A friend of mine, Robert Bugai, directed my attention to a fascinating article dealing with the recent Defcon conference in Las Vegas. Thanks, Robert.
So what is Defcon? It is a self-styled computer hacker convention.
The CNN article details an event at the conference, a contest, where an individual targets a specific company and tries to develop information that would help hackers, covering a whole series of questions in 20 minutes. The lesson for the attendees is that hackers “can pry secrets loose from America’s biggest and most guarded corporations” by making a phone call and using “a really good story”.
Some of the attendees at Defcon are in the business of protecting companies against computer hackers and what they describe as “social engineering” hackers. So what are social engineering hackers? They exploit human weaknesses to enhance their hacking efforts (that’s my take on it).
Anyway, they use the contest to illustrate the point that companies are as likely to lose important information over the telephone to strangers as they are to lose it to a computer hacker working from some anonymous location – again, that is my take.
What is interesting is that the competitors, for this is actually a contest, are given two weeks to gather background information on the target and even, one supposes, on the individuals they may call. And where do they get this critical background information? From corporate websites and social networking sites, like LinkedIn.
From there, the competitors develop a “patter” and call an individual at the target company. While they are not seeking personal information like Social Security numbers, they are seeking information that could be critical to a computer hacker, such as information on the computer operating system, the type of computer, and even what company cleans the offices.
The lesson is that companies do not pay nearly as much attention to protecting competitively sensitive information from outsiders as they think. While they may have sophisticated systems protecting their computers from hackers, they are not protecting themselves by alerting their employees that they, the employees, can be the target of efforts to collect competitively sensitive, or potentially destructive, information.
While the Defcon contest was aimed at entertaining those involved with computer security, its lesson is a broader one. The same willingness of employees to talk and to help, even when the outsiders are not trying to “con” them as the contestants at Defcon did, makes them vulnerable to legal and ethical elicitation efforts by competitive intelligence professionals.
To put it bluntly, you do not have to con someone or lie to them to get competitively sensitive information. What effective elicitation does is to act like judo, exploiting the strengths of a target. For example, if the target company’s strength lies in customer service, a competitive intelligence professional may simply make a call to customer service.
In one case, our firm was working with a client that was trying to find out when a new food product was going to be introduced on a national basis, a so-called “rollout”. After some research, we had a pretty good idea of what was going to happen and how likely it was that the rollout would be completed by year-end, but we wanted to make sure. So I called the toll-free customer service number for the food company, and just asked when the new product would be available in Pennsylvania, where I live. The customer assistance contact stopped, did some quick checking, and helpfully came back, telling me that the product would be available by the fall because “that’s when the national rollout starts
No con, no games, but legal and ethical. Competitively sensitive information helpfully disclosed.