A report released by the National Counterintelligence Center (NACIC) indicates that the Internet is the fastest-growing method used by foreign entities to gather intelligence about U.S. companies. While the report was largely concerned with questions about defense-related technology, it was not exclusively concerned with defense-related areas. Plus, your CI group (we assume you have one) and the CI groups of your adversaries (some of whom certainly have them) largely use the same techniques that spies use to gather 95 percent of the information they need, so you need to pay attention.
What does this mean to your company? It means that if you have an Internet presence you are adding to your potential risk. As always, there needs to be some balance between your ego and marketing needs, and the need to protect your information. It means that there is a need for someone in your corporate OPSEC program to be making sure that information being released is not doing more harm than good.
Since OPSEC is most widely used within the government, horror stories are generally most available from this venue. One of our favorites was a military base that had its own Web site. Now, there is always some question as to why the military needs a Web site. It is, after all, unlikely that someone might have a war, and would not know with whom to start it if they could not find a DOD Web site…
In this particular case there was a map of the base. As you moved the cursor over the map, the latitude and longitude would be displayed. This would, of course, be a great convenience for someone wanting to bomb the base. Fortunately, nobody seemed inclined to do so, and nothing bad happened before that feature was removed.
While this is an extreme case, the fact remains that if your corporate OPSEC practitioners are being excluded, the Internet – your Web site, and the information you give out in response to Internet queries – is probably needlessly costing you money in lost intellectual property.
The moral of this is to make sure that your OPSEC team is not being hindered from looking at your Internet presence. This will make sure that your SOX reporting will not disclose embarrassingly preventable losses.