Tuesday, September 5, 2017

Competitive Intelligence in practice



Application of the automated data collection method from the company website as a method of competitive research


A common situation today is that, in pursuit of the best results, the marketing and human resources departments publish more information about the company than necessary on the official website or on platforms such as social networks. This is a serious security threat if those sources are monitored and processed by automated data collection and processing tools. For example, by tracking changes on a commercial website over a long period, we can obtain the following information, business methodology or formula:

  • Pricing strategy
  • Strategies related to goods in stock and/or inventory (for companies that provide specific services that depend directly on the inventory they use)
  • Are there problems with suppliers?
  • Who are the suppliers?

It is important to emphasize that no technical system can substitute for the awareness of the employee. There is no hardware or software that can replace the awareness of danger. The problem of leaking information is even more pronounced in the markets for apartments, books and collectibles. Furthermore, it is important to draw attention to the security risk that results from unwanted publications. For example, Michael Schrenk, at the DEF CON 2014 conference, stated the following in this connection: "If we keep track of posts on the official site of certain businesses for a long time, especially those specialized, you probably have enough information to be a bookkeeper for them."
 
In terms of trade secrets, many development projects can hardly be hidden from the competition, and a particular problem is that employees often do not understand how information can be collected. For example, job vacancies announced over a longer period can be used to build a picture of a company's portfolio of competencies, and also to find and define the company's most closely guarded development and strategic plans. Information of this kind can often be obtained from what a competing firm itself publishes, read together with public information on the state and direction of market development. A security risk that is often not recognized is the publication of surplus information in a job ad, especially since this data can be used both for social engineering and for reverse engineering. The list of employees is a trade secret because it corresponds directly to the competence of the company, especially where the company falsely presents itself as having competencies in areas where it does not have them. On the other hand, this information is often publicly available or easily verifiable in state registers such as those of the tax administration or the pension or health insurance fund. An additional problem for a company that seeks a competitive advantage through false presentation, or that wants to remain anonymous regarding its participation in certain projects, is that this public information can be triangulated and combined with data on specific projects. The most common scenario for this kind of processing is that software anonymously monitors a publicly available data source, for example the official website of a competing company, and builds from it, or from the changes that occur on it, a database that is then used for reporting.

This kind of work resembles investigative journalism, so it is clear why a good number of security experts currently come from that industry. A particularly good way to get a grip on the opinions and behavior of top management is to monitor DNS records, since DNS records preserve a history and are a great tool for timing events and, more importantly, ideas, especially in the case of political and marketing campaigns or businesses that require this type of publicity or public debate and consensus.

The basic security advice to the top management of any company for protecting the confidentiality of essential business information, and trade secrets in particular, would be: if you are thinking about security, ask yourself what happens if your official site is monitored and all data from it ends up in a database.

One way to prevent the unwanted leakage of information is to introduce a mandatory security audit of all information that is to be publicly disclosed. Only approved information, checked by all known security techniques before publishing, can be used in the public domain. The second way is to apply policies at the level of Active Directory, business software and network devices, together with a policy of protection measures that all employees are aware of and that is regularly maintained and improved to keep up with current threats and risks. Finally, the third way is to track the hosts that track your site, or that attempt, as competitors, to listen to your official communication channels with the world. In most cases this is allowed and easily done by using cookie technology on your site to collect the visitor's IP address, MAC address and access times. These technologies show whether someone is watching you, when, and how interested they are in particular information, and you can act accordingly: by preventing the leakage of information, by counter-espionage methods, or by deliberately delivering misleading information.
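The third measure, finding hosts that watch your site, can be sketched from the access times alone. The following is an added example, not code from the original post: it reads web server access logs rather than cookies, and flags clients that return to sensitive pages at evenly spaced intervals. The Common Log Format input, the `WATCHED` paths and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in Common Log Format (documentation IP ranges only).
SAMPLE_LOG = """\
198.51.100.7 - - [05/Sep/2017:00:00:02 +0000] "GET /pricing HTTP/1.1" 200 5120
203.0.113.20 - - [05/Sep/2017:09:14:10 +0000] "GET /pricing HTTP/1.1" 200 5120
203.0.113.20 - - [05/Sep/2017:09:15:42 +0000] "GET /pricing HTTP/1.1" 200 5120
203.0.113.20 - - [05/Sep/2017:09:16:05 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.7 - - [05/Sep/2017:06:00:01 +0000] "GET /pricing HTTP/1.1" 200 5120
198.51.100.7 - - [05/Sep/2017:12:00:03 +0000] "GET /pricing HTTP/1.1" 200 5133
192.0.2.55 - - [05/Sep/2017:13:30:00 +0000] "GET /careers HTTP/1.1" 200 7300
203.0.113.20 - - [05/Sep/2017:16:40:05 +0000] "GET /pricing HTTP/1.1" 200 5133
198.51.100.7 - - [05/Sep/2017:18:00:02 +0000] "GET /pricing HTTP/1.1" 200 5133
203.0.113.20 - - [06/Sep/2017:11:02:33 +0000] "GET /pricing HTTP/1.1" 200 5133
"""

WATCHED = ("/pricing", "/careers", "/stock")  # hypothetical sensitive pages
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) ')

def parse(log_text):
    """Yield (ip, timestamp, path) for requests to watched pages."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3).startswith(WATCHED):
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield m.group(1), ts, m.group(3)

def find_periodic_watchers(log_text, min_hits=4, max_jitter=0.05):
    """Return {ip: mean_interval_seconds} for clients whose revisits to one
    page are evenly spaced (std deviation of gaps <= max_jitter * mean gap)."""
    visits = defaultdict(list)
    for ip, ts, path in parse(log_text):
        visits[(ip, path)].append(ts)
    flagged = {}
    for (ip, path), times in visits.items():
        if len(times) < min_hits:
            continue  # too few visits to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            flagged[ip] = round(avg)
    return flagged

if __name__ == "__main__":
    print(find_periodic_watchers(SAMPLE_LOG))
```

Even spacing is only one signal: search-engine crawlers and uptime checks produce the same pattern, so a match is a prompt for review rather than proof that a competitor is watching.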
