John Nolan of Phoenix Solutions

How to Find Holes in Your Security: Morris Blatt

`Confidential’ Lessons: Nolan

Corrections or additions?

These articles by Kathleen McGinn Spring were prepared for the

September 5, 2001 edition of U.S. Newspaper. All rights reserved.

Guarding the Gates

It’s Now Easy to Grab Competitors’ Secrets,

But it’s More Difficult to Safeguard Your Own

Top Of Page
John Nolan of Phoenix Solutions

John Nolan, co-founder and chairman of the

business

intelligence firm Phoenix Solutions, says an amazing number of people

have a "Push to Talk" button. He knows this because many of

the 32 full-time and 85 part-time employees of his Huntsville, Alabama

company spend considerable time dialing up graphic artists,

accountants,

ad directors, engineers, and workers in dozens of other job

categories.

Their mission? Get unpublished information for clients about their

competitors’ new projects, products, and plans of all kinds.

The approach to unsuspecting informers goes something like this, Nolan

says: "Good morning Fred, I’ve been told you’re the smartest man

who ever wore hair on the subject of … (fill in the blank)."

Nolan finds the Freds of the world, very probably feeling at least

a little under-appreciated by their bosses, and rarely given an

opportunity

to show off their expertise, are remarkably willing to chat at length.

"Fifty out of 100 go for it right away," he says. His

employees

always identify themselves by name and company, and say they are

working

on a project for a client. Contacts who do not start talking

immediately

most often want to know who the client is. Thirty-five percent, told

that information can not be revealed, talk anyway. Only 15 percent

of the people Nolan’s trained interviewers call are unwilling to enter

into a conversation during which they will be skillfully probed for

all sorts of secret information.

While Nolan’s company makes these calls to clients’ competitors, he

finds it is considerably more productive to hunt information less

directly. "If money changes hands, information changes hands,"

he says. Any company’s customers, vendors, suppliers, PR firms, copy

centers, and accounting firms know a great deal about what a company

is about to do next. It is in this web of business partners that Nolan

instructs his employees to collect information for his clients.

This is just one of the ways that information — the new economy’s

most valuable currency — can be uncovered. Nolan’s firm

specializes

both in finding information for clients, and in helping them keep

their own vital information securely under wraps. Nolan, president

of the board of directors of the Society of Competitive Intelligence

Professionals, speaks at the organization’s NJ Education Day on

Monday,

September 10, at 8 a.m. at the Newark Airport Marriott. Cost: $135.

Call 908-979-0570. (Nolan is also author of the book,

"Confidential,"

an excerpt from which is printed beginning on page 47 of this issue.)

Nolan is a native of the Garden State. He grew up in Haddon Heights

and spent his summers in Cape May. Now living in Alabama, he points

out, as those who enjoy Cape May tend to, that he hasn’t moved all

that far, because, after all, "Cape May is below the Mason Dixon

line."

Nolan graduated from Mt. St. Mary College (Class of 1976), where

he majored in international relations and foreign policy. He then

served as an intelligence officer for the government for 22 years.

He was an Army officer, but says he was "detailed to other

agencies,"

dividing his time almost equally between intelligence and

counterintelligence.

He planned to obtain a Ph.D. and teach after leaving the Army, but

his wife nixed the idea. "She was tired of the relative poverty

of the Army life," he says, and was not eager to trade it for

the relative poverty of the academic life. She volunteered to relieve

him of family responsibilities for a time so that he could devote

time to studying business, which he did, earning advanced degrees

from the University of Central Michigan and the University of Southern

California. He founded Phoenix Consultants in 1991, and in 1997

started

up the Center for Operational Business Intelligence in Sarasota,

Florida (www.intellpros.com).

That organization provides practical intelligence training for

business

professionals.

Here are some of Nolan’s insights on corporate intelligence.

Technology has made the intelligence game easier, and more

difficult. "On the collection side, it’s immeasurably

easier,"

he says. "It used to take us weeks and months to find 75 good

sources." Thanks to the Internet, the same number of quality

sources

can now be unearthed in a matter of hours. The flip side, of course,

is that the other guy has access to the same wealth of information,

and is using it to undermine your business.

Newspapers are old news. "You don’t get intelligence

from what has been written," Nolan says. Keeping an edge requires

finding sources in the know who have not yet talked to a reporter.

Generally, leads to such primary sources are available by the hundreds

on the Internet. Look, Nolan says, for people within the target

company

who are published authors. Scrutinize job postings to find individuals

who have worked for the company, or are knowledgeable about the work

it does.

Foreign competitors may be a big threat. Nolan finds some

of the companies that are most aggressive in seeking intelligence

are based overseas. Common ploys, he says, include dumpster diving

to piece together projects from discarded notes, and staging fake

job fairs.

In the latter instance, the company trolling for inside information

advertises positions calling for the exact skill set people working

on the project it wants to know about are likely to have. Stated

salaries

and benefits are generous enough to entice candidates. When applicants

are interviewed it is only natural that they talk about what they

are doing in an effort to demonstrate that they would do a good job

for the new "employer." Nolan has worked this scam himself

in the course of helping clients identify ways their information could

leak out, and finds it is very effective indeed.

Security can vary by geographic region, and by

industry.

Nolan says that, while manufacturing employees in the Mid-West may

wear ID badges and pass through security checkpoints without

complaint,

the same measures could send Silicon Valley software developers in

search of new employment. Employers need to balance a need to keep

information secret with allowing their workers to operate in an open

atmosphere, and must know how far they can push.

Human beings purely love to talk — especially about

themselves

and about their work, says Nolan. A tendency to complain is pretty

much a given, too. That being the case, employers need to appeal to

their workers’ and business partners’ self-interest in urging secrecy.

Talk to them, Nolan says. Explain that keeping a project under wraps

can make the difference between a big market lead, and none at all.

Between big raises, and a freeze on wages. In the South, says Nolan,

such a talk is called a "Come to Jesus" meeting, and it can

be very effective in silencing those "Push to Talk" buttons.

Top Of Page
How to Find Holes in Your Security: Morris Blatt

Morris Blatt, a competitive intelligence

professional,

tells about a meeting with a client company. The president and eight

high-ranking staffers were in attendance. "What is your biggest

security problem?" Blatt asked. "`Leaks to the press,’"

replied five of the nine executives.

Blatt knew press leaks were the least of that company’s problems,

and he proved it. He set up another meeting early in the morning of

the following Wednesday. Arriving in the conference room with the

executives, Blatt watched as they read the whiteboard, which said

"Blatt: 8:30 Wednesday morning."

He had written the message hours before, in the dead of night, long

after the building was officially closed. He proceeded to hand the

executives 50 business cards, a couple of employee ID badges, and

a stack of documents he had collected in his unchallenged nocturnal

stroll through their offices. Sure, that company needed to worry about

press leaks, but first, says Blatt, it had to go out and hire a chief

of security.

Owner of three-year-old On Trac Solutions, a West Windsor competitive

intelligence company, Blatt is also a longtime member of SCIP, the

Society of Competitive Intelligence Professionals. He speaks at the

organization’s New Jersey Education Day on Monday, September 10, at

8 a.m. at the Newark Airport Marriott. Cost: $135. Call 908-979-0570.

Blatt holds a bachelor’s degree in engineering from Polytechnic in

Brooklyn (Class of 1968) and an MBA in finance from Monmouth

University (E-mail: ontrac@hotmail.com)

His interest in competitive intelligence began nearly 30 years ago

at one of his first jobs. He was working in operations for a chemical

company and wondered what the competitors were doing. It was a

question

that continued to interest him as he moved among industries and job

titles. Gathering information on what the competition is up to is

a function of many corporate divisions, he points out. Marketing,

pricing, technology, strategic planning, sales, research and

development

— all of these departments need to know who their competition

is, and what it is doing, or not doing.

After stints in chemicals, electronics, and telecommunications, Blatt,

who had been volunteering up to 40 hours a week to SCIP, and spending

significant time volunteering for the Special Libraries Association

too, decided to become a full-time competitive intelligence

consultant.

"It was a logical extension of what I was doing," he says.

Blatt does not sell data, but rather sets up competitive intelligence

departments, and offers training in gathering data, disseminating

it throughout layers of management, and acting on it. He also performs

security audits.

Blatt himself has a mighty appetite for data. "I read 400 to 500

annual reports a year, 200 magazines a month, and five newspapers

a day," he says. He also spends time surfing the Internet for

information and says, "what you don’t know about data will kill

you."

No casual reader, Blatt can extract much of what he needs from a

magazine

in one-and-a-half minutes flat. First, he looks at the advertising.

Who is spending big bucks on ads? And, perhaps more important, whose

ad budget obviously has been slashed? Then he reads letters to the

editor. Next, he looks for new product announcements. Only then does

he turn to the articles, clipping the ones that look interesting,

and filing them in a cross-referenced system for easy access later.

"Ninety to 95 percent of all information is publicly available

— if you know where to look," Blatt says. Beyond magazines

and newspapers, companies would do well to spend time at town hall,

where corporate building plans are likely to be on file, and even

at the local fire department, which will contain records of what

quantity

of which chemicals a corporation is storing where. (Information that

can go a long way toward giving away what the company is

manufacturing.)

Even press releases by elected officials gathering glory by announcing

plans to reel in a new corporate citizen can be valuable.

While Blatt says he "strongly believes in ethical standards,"

he knows that not everyone does. "Oh yes," he says, "there

are people who buy garbage, and try to put shredded documents back

together. There are dumpster divers."

Dumpster divers are unlikely to be a company’s biggest information

security problem, though. The enemy most likely is within, and in

many cases has no idea that he is giving away company secrets. What

is the one document you need to know all about a company? Blatt asks.

The answer, surprisingly enough: The phone directory. Get that, he

points out, and you know exactly how many secretaries, chemists,

engineers,

vice presidents, and media relations employees a company has, and

very likely, how the company’s departments are organized. Yet, he

says, few employees know the value the document has to competitors,

and take measures to safeguard it.

While gathering intelligence on competitors is vital to business

survival,

at least equally important is keeping the intelligence that

competitors

want away from them. Here is Blatt’s advice for keeping proprietary

information under wraps.

Educate employees on what is proprietary. Like the phone

directory, every company has documents, plans, products under

development,

legal issues, and hiring plans it does not want its competitors to

know about. Give employees guidelines. Let them know what information

is to stay in-house. And, if possible, mark documents — like that

phone directory — with a stamp that reads "proprietary."

Watch those loose lips. Blatt tells of flying out to a

meeting with a client, and, by chance, drawing a plane seat in a row

directly behind two of that client’s employees, who merrily chatted

about proprietary company information all the way across the country.

On another occasion, he ate in a company’s cafeteria — a big

"Visitor"

badge affixed to his lapel — while employees all around him talked

about new products under development. Employees should be drilled,

he says, on not talking about their company’s proprietary information

in public places, and particularly not in restaurants near the

company’s

offices.

Be on guard at industry conferences. There are certain

venues, says Blatt, where companies in a particular industry gather.

"All your competitors are there," he says. "You want to

look good. You get caught up in the moment." At such times, it

is especially easy to let secrets slip.

Realize E-mail is not secure once it leaves the company’s

firewall. Twice in the last year, Blatt has had E-mails

intercepted.

On one occasion, a person added an obscene sentence to the beginning

of an E-mail going to a client. "People don’t realize," Blatt

says, "that if you send an E-mail to Philly, it doesn’t go

directly

there." The message may pass through eight servers, and at each

location it can be opened, read, and even modified.

Turn off computers at lunch time. Most employees simply

stand up and walk out at lunch time, leaving whatever document they

have been working on up on their computer screens. Visitors walking

through are free to read whatever is there, possibly learning about

agreements or products the company had planned to keep under wraps

for months.

Lock up at night. Not only should doors be secured, but

employees should sign off from their computers, and should stow

sensitive

documents in locked drawers.

As for press leaks, Blatt says this is an area of concern. In

general, though, he says "don’t be paranoid. Getting information

out can be a good thing." Just make sure employees know which

subjects are off limits — things, for example, like the fact that

a consultant was able to roam freely through the offices well after

the last employee had left for the night.

Top Of Page
`Confidential’ Lessons: Nolan

In this excerpt from his book, "Confidential"

(HarperBusiness,

1999), John Nolan, former government intelligence officer, and founder

of both a competitive intelligence company and a competitive

intelligence

training institute for executives (see page 14), talks about how to

protect vital company information.

An Example from Coca-Cola: In their quest to keep

everything

under wraps, some organizations — both government as well as

business

— often miss these simple truths and expend precious resources

in a wasted effort. They fail to follow Bismarck’s admonition, "He

who seeks to protect all, protects nothing."

While it could be argued that there really are some things in a

government

program environment that demand complete protection, it’s rare that

a business can afford to keep absolutely everything about their

activities

secret. For example, the Coca-Cola formula story. They know what to

protect, and they’ve taken virtually every step known to man to keep

it secret, and it seems pretty clear that they want to protect it

forever. Yet they don’t go so far as to keep their product off the

shelves lest someone break down a sample into its precise ingredients,

quantities, and process, and be able to replicate it. No company can

stay in business if it keeps its products or services under lock and

key so that a rival can’t see them, and at the same time keeps them

away from customers too.

Let’s stay with the Coca-Cola formula for a little while longer as

we try to figure out this problem of knowing what to protect. Clearly,

anybody who has ever heard from Coca-Cola’s lawyers has learned that

trying to get the formula would be a long and very costly process.

That goes for anyone who has spent — and is making — billions

on a product that is worth protecting through all means possible.

Are you going to try and gain some competitive advantage from

Coca-Cola-or

any of your competitors by attacking their strongest and most

vigorously

defended asset? Hardly. Instead, you’re going to attack other aspects

of their business base. You’re going to go after their distribution

channel, for example. New packing approaches. New co-branding and

strategic relationships. New line extensions and where they’re headed.

Information about these kinds of things is what a competitor would

be after. Information that the rival can use either tactically or

strategically. That’s the information that Coca-Cola, you, or anybody

else is going to have to protect.

The Trojan Tractor Trailer: In the mid-1980s a senior

government official realized that he needed to provide some protection

for a major project that he’d been involved in for some time. He

called

for some assistance in protecting his project from disclosure,

especially

to the Soviets.

The planning meeting started poorly and went downhill rapidly. He

started off by saying that the program was well enough along that

it looked like the technology would work, and that it would be another

18 months before it could be fielded. In the meantime, it absolutely

needed to be kept under wraps.

A few well-pointed questions got some awkward answers. "How many

people know about this project?" When the answer was "over

300," eyes began to roll, especially after hearing that there

was no "knowledgeability list" of those who had been made

aware of the project. But at least it was a place to begin fixing

the problem.

The next answers were even worse. The project had been going on for

over three years at that point, and one room held nearly 50 safes,

all filled with the written materials and technical drawings related

to the technology. Virtually no other measures had been taken to

protect

the project, its open contracting for research assistance, or any

of the other, myriad elements that should have been in place for

years.

The recommendation: get 25 junior people with appropriate security

clearances, get 25 photocopy machines, 50 more safes, and an

eighteen-wheeler.

Photocopy everything in all the safes, and put the copies into the

new safes. Put the new safes on the tractor trailer and drive it into

Washington. Drive it through the front gates of the Soviet embassy

and leave it. Abandon it. In their suspicious, paranoid, and

xenophobic

way, the Soviets will look at every single document and every element

as if it was all part of a massive deception operation. They’d spend

far more than the 18 months needed to safeguard the new technology

in trying to figure out what was true and what was not, and they’d

be paralyzed. In the meantime, the project could go forward with new

protections built in.

Needless to say, the out-of-the-box solution set was not what the

humorless bureaucrat was looking for. But you get the point.

Cues and signals: You have to look for all those cues

that, when aggregated and analyzed, tell the tale. Cues and signals

that can be elicited from the person who has them. The person who

doesn’t attach any particular significance to the cues and signals

because he doesn’t understand the piecing together of the jigsaw

puzzle

that is the hallmark of the intelligence process. Cues and signals

that tell a competitor where your firm is headed.

Cues that are sometimes individual items themselves. Cues that are

sometimes patterns that reveal how and when something is going to

happen. Cues and signals like the pattern that one of your competitors

likes to make new product launch announcements with a great deal of

fanfare at a particular resort — and because they made the travel

and hotel reservations six months early, that provided their main

competitor an early warning to counter the product.

J&J Intercepts BMS’s Signal: Johnson & Johnson was making

a gazillion with America’s Number One Pain Reliever Tylenol.

Bristol-Myers

really thought that there was a place in America’s bloodstream for

another painkiller and developed Datril. They test-marketed it in

Peoria, Illinois, and Albany, New York, two bastions of

headache-suffering

Middle America. Two cities that they’d used many times for test

marketing

in the past. Two cities that helped Johnson & Johnson identify when

and what new products Bristol-Myers was planning on launching. Two

cities that were part of Bristol-Myers’s pattern of cues.

Johnson & Johnson’s monitoring of these patterns revealed the Datril

test marketing. Cues that revealed that Bristol-Myers was going to

attempt a price penetration for Datril at $1.89 a bottle, compared

with Johnson & Johnson’s $2.89 a bottle for Tylenol. Cues that

revealed

Datril’s entry on April 15. Cues that led Johnson & Johnson to tell

Mr. and Mrs. America and all the ships at sea that in making Tylenol

America’s number one pain reliever, J&J had recovered their

developmental

costs years earlier than projected. Cues that let J&J tell the folks

at home that J&J wanted to pass along savings to them in the form

of an immediate price reduction to $1.89 a bottle, complete with

rebate

coupons for anyone who’d bought a bottle in the last month. Cues that

let J&J do this on the first of April. Cues that let J&J completely

disrupt the entire Datril advertising campaign, to include the media

blitz that would have to be put on hold until the new Datril strategy

could be developed. Cues that let J&J take the offensive in a campaign

that eventually made the media refuse to take any Datril ad space

until they had their act together.

Cues that kept Datril from gaining anything more than a 1 percent

share a year later, when Tylenol was able to withstand the

Tylenolcyanide

murders. Imagine. Something that is supposed to help people overcome

pain winds up killing them instead. Certainly, not through any fault

of Johnson & Johnson’s. But what would’ve happened to Tylenol if

there’d

been a strong number two at the time of the murders? Anybody’s guess.

But it wasn’t Datril.

— Kathleen McGinn Spring


Next Story


Corrections or additions?


This page is published by PrincetonInfo.com

— the web site for U.S. 1 Newspaper in Princeton, New Jersey.

Facebook Comments