Does your Web site reveal too much?
September 28, 1999
by Gary H. Anthes
(IDG) -- Stealing your company's secrets could be like taking candy from a baby -- and perfectly legal. Indeed, you may have posted a virtual "kick me" sign on your digital derriere by telling your story just a little too thoroughly at your Web site.
The Internet has prompted many to see information as a free resource available to everyone, all the time; and it has allowed companies to blab and brag as never before. But often those companies don't stop to consider that it isn't just customers and job seekers who are surfing their sites.
"Companies give you information about their customers and case studies about their products. A good analyst can look at that and kind of reverse-engineer what the company is up to," says Robert Aaron, president of Aaron/Smith Associates Inc. in Atlanta and an expert on gathering competitive intelligence.
Web site development is usually driven by marketing people who are cheerleaders for the company and its products, says Ira Winkler, president of Internet Security Advisors Group in Severna Park, Md. "But they often are not aware of proprietary information issues, and they put out more information than they should."
Sometimes information intended primarily for employee use gets linked to a company's public Web site. For example, Winkler says, one company made so much information about its network architecture available on its site that it had essentially drawn a hacker's blueprint. Another put its entire employee directory online, a one-click shopping guide for headhunters. "When the security manager found out, he went through the roof," Winkler says.
Los Alamos National Laboratory, the nuclear weapons research center near Santa Fe, N.M., combines information for internal as well as external users at its Web site. For example, its Weapons Neutron Research Facility lists the numbers of employees' office and cellular phones.
Publishing employee phone lists facilitates "social engineering" -- essentially sweet-talking secrets out of employees -- says Larry Watson, program manager for the FBI's Awareness of National Security Issues and Response unit. Web developers get so enthused about Internet technology and its ability to help customers and employees that "security concepts often get overlooked," Watson says.
Even if a company doesn't name its employees at its Web site, it's fairly common to detail employee benefits. That makes it easier for competitors to steal a company's employees or outbid them in recruiting.
High-technology companies seem especially prone to this practice. For example, Adobe Systems Inc. in San Jose posts its employee benefits online, including deductibles for medical and dental insurance, payroll deductions for optional coverage and details about its sabbatical programs, 401(k) plan, profit sharing and employee stock purchase plans.
Biotechnology and pharmaceutical companies are often promiscuous with their corporate information as well, says John Quinn, managing director of Quinn International in Great Falls, Va. For example, Cambridge, Mass.-based Biogen Inc. has three years' worth of press releases at its Web site detailing changes among the ranks of senior employees, research and development partnerships with other companies, product development plans, the status of experimental drugs and plans to build a new research and development center. Its descriptions of open jobs detail the specific research projects and goals that go with each job. Biogen declined to be interviewed for this story.
Some companies put information on their Web sites that's better reserved for the employee intranet, says Leonard Fuld, president of Fuld & Co. Inc., a competitive intelligence consultancy in Cambridge, Mass. "Organization charts don't serve to move a sale or customer awareness ahead at all, but they can help [a competitor] understand the structure of a company, how its overhead costs are allocated and so on."
Du Pont Co. has an information-rich Web site that, for example, lists the names, addresses, telephone numbers and plant managers for manufacturers of some of its products. "If I wanted to make a similar product, it tells me who's capable of producing it, something that otherwise would have taken a long time to put together," Aaron says.
Michael Leach, manager of information security at Wilmington, Del.-based Du Pont, acknowledges that the chemical company has "erred occasionally" in putting too much information on its Web site. But he says that's less likely to happen now that Du Pont has secure extranets for customers, suppliers and business partners.
"Du Pont has 100 lines of business, and you have lots of opinions about what's confidential and what's not," Leach says. "Why would you post the names of your distributors? Isn't that helping the competition? Yes, but it's also helping our customers find the right person to buy from."
Du Pont's decisions about Web content are made by the individual business units -- "by the people who own the information and who are either going to get the benefit or suffer the pain," Leach says. Nevertheless, there are corporate guidelines for what kinds of information can be published on the Web, based on an information classification scheme Du Pont devised in 1928.
The Boeing Co., to support its program to attract women- and minority-owned suppliers, posts at its public Web site the names, telephone numbers, business units, locations and purchasing responsibilities of its buyers. It also shows who reports to each buyer and to whom each buyer reports. "You can go up and down the personnel chart and find out who knows about fuel injectors for jet engines," Aaron says. "If you were a headhunter, it would be a tremendous resource. It's an example of good intentions gone bad."
Aaron says a risk of putting sensitive information on the Web is that the old-fashioned human filters are missing. No longer does an industrial spy have to convince a person on the telephone of his need and right to know. Aaron advises putting only basic information online, followed by a telephone number, so callers who want more information can be screened or checked out.
Timothy Powell, managing director of T.W. Powell Co. in New York, lists a "dirty dozen" of pieces of information -- such as job openings and customer references -- that companies look for at their competitors' Web sites. But he says that doesn't mean this information should always be withheld. "They have great strategic value on the site," he says. "The idea is to weigh the benefits vs. the potential liabilities."
One way to do that is to have your own people role-play a competitor's intelligence function to see what they might glean from your information, Powell says.
Jack Buffington, director of e-business at Orion Auto in Englewood, Colo., says the inferences competitors can draw from online job postings are "a concern," but that won't deter the insurance company from the practice. He says there is so much sensitive information elsewhere on the Internet -- in places such as message boards that companies can't control -- that the content at most company sites isn't that interesting to rivals.
Orion's competitive edge stems from certain innovative business processes that are available to a network of independent agents via a password-protected extranet, according to Buffington. Orion's lawyers set confidentiality standards for Internet and extranet Web content, and those standards are enforced by a strategic communications person, he says.
Such standards are vital, Winkler agrees. He advises taking a conservative approach with a policy that says all information is banned from a Web site except that which is explicitly allowed, rather than one that allows everything except that which is explicitly banned. "Web content policy should be an extension of your standard information security policy," he says.
12 things rivals search for on your site
Source: T.W. Powell Company, New York