Stop Giving Away Your Secrets

July 1, 2004
Michael D. Lam

Pharmaceutical Executive


Big pharma companies aggressively gather sensitive intelligence about their competitors, but few, strangely, make a systematic effort to protect their own.

Security at work is tight. No one waltzes through the lobby without ID. Passwords and entry codes are required within. Firewalls ring the computer network. Transmissions are routinely encrypted. The grounds are guarded, the perimeter fenced. Surveillance cameras abound. The company's prized knowledge assets are beyond the reach of renegades and rivals, right?

Wrong. A simple phone call to an unsuspecting employee can yield information that a professional intelligence operative can join with other seemingly innocuous fragments to figure out your company's next move.

Don't doubt that competitors are trying to ferret out your plans. Over the last decade, nearly every top-tier pharma has created a competitive intelligence (CI) function to legally and ethically acquire strategically significant external market information. In fact, according to John McGonagle, managing partner of CI experts The Helicon Group, "CI is probably more widespread in pharma than in other industries."

So, what have pharma companies done to protect themselves from snoops? Practically nothing. "Fewer than five firms even think about throwing roadblocks in front of their competitors," says Neil Mahoney, president and principal of pharma CI specialists Global Business Management Concepts. For pharma companies to gain an edge, gathering intelligence is not enough. They must play defense too. As William DeGenaro, co-founder of The Centre for Operational Business Intelligence, likes to say, "You don't have to make it easy, you don't have to make it fast, and you certainly don't have to make it cheap for the other guy to find out what you're doing."

This article outlines what pharma companies can do to better shield their secrets from competitors.

Defensive Lapses

What does insufficient defensive or counterintelligence cost pharma? "Nobody really knows," says John Verna, executive managing director and principal at Citigate Global Intelligence & Security. But the American Society for Industrial Security reported that during a 12-month period in 2000-2001, US companies suffered losses of proprietary information and intellectual property worth between $53 billion and $59 billion. Some of it was pilfered. But much was published on corporate websites, overheard in an exhibit hall or hotel bar, or glimpsed over someone's shoulder on a laptop. Some simply walked out the door.

How do these modest lapses add up to billions of dollars lost? Say company A learns the timing and content of competitor B's new product launch by talking to physicians and monitoring its clinical programs. Company A runs Phase IV trials on its own product. When Company B's competitive product hits the market, Company A is ready to undercut its competitor's claims with a countermessage. According to Mahoney, "This hurts you by diminishing your initial foothold and lowering your acceleration curve. It's not just an initial six-month sales hit, it's a 10-year hit." And that can amount to many millions of dollars in lost revenue.

How often does this kind of thing happen? More than you might suspect. Verna's firm once had a pharma client that was convinced its competitors "ignored it most of the time." So Citigate, a business intelligence, business controls, and security consultancy, launched an investigation. It turned out that three of five competitors "didn't have much in the way of research capability - odd, considering the industry," Verna says. But they did have extremely active CI functions, including personnel "who did nothing but track our client: its marketing, public relations, manufacturing, customer buying trends, pricing - the whole nine yards - but especially research and science." As for the competitors' research capabilities, Verna says they "had a tiny 'R' and a nice big 'D' because CI gave them a good sense of the most fruitful avenues for product development." What was the client's response? "Those people spend a quarter to half a million dollars just on staff resources alone just to keep an eye on us? We ought to do more to protect what we have."

The question is: How?

Corporate Insecurity

CI professionals characterize corporate security as "gates, guards, guns, and dogs." They grant them full credit, McGonagle says, for "stopping the guys with the black hats, the burglars, hackers, and folks who want to firebomb your research center because you do animal testing." But corporate and computer security - and the legal department, which uses civil law to protect intellectual property - will not prevent valuable information from leaking out.

For one thing, according to Mark Robinson, president of CI consultants Competitive Strategies, security people "aren't trained in information protection." What's more, security officers know little or nothing about their companies' strategy, says Douglas Bernhardt, veteran CI professional and managing director of Geneva-based iMentor Management Consulting, so "they don't know what they're supposed to be protecting apart from the furniture."

But the real problem, according to Bernhardt, is that "the area of greatest vulnerability, the real danger" lies elsewhere. As CI consultant Leonard Fuld says, "More damage is done by a company being lax about how it handles information than by thieves." The reason? "The most value-added information one collects is from human sources," Bernhardt notes.

The Human Factor

Although corporations are occasional targets of both economic and industrial espionage, their Achilles' heel is inadvertent disclosure.

To be clear, CI, if practiced in accord with the code of ethics of the Society of Competitive Intelligence Professionals (SCIP), is principled and legal. It is surprising, though, what the law allows. For instance, it is not a crime to misrepresent yourself, says attorney R. Mark Halligan of Welsh & Katz. Use of a pretext - "I'm a...student, pollster, headhunter, market researcher, potential investor, journalist, customer, member of a user group" - violates no law. It is, however, a crime to falsely declare yourself to be someone in particular.

Here's an example of how CI works. Bernhardt ran a business out of Geneva that had some Big Pharma clients: "We had people collect information from human sources all day. We planned every project carefully, identified who the targets were, what we wanted from them. We had a methodology and people who were very good. So any target that talked to us was a sitting duck. We never lied. We never misrepresented ourselves. We never used false names. And we always told them who we were. But people like to talk about what they do, scientists and doctors in particular. It has nothing to do with their capability, intellect, or anything else. All the information we collected was from loyal employees who had no idea what they were giving us."

Murky Little World

How do CI professionals get "85 percent of Americans to cooperate and reveal information valuable to your firm," as CI guru John Nolan claims? They use elicitation techniques to subtly guide the conversation. Nolan's catalog of methods, by no means complete, includes: "provocative statements, disbelief, feigned naivete, criticism, encouraging snivelers and whiners to cry on our shoulders." He also makes the most of "the desire for recognition, tendencies toward one-upmanship, and natural tendencies to correct others when somebody makes a mistake."

Almost anyone can be a target. Robinson says, "Secretaries and new hires tend to be easy marks [because] the lower you are on the corporate totem pole, the more likely you are to talk to someone over the phone." Bernhardt says his firm "seldom targeted sales or marketing people because they're always suspicious. We'd go after scientists. Even people in finance. Bean counters. They know practically everything that's going on and hardly anyone ever talks to them."

McGonagle says, "The higher people are in the organization, the less they pay attention to being targeted." He attended a meeting of SCIP during which the chairman of Procter & Gamble talked about his company's reorganization then revealed unpublicized details about the shuffling of its CI unit. Everyone's jaw dropped, including the head of the man's CI unit sitting behind him. An acquaintance of McGonagle's leaned over and whispered, "John, does he know where he is?" McGonagle guesses that the chairman didn't understand that information common to him was sensitive to others.

Loose Lips

McGonagle, on the other hand, says pharma's "leaky channels are not R&D scientists and marketing managers but the people they deal with: third-party sales organizations that go out to doctors, HMOs, hospitals." Even confidentiality agreements, he says, "cannot stop people in contract research organizations from talking to each other." Friends, associates, and colleagues will sit around, he says, "at a meeting or bar and complain about what a pain in the neck Company A's clinical trials are compared to Company B's."

McGonagle says some pharma CI units are ruled by "codes of conduct that say if someone under an obligation of confidentiality starts revealing something clearly confidential, excuse yourself and leave the room." But information travels. "It goes to doctors and groups of people who have conditions potentially affected by the drug," he says. It gets posted on patient support group websites for all to see. McGonagle contends that companies with policies prohibiting the acquisition of intelligence from sources bound by confidentiality agreements "wind up harvesting the information anyway because it goes through so many hands that its confidentiality is destroyed."

Why do people talk? McGonagle says, "They don't think. They get flattered. And they want to help. They want to get the product through or approved or working right. They want to help the doctors, the hospital, their careers."

People are also often unaware of who they're talking to. McGonagle says, "People exchange information in environments where they're comfortable. Context makes people feel safe. Context makes them careless." For instance, people remote from the action may feel freer to talk. Bernhardt's staff would frequently call a far-flung office, say in Malaysia, to find out what was happening in Paris or New York.

CI isn't a matter of stealing secrets intact so much as projecting from limited facts. "If you had just one piece of a jigsaw puzzle," Bernhardt explains, "it would mean nothing to you, even if it was a picture of your wife or your dog." But that's what CI people do, he says: "They put puzzles together and they solve mysteries."

The Crown Jewel Defense

Pharma's "quandary," McGonagle says, is that "it's gone from not having to explain anything to actively talking to people - doctors, HMOs, interest groups - because they want to be cast in a good light." Mahoney agrees: "They want to excite the investment community by talking about their pipelines. They want to excite physicians about technologies working their way to market." But, he asks, "How do you not reveal too much too soon so that it can be used to your disadvantage?"

The first step is determining what needs to be safeguarded. Bernhardt believes it is important "to assess what it is you really need to protect. You can't protect everything, and you can't protect anything forever."

In general, the list will consist of confidential indicators of strategic intent, particularly time-sensitive plans. These may include customer lists, marketing plans, research results, intellectual property (patents, trademarks, copyrights, trade secrets), bidding strategies, M&A plans, profit margins, sales plans, recruiting strategies, new product introduction timetables, cost of sales, travel itineraries, negotiating strategies, labor costs, and software code.

But each company must compile its own roster. "You have to adopt what I call the crown jewel defense," Verna says. "Determine what's truly important to shareholders, to the company's reputation, what you don't want the outside world to know about: formulas, research directions, plans to build a new plant, a forthcoming public relations campaign." The process must be repeated periodically. "It's a dynamic situation," Verna says. "In six months, your PR campaign will be rolling out. You won't need to protect it anymore. You can redeploy assets to something more important."

Who decides what's important? Mahoney believes it shouldn't be one person: "Get the right group together - patent lawyers, senior marketing people, security, and others - to think about how to balance" various interests. Verna agrees: "You can't delegate it to an internal audit director or director of security. Those are control functions. This has to come from the top because it goes to the heart of the business. The CEO, COO, director of research, VP of marketing, VP of finance - that level. They need to understand business controls and counterintelligence and have a process in place, a very simple process where they get together and discuss business strategy - and a component of business strategy is identifying the crown jewels."

The next move is implementing what Michael Mineri, an attorney with Kroll Schiff & Associates, calls "the fundamental rule": Access to information should be strictly governed by the need to know. In practice, this means compartmentalization, parceling out different data, tasks, even project names to different teams. That way no single group knows enough to give it all away, wittingly or not. It also allows leaks to be traced to their source.

Cloak or Stagger

The final step is developing appropriate tactics or countermeasures. Top of the list is awareness training, making every employee conscious of what is sensitive so they can avoid revealing it. Further down is putting mechanisms in place to make it easier for them to do this: a screening center to shunt suspicious callers aside, a policy of asking vendors to sign confidentiality agreements, having brand managers "baby-sit" scientists at conferences so that they don't give away the store, scrubbing the company website so that job postings and press releases say no more than they must, having employees sign nondisclosure agreements, conducting exit interviews when workers leave, ensuring that publication and PR strategies complement counterintelligence requirements, and training employees (especially conference and trade show attendees) in the use of counterelicitation techniques.

Though Robinson calls for a full-blown information protection or cloaking program, the process itself is incremental. Seemingly small matters can amount to much. For example, Robinson says when he finds executive photos and bios on the web, it cuts his research time in half. The more he knows about a person - where they went to school, the associations they belong to - the better he can work them for information.

Given its importance, what are the prospects for counterintelligence in pharma? Bernhardt believes that the industry already understands competitive intelligence has a role. But counterintelligence is another story: "I'm not entirely certain that senior management understands the threats they're up against and what should be done to counter them."

Mahoney says defensive intelligence needn't be costly: "It's just changing priorities and making people pay attention." If you already have an offensive competitive intelligence function, he says, "you already have the skill sets and knowledge" to defend yourself.