How to Conduct a Counterintelligence Audit

By James D. Underwood

When you want your competitive intelligence team to test just how secure your organization is, attack it by conducting a counterintelligence audit. Create a red team, a group of your own people assigned the task of acting like an outside aggressor to penetrate your security and report any areas of vulnerability. Here’s how:

  1. Assemble your red team, choosing people in the organization who are likely to be clever and persistent in finding and testing vulnerable areas.

    Consider including one or more individuals who have the technical savvy to test network security and dig up information about your organization online.

  2. Instruct the team to pretend it’s working for your biggest competitor and try to gather information from outside the physical perimeter of your organization.

    Here are some examples:

    • What can they see from the perimeter of your firm? Customer names on shipments? Customer pickups of product?

    • If you have a gated entrance, what information can they gather from watching the traffic in and out of your property?

    • What can they learn if they follow your company vehicles when they leave your property?

  3. Instruct the team to evaluate external access points or other entry modes that may allow unauthorized, undetected access to the property.

    In other words, the team needs to find out how easy it is for just anyone to walk in off the street and gain access to internal information or for people inside the company who don’t have security clearance to access areas that require such clearance.

  4. Instruct the team to conduct CI on your company to find out what information is publicly accessible and see if any sensitive information is already out there.

    Use the same techniques that the CI team uses to dig up intel on competitors. If sensitive information is being leaked, you may need to conduct an internal investigation to identify the source of the leaks and plug the holes.

  5. Challenge the team to dig up any potentially sensitive information it can find on your organization’s website and by searching the web.

    This step often reveals a critical need to de-thatch corporate websites of older presentations, white papers, and information brochures that can be found with simple searches in Google and other search engines.

  6. Instruct the team to examine all external touch points of your organization (investor relations, marketing, sales, engineers, and so on) to identify any departments or individuals that are vulnerable to information leakage.

    For example, by design, industry user groups and trade associations are excellent for information exchange, but any employee who participates in these groups can become a source for leaks. These employees need to be advised on what to say and what’s strictly off limits. The same holds true for people in marketing and sales who attend trade shows.

After the team has wrapped up its work, debrief the team and create a detailed report of any security weaknesses. Present the report to the executive or department head who’s in charge of security.

The CI team should continue to monitor Slideshare, Twitter, Facebook, Pinterest, and other social sharing sites for presentations, pictures, and potentially revealing corporate information and work toward removing any such content from the web. Remember, if your CI team can find it, so can your competitors.