loss than they realize.  99% of IT managers feel their company is somewhat protected from internet data loss, but only 22% feel their company is completely protected and only 20% use internet [...]]]></description>
			<content:encoded><![CDATA[<p>An independent study conducted by <a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&amp;STORY=/www/story/08-27-2007/0004651680&amp;EDATE">Websense Inc.</a> shows that many small and medium sized businesses are at a greater risk of information loss than they realize.  99% of IT managers feel their company is somewhat protected from internet data loss, but only 22% feel their company is completely protected and only 20% use internet security software.  It is very disheartening that 80% of all small and medium sized businesses are not taking even basic security precautions.  Internet security software is inexpensive and simple to implement; if your company doesn&#8217;t have it in place, then your IT manager needs better training to help them get your company to a baseline level of internet security.</p>
<p>The IT managers surveyed identified the following threats as the top risks to their business:</p>
<ul>
<li>74% - employees clicking on email links from unknown sources</li>
<li>53% - employees accidentally sending company email to the wrong address</li>
<li>50% - employees deliberately or accidentally accessing adult websites from work</li>
</ul>
<p>73% of employees surveyed admitted to engaging in at least one of those behaviors, 54% admitted to more than one, and 27% admitted to engaging in all three.  This clearly points to a huge lack of training.  First and foremost, every company should have an acceptable internet use policy that they actively enforce.  Upon employment, every person should receive training that clearly explains these policies and why they are important to keep the company&#8217;s confidential information safe.  Preventing risky behaviors like these should be one of any IT manager&#8217;s top priorities.</p>
<p>41% of employees said they believed their IT department was protecting them from every internet security threat, and 45% said their IT department provided some protection but they weren&#8217;t sure how much.  The bottom line is that most companies need better security policies in place, IT departments need to be better able to implement those policies and procedures, and employees need better training to understand what their responsibilities are to protect the company&#8217;s confidential information.  If your company does not have an internal resource with the expertise to help you achieve these goals, the best step to take is to hire an outside consultant who specializes in training companies in your industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/business-security/study-shows-businesses-overestimate-their-ability-to-prevent-data-loss/feed</wfw:commentRss>
		</item>
		<item>
		<title>Update: Monster Waited 5 Days Before Disclosing Theft</title>
		<link>http://blog.webargos.com/business-security/update-monster-waited-5-days-before-disclosing-theft</link>
		<comments>http://blog.webargos.com/business-security/update-monster-waited-5-days-before-disclosing-theft#comments</comments>
		<pubDate>Sat, 25 Aug 2007 14:23:27 +0000</pubDate>
		<dc:creator>admin</dc:creator>
		
		<category><![CDATA[Information Loss]]></category>

		<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/business-security/update-monster-waited-5-days-before-disclosing-theft</guid>
		<description><![CDATA[On August 20th, we brought you the story of Monster.com losing 1.6 million customer records when administrator level accounts were compromised.  It has now been revealed that Monster waited 5 days before sending letters to the affected customers on August 21st informing them of the situation.  The problem is the customers were exposed to a [...]]]></description>
			<content:encoded><![CDATA[<p>On August 20th, we brought you the story of Monster.com losing 1.6 million customer records when administrator level accounts were compromised.  It has now been revealed that Monster waited 5 days before sending letters to the affected customers on August 21st informing them of the situation.  The problem is the customers were exposed to a fraudulent email which appeared to be from Monster.  If they had been notified of the issue sooner, the vast majority of them might have never opened the email and downloaded the virus it contained.</p>
<p>Monster waited to send out the letter because they thought they could contain the inevitable PR disaster, but have instead attracted even more negative attention.  If handled properly, some data leaks never need to become public knowledge, but ones of this scale need to be handled by notifying the affected people ASAP.</p>
<p>It is a good bet that Monster did not have a policy in place beforehand to deal with this type of situation, so when it happened they inevitably mishandled it.  Companies need to have policies and procedures in place for handling all different sizes of information leaks before they happen.  They need to know when they can handle the situation quietly behind the scenes, and when the public has to be notified.  Now, in addition to dealing with the damage caused by the original information leak, Monster has to handle the additional scrutiny for waiting so long to tell people.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/business-security/update-monster-waited-5-days-before-disclosing-theft/feed</wfw:commentRss>
		</item>
		<item>
		<title>The Cost of a Lost Laptop</title>
		<link>http://blog.webargos.com/business-security/the-cost-of-a-lost-laptop</link>
		<comments>http://blog.webargos.com/business-security/the-cost-of-a-lost-laptop#comments</comments>
		<pubDate>Thu, 23 Aug 2007 21:06:22 +0000</pubDate>
		<dc:creator>dwoods</dc:creator>
		
		<category><![CDATA[Information Loss]]></category>

		<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/business-security/the-cost-of-a-lost-laptop</guid>
		<description><![CDATA[A New York City official reported today that a laptop with the financial information of as many as 280,000 city retirees was stolen from a private consultant when he took the laptop with him to a restaurant.  As we have mentioned on this blog numerous times, you should only allow a third party access [...]]]></description>
			<content:encoded><![CDATA[<p>A New York City official reported today that a laptop with the financial information of as many as 280,000 city retirees was stolen from a private consultant when he took the laptop with him to a restaurant.  As we have mentioned on this blog numerous times, you should only allow a third party access to your confidential information after they have undergone thorough training to make sure they understand your security policies and procedures.  With so many high profile cases of laptops being stolen in the news, thieves are looking for unattended laptops more than ever.  Even if the thief doesn&#8217;t use the information directly, he can sell it to someone who will, or spread the information on the internet for anyone to use.</p>
<p>Although you need to be careful anytime you allow a consultant to handle your confidential information, you have to be even more cautious when you allow sensitive data to leave your premises on a laptop.  The lost laptop itself may be worth only $2000 - $3000, but according<span id="lblStory" class="text"> to the numbers from the 2002 Computer Security Institute/FBI Computer Crime &amp; Security Survey, the actual financial loss of a laptop theft is estimated to be $89,000.  Although this number is shocking at first, consider the manpower involved in just contacting the 280,000 people, explaining exactly what was stolen, and advising them on the best way to secure their finances.  It wouldn&#8217;t be surprising if the loss of this particular laptop cost New York City millions of dollars. </span></p>
<p>The most obvious precaution to take with laptops that leave the premises is to make sure the user never leaves them unattended; however, the users are human and can make mistakes.  The only way to be sure your information isn&#8217;t stolen is to  encrypt all the data on the hard drive.  Some hard drive manufacturers such as <a href="http://www.eweek.com/article2/0,1895,1825740,00.asp">Seagate</a> have started manufacturing laptop hard drives that automatically encrypt all the data on the drive.  If your laptop doesn&#8217;t already have that functionality, there are numerous software applications you can use to keep your data encrypted.  Good hard drive encryption can render a laptop almost useless to a thief, which can save your company hundreds of thousands of dollars in the event of a laptop being stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/business-security/the-cost-of-a-lost-laptop/feed</wfw:commentRss>
		</item>
		<item>
		<title>Information leaks?  Blame your office photocopier and your local Kinko’s</title>
		<link>http://blog.webargos.com/business-security/information-leaks-blame-your-office-photocopier-and-your-locak-kinkos</link>
		<comments>http://blog.webargos.com/business-security/information-leaks-blame-your-office-photocopier-and-your-locak-kinkos#comments</comments>
		<pubDate>Mon, 20 Aug 2007 15:58:37 +0000</pubDate>
		<dc:creator>trhodes</dc:creator>
		
		<category><![CDATA[Information Loss]]></category>

		<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/?p=23</guid>
		<description><![CDATA[Your office photocopiers can now be added to the list of items that can leak personal data. Recent personal data losses across the nation have been attributed to employees mishandling or purposefully removing hard drives located in multi-function printers (often called MFPs) for the purposes of exploiting the information that is digitally held by the [...]]]></description>
			<content:encoded><![CDATA[<p>Your office photocopiers can now be added to the list of items that can leak personal data. Recent personal data losses across the nation have been attributed to employees mishandling or purposefully removing hard drives located in multi-function printers (often called MFPs) for the purposes of exploiting the information that is digitally held by the memory devices inside them.</p>
<p>The security issue pertains only to higher-end MFPs that digitally store copied or scanned images temporarily or on a short-term basis. These MFPs usually contain small hard drives that can be removed and accessed by virtually anyone who has a computer and a hard drive data cord. The problem is so significant that a major copier company issued a security advisory warning that the hard drives on many photocopiers can store scanned documents.</p>
<p>So how easy is it to obtain information or documents from these machines? I decided to do a little test of my own by going to the local Kinko’s, since our office copier lacks anything “high-end.” (That is another story.) I found a higher-end digital copier machine that had scanning capabilities. My intention was to ask a Kinko’s employee if the machines had hard drives embedded within their skeleton; however, I came across something that captured my interest. I discovered that the machine had a “recall” option where the last three items copied or scanned were still made available! I chose one of the three, and the MFP started printing out 10 copies of what appeared to be a confidential presentation from a local company that was proposing the acquisition of a large, publicly traded company. I later checked secondary research and open-source news and investor sites and discovered that the notion of a merger or acquisition with the company in question was not even being considered, much less publicly released. This could have caused a real issue for the company involved if a “get-rich quick” trader had leveraged this information in the stock market.</p>
<p>I then asked one of the Kinko’s employees about the hard drives allegedly installed in these machines. The employee kindly told me that these copy machines were “top-of-the-line digital MFPs…each containing 1 GB [Gigabyte] of hard drive space for storage.” When I asked how this information could be accessed, she told me that the hard drives are “easily removable” from the machines. I then inquired about how this might place personal or corporate information at risk, and I was surprised by the response I received from her: “That is definitely an issue [internal MFP hard drives], but what gets me the most is when people come in here [to Kinko’s] from area businesses and photocopy and print dozens of copies of confidential and non-public materials and then just leave extra copies laying around. I am always picking up off the printers or copiers copies of presentations marked ‘confidential,’ ‘do not distribute,’ or ‘internal company information – not for external distribution,’” the employee told me. She further told me: “And, it must be common knowledge that documents get left at a Kinko’s, because there was a guy who came in here each week and collected presentations and extra copies left on the printers or scanners. After about the fourth or fifth day, I asked him what he was doing and he told me that he worked for [name omitted – the company is a competitor of a Fortune 500 company in the area]. He was hired as the company’s competitive intelligence manager and one of the first places he goes to get his information is the Kinko’s closest to the competitor’s facility.” My jaw nearly dropped.</p>
<p>While I remain extremely concerned about the issue of security with digital copy machines, I am also concerned that companies are actually lurking at Kinko’s shops for competitor information. So, let this be a lesson: not only are digital copy machines not secure, it appears that employees who lack common sense are making the local copy shop a source of competitive intelligence!</p>
<p>This is an example of why company employees need basic awareness training about information security. Leaving confidential documents behind in public places is 100% sheer laziness. According to the Kinko’s store manager of the location I visited, “Every Kinko’s has secure shredder boxes for customers to use. We make sure that any piece of paper that goes into that box is shredded and unable to be used by a would-be identity thief or corporate intelligence agent.”</p>
<p>Investing in basic employee awareness training is a must for increasing awareness about confidential document security. But this story is also a good reminder that annual audits of your company’s risk level for information loss can help prevent embarrassing incidents of personal customer data loss or confidential company document loss. The key to raising that awareness is understanding that office equipment and devices that hold information – either temporarily or for long periods of time – can be accidentally or intentionally transferred to criminals who wish to make a quick buck by directly using or selling this information.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/business-security/information-leaks-blame-your-office-photocopier-and-your-locak-kinkos/feed</wfw:commentRss>
		</item>
		<item>
		<title>Monster loses 1.6 million customer records</title>
		<link>http://blog.webargos.com/information-loss/monster-loses-16-million-customer-records</link>
		<comments>http://blog.webargos.com/information-loss/monster-loses-16-million-customer-records#comments</comments>
		<pubDate>Mon, 20 Aug 2007 15:54:20 +0000</pubDate>
		<dc:creator>dwoods</dc:creator>
		
		<category><![CDATA[Information Loss]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/?p=22</guid>
		<description><![CDATA[Symantec Corp. has reported that 1.6 million records from the popular job posting site Monster.com have been stolen.  The stolen information includes names, e-mail addresses, home address, phone numbers and resume identification numbers of people who posted their resumes to the site.   Hackers were able to gain access to the personal information by compromising the [...]]]></description>
			<content:encoded><![CDATA[<p>Symantec Corp. has reported that 1.6 million records from the popular job posting site Monster.com have been stolen.  The stolen information includes names, e-mail addresses, home address, phone numbers and resume identification numbers of people who posted their resumes to the site.   Hackers were able to gain access to the personal information by compromising the user names and passwords of individuals who have privileged access to Monster.com.  Monster gives some recruiters and human resources personnel access to this very sensitive information to make their jobs easier, but incidents like this one can happen if even one person loses their login information.</p>
<p>Attackers used the information they gained to send phishing emails to the victims which fraudulently claim to be from Monster.com.  Any users who clicked the link in the email had malware automatically downloaded to their computer which attempted to steal bank account details, credit card numbers, and other highly personal information.</p>
<p>In the future, Monster should rethink their access control policies to prevent incidents like this one from occurring.  They should provide better training to users with access to sensitive information and have strict guidelines concerning the handling of login information.  An ongoing monitoring system that watched for suspicious activity, like downloading the information for more than a certain number of people at a time, could have greatly reduced the number of people affected by this break-in.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/information-loss/monster-loses-16-million-customer-records/feed</wfw:commentRss>
		</item>
		<item>
		<title>IT Contractor Responsible for Five Security Breaches</title>
		<link>http://blog.webargos.com/business-security/it-contractor-responsible-for-five-security-breaches</link>
		<comments>http://blog.webargos.com/business-security/it-contractor-responsible-for-five-security-breaches#comments</comments>
		<pubDate>Thu, 16 Aug 2007 16:26:18 +0000</pubDate>
		<dc:creator>dwoods</dc:creator>
		
		<category><![CDATA[Online Security]]></category>

		<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/?p=21</guid>
		<description><![CDATA[Verus Inc., a medical IT contractor, closed its doors after being implicated in exposing the sensitive information of five different hospitals across the country.  The contractor was responsible for maintaining the websites and services of 40 to 60 different US hospitals nationwide.  Most large companies depend on outside contractors to perform similar services [...]]]></description>
			<content:encoded><![CDATA[<p>Verus Inc., a medical IT contractor, closed its doors after being implicated in exposing the sensitive information of five different hospitals across the country.  The contractor was responsible for maintaining the websites and services of 40 to 60 different US hospitals nationwide.  Most large companies depend on outside contractors to perform similar services on their behalf, and most of the time companies just assume the contractor has the knowledge and experience necessary to handle their confidential information.  Before releasing sensitive information to outside contractors, it is imperative that you make sure the contractor has policies and procedures in place that meet or exceed your own internal standards.</p>
<p>All five incidents occurred when an employee shut down a firewall during the transfer of data from one server to another. This huge mistake would have been easily preventable if the company had had standard procedures in place for transferring confidential information, and better employee training to make sure everyone involved in the process knew and understood the guidelines. All told, the personal information of over 80,000 different patients from five different hospitals was exposed.</p>
<p>After knowledge of the security breaches became public, all of the hospitals terminated their contracts with Verus, but irreparable damage was already done.  The most damage was done to the five hospitals who lost patient information.  The affected patients will hold the hospitals responsible for the information loss, even though it was the contractor&#8217;s fault.  Even the hospitals whose patient information wasn&#8217;t exposed had their reputations tarnished from the incident; after all, it was only by chance that the other hospitals lost data and not them.</p>
<p>Everyone who handles your confidential information is at risk of losing it, and your company will be held responsible if it ever happens.  No matter how good your own internal policies and procedures are, information loss can still occur if you don&#8217;t frequently audit those of your contractors, partners, and resellers.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/business-security/it-contractor-responsible-for-five-security-breaches/feed</wfw:commentRss>
		</item>
		<item>
		<title>Protecting customers’ personal information</title>
		<link>http://blog.webargos.com/business-security/protecting-customers-personal-information</link>
		<comments>http://blog.webargos.com/business-security/protecting-customers-personal-information#comments</comments>
		<pubDate>Thu, 09 Aug 2007 18:03:24 +0000</pubDate>
		<dc:creator>trhodes</dc:creator>
		
		<category><![CDATA[Business Security]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/?p=16</guid>
		<description><![CDATA[Securing confidential documents is more than just making sure that the Internet is free from your company&#8217;s non-public information. It is also about ensuring you protect your customer&#8217;s information.
Last week, I was taking my trash to the outside trash bin when I discovered hundreds of service agreements for consumer cellular service scattered about the trash [...]]]></description>
			<content:encoded><![CDATA[<p>Securing confidential documents is more than just making sure that the Internet is free from your company&#8217;s non-public information. It is also about ensuring you protect your customer&#8217;s information.</p>
<p>Last week, I was taking my trash to the outside trash bin when I discovered hundreds of service agreements for consumer cellular service scattered about the trash area. Upon closer examination, the paperwork appeared to be from a local cellular reseller that has a store in the same business park as my office. I looked closer and discovered that each of these service agreements (I counted 500 in all) had customers&#8217; personal information on them, including their full social security number, date of birth, home phone number, address, and driver&#8217;s license number. More than enough personal information for a criminal to steal someone&#8217;s identity. I scanned one of these in for you to see: <a href="http://blog.webargos.com/wp-content/uploads/2007/08/bb4a8662.pdf" title="bb4a8662.pdf">bb4a8662.pdf</a> (I blacked out all personal information so as not to have the person&#8217;s identity stolen. But trust me, none of it was blacked out sitting in the open parking lot of my office complex!)</p>
<p>Utilizing basic common sense and shredding these documents can prevent people&#8217;s identities from being stolen. What is more, it might save your company from costly legal battles and the embarrassment of public scrutiny if this happened to you!</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/business-security/protecting-customers-personal-information/feed</wfw:commentRss>
		</item>
		<item>
		<title>Protecting your business from threats</title>
		<link>http://blog.webargos.com/webargos/protecting-your-business-from-threats</link>
		<comments>http://blog.webargos.com/webargos/protecting-your-business-from-threats#comments</comments>
		<pubDate>Wed, 01 Aug 2007 01:49:59 +0000</pubDate>
		<dc:creator>Damon Clifford</dc:creator>
		
		<category><![CDATA[Internal Security]]></category>

		<category><![CDATA[Online Security]]></category>

		<category><![CDATA[Business Security]]></category>

		<category><![CDATA[webArgos]]></category>

		<guid isPermaLink="false">http://blog.webargos.com/?p=15</guid>
		<description><![CDATA[Businesses large and small must guard against outside threats each and every day.  Businesses are constantly under attack and the weakest vulnerability will be exploited.  These threats can come in all different forms from employees, hackers, or natural disasters.  Each one can cause equal damage.
According to PC Magazine, &#8220;Forrester estimates that 39% [...]]]></description>
			<content:encoded><![CDATA[<p>Businesses large and small must guard against outside threats each and every day.  Businesses are constantly under attack and the weakest vulnerability will be exploited.  These threats can come in all different forms from employees, hackers, or natural disasters.  Each one can cause equal damage.</p>
<p>According to <a href="http://www.pcmag.com/article2/0,1895,2164152,00.asp">PC Magazine</a>, &#8220;<em>Forrester estimates that 39% of small businesses will &#8220;significantly upgrade their security environment&#8221; and 44% will &#8220;significantly upgrade their disaster recovery capabilities&#8221; this year.</em>&#8221;</p>
<p>It&#8217;s even more important for small businesses to protect themselves from threats because the aftermath can be devastating.  </p>
<p>The first step in protecting your small business is to have a <a href="http://www.thecreswellchronicle.com/news/story.cfm?story_no=4304">Disaster Plan</a>.</p>
<p>&#8220;<em>According to the National Archives &amp; Records Administration, 93 percent of companies that had trouble restoring their data after a disaster were out of business within 18 months</em>.&#8221;</p>
<p>A disaster plan should include ways to prevent your data from being exploited. This can be done by defining proper policies within your company. It should also define how you are going to protect your data with procedures. If someone breaks your policy, whether it be an employee, contract worker, or outside element, you should have a procedure in place to make sure that data doesn&#8217;t get compromised. Finally, if your data is compromised, you need to be able to remove it from public view. If your proprietary information is being displayed on websites or other places on the Internet, you need a plan to take that information down. This is where the services from webArgos become invaluable.</p>
<p>&#8220;<em>With today&#8217;s technology and tools, keeping a business safe doesn&#8217;t have to be a difficult or time-consuming process</em>.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.webargos.com/webargos/protecting-your-business-from-threats/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
