Back in 1996, GoodFaith Pharmaceuticals was working on a drug discovery that would catapult its market position from the then 18th spot in its space to the number two slot.
The company was betting its growth on the development of a drug that would improve recovery times of a widespread illness thus saving billions of dollars in terms of patient 'downtime' and prevention of the aliment.
GoodFaith had cracked the basic molecular structure and was now working towards prototyping the most cost effective production route it would take.
The company had three options. The first was to use their existing patented molecules as the basic component, the second to license parts of the process from the market, and the third to leverage the enormous potential of certain herbal plants that their scientists had recently discovered.
One of GoodFaith's competitors -- StreetSmart -- meanwhile was also working hard. But its approach was more 'imaginative.' In addition to its traditional research group, StreetSmart hired a team of 'advisors' who were mandated to counsel them on the likelihood of success of GoodFaith's efforts and, particularly, to predict which one of its three approaches was most likely to succeed.
In early 2001, the advisory team called on StreetSmart to give its recommendations on the approach that GoodFaith would be most successful with. Not the formulations or the specifics of compositions -- just the fact that the herbal route was the one most likely to be successful.
StreetSmart's management pumped in all their resources and mindshare into this approach and beat GoodFaith to the market by 8 months. By the time GoodFaith was in a position to launch, StreetSmart held a dominant market position and consumer mindshare.
This failure wiped out GoodFaith's ambitions and any chance of heading for a top slot. Industry analyzers attributed the phenomenon to StreetSmart's brilliant research and marketing and GoodFaith's lethargy in a fast and competitive industry. A small team of people knew otherwise.
This story is fictitious. Or is it?
Consider the following. Earlier this year, a report to the European Parliament, asserted that American and European companies routinely engage in corporate espionage.
And many foreign corporations regularly receive help from intelligence-gathering networks in their own governments, which use the latest in information-monitoring technology to keep tab on threats to the state. According to the United States Chamber of Commerce, corporate espionage costs American shareholders at least $25 billion a year in intellectual property losses.
If you thought that this sort of skullduggery was limited to the shady companies or nameless government agencies, think again.
Oracle chief Larry Ellison himself had ordered professional snoopers to pilfer the garbage of his archrival Microsoft boss Bill Gates.
Procter & Gamble was caught doing the same to Unilever.
Software maker Avant lost almost 50% of its stock value in the spring of '97, when its top executives were caught stealing trade secrets.
And the same decade witnessed the drama of the high profile corporate espionage case of GM's Jose Arriortua. He had defected to Volkswagen with blueprints of a 'super-efficient' assembly plant that threatened to end the dominance of VW in the small car segment.
Closer home, Mahindra & Mahindra Chairman Anand Mahindra summarised the situation aptly when he said: "The assets of our company are not what we hold in our inventory today -- but what we are going to hold in our inventory tomorrow."
Espionage is as old as mankind, so what is new?
Plenty actually. The core business driver of the 21st century is 'intelligence.' The gap between the winners and the also-rans is as slim as a few weeks or in some instances just a few days. Intellectual property is indeed all-powerful.
Years of research can be lost by the theft of blueprints or formulations. Months of M&A work goes down the drain because competition steals the final figures on offer. In some industries, like large construction projects, the final tenders are transported much like gold bullion -- because the stakes are as high.
Why corporate espionage is easier now
Advent of the information age with its tools and technologies has made it much easier to 'gather' information and analyse intelligence.
If you want a first hand experience of this, just type your own name into a search engine like Google. You will be amazed at the amount of information that is available on you -- in the open domains. Schools you attended, groups that you belong to, professional certifications that you might have attained, your address, phone numbers, e-mail ID, papers you may have written, conferences you have attended, companies you have worked with, all interviews / articles that you have been featured in and usenets that you belong to.
And remember, this is just at the first level of information.
Trained intelligence analysts can easily ferret out deeper information through masqueraded phone calls, purported interviews of the victim company's employees, going through their garbage, creating 'e-relationships' with employees or joining usenets frequented by them.
Sometimes, in less than a few weeks, analysts could map the entire company, its core competitive advantages, including intellectual property, future strategies, human capital and the skeletons in its cupboards.
And all this is without actually penetrating the company -- so technically, not doing anything illegal. Once actual penetration begins, virtually nothing can be hidden from the determined and well-trained attacker.
The second issue that places most companies at risk is lack of employee awareness and education. At times, the management is to blame for the myopic approach that IT security should safeguard its intellectual property. There is an old saying in the intelligence circles: 'Those who believe that technology alone will protect their intelligence problems, don't know technology and don't know their problems.'
The misplaced over-dependence on technology to protect the company's intellectual property is ridiculous, given that, even in the most 'digitised' companies, over 70 per cent of critical information is still in non-digital forms.
Companies that invest hundreds of thousands of dollars in firewalls and PKIs (public key infrastructure) forget that over 15 per cent of their employees are talking to headhunters and prospective new employers (or competition) at that very moment. Or that several third parties and temporary employees are swarming all over their organisation with complete access.
About a year ago, I was called to advise a bank on its vulnerabilities. We were discussing a comprehensive penetration testing exercise to determine the bank's adequacy in terms of protection. To my incredulity, the CTO insisted that I test the bank only from the 'outside'.
That is to try and enter through the firewall and DMZ (de-militarised zone) only. On my questioning the rationale of such a limitation, I discovered that the bank had invested in building a strong firewall and a DMZ (I think a Reserve Bank of India regulation also played a role) and therefore believed that the intruder would come in only through the well-defended route.
Students of military history will remember the similarities to the Maginot Line syndrome. During the Second World War, French commanders insisted that the Germans would attack them on the Maginot Line simply because they had invested heavily in constructing it. German Panzers merely went around this 'unbreakable' wall and routed all troops inside the wall!
It might be worth remembering that the attacker is interested in the effect of entering the organisation, not in the experience of entering through a fortified technology.
But the single factor that makes corporate espionage devastating is its transparent nature. Physical assets -- when stolen get noticed and things can be attended to rapidly. But a company could be getting robbed of intellectual property or competitive advantage for years and might still not know what exactly is going wrong.
Competitors could be constantly beating them to the market, underbidding, or simply developing innovations cheaper and faster. And yet the management could probably attribute it to bad luck or worse. Once is happenstance, twice is coincidence, but if it happens more that three times, you can be sure that it is deliberate enemy action.
What can management do?
Just like most derisking strategies, protecting intellectual
capital is a fairly sophisticated initiative and there are many things that companies must do to protect themselves.
1. Think of protection inward out. We constantly advise companies on an obvious, yet often missed, fact. All companies have hundreds of security experts willing to work for free -- if only someone told them how!
Employees must form the organisation's first line of defence. Educated and aware employees are several times more efficient than the most sophisticated of security systems and available at a fraction of the cost.
2. Think Information Security, not IT Security. IT certainly needs to be secure and the tools have their place in an organisation. But it is (and must be understood to be) a subset of the InfoSec umbrella. Designing of robust processes and standard operating procedures such as classification of information and handling instructions for classified information (in all its forms) is an important part of this step.
Make InfoSec a part of the management KRA. This involves a cultural change in thinking, especially in the Indian subcontinent where elements of privacy and data protection are traditionally absent.
Process interlocks and change management initiatives take time and expertise to implement, but once in place they improve efficiencies dramatically because they are self-sustaining initiatives.
Conclusion
Kevin Mitnick, arguably one of the most notorious 'hackers,' had confessed that most of his hacks were nothing more that skillful lying coupled with ignorance of employees and sheer apathy of the management.
Yet while millions of dollars are spent in trying to beef up IT security, very few organisations realise that the best defence against corporate espionage begins with an attitudinal change among its people. Most continue to invest in expensive firewalls when they could be building efficient 'humanwalls'
The author is Chief Executive Officer, Mahindra Special Services Group.
More from rediff