Dark Experiment · 2025-12-08 · 6 min read

What bad actors know about your business that you don't

We spent two hours researching a mid-sized UK professional services firm using only public information. By the end, we knew their reporting structure, which senior employees were likely to leave, which clients were dissatisfied, their full tech stack, and when their main contract was up for renewal. The firm had no idea any of this was accessible. Here is the complete tour.

Where the data lives

LinkedIn: org structure, team sizes, growth areas, who joined recently and who's been there long enough to be quietly frustrated. Companies House: revenue trajectory, ownership changes, director appointments and resignations, charges against assets, filing delays that signal internal difficulty. Glassdoor: management quality, culture temperature, specific complaints about leadership. Job postings: your current tech stack, the technology you're replacing, the departments you're expanding or contracting. Press coverage: strategy commitments you've made publicly. None of this requires hacking. It requires a browser.

Documented exposure

What two hours revealed about one consenting client

With the firm's consent, we identified in two hours: their primary cloud provider (from a job ad), their CRM and data warehouse (from LinkedIn skills endorsement patterns), three employees actively signalling they wanted to leave (from activity and tone shifts), a product launch that had failed quietly (a job ad that disappeared six weeks after posting), and the name of their largest client (from a director's congratulatory post).

How it's being used

This intelligence feeds two categories of attack. The first is targeted phishing: the email that knows your CEO's name, your CFO's reporting line, your current IT initiative, and your primary vendor is not from a sophisticated threat actor — it's from someone who spent 90 minutes on LinkedIn last Tuesday. The second is social engineering: the caller who references your current projects, your recent hires, and your internal terminology is not an insider. They researched you publicly.

The asymmetry

An attacker spends two hours gathering intelligence. The resulting attack — a targeted phishing campaign, an impersonation call, a supplier fraud — can cause months of operational and reputational damage. The asymmetry is structural: you cannot prevent the information from being public without removing your organisation from the internet. What you can change is what that information unlocks — and whether your verification processes are robust enough that intelligence alone doesn't grant access.

The key insight

Assume they already have it

Treat public intelligence about your organisation as already collected by motivated attackers. The question is not how to prevent the research — it's what they can do with it, and what process changes reduce the impact of that intelligence being used against you. Start from 'they know all of this' and work backwards to 'so what do we change?'

What to do

Three things, in order. First: run the research on yourself. Spend two hours doing exactly what we described, but on your own organisation. Document the three most concerning findings and address at least one of them. Second: train your people to recognise when a caller or emailer is demonstrating implausible insider knowledge. Knowing your CRM name does not make someone trustworthy — it makes them a better-prepared attacker. Third: change your verification protocols. Knowledge of internal details is not identity. Any contact that opens by demonstrating inside knowledge should trigger more scrutiny, not less.

Quarterly action

The public footprint audit

Once per quarter, spend two hours researching your own organisation as a hostile actor would. What does LinkedIn reveal about your team's morale? What does your jobs page reveal about your technology choices? What does your press coverage commit you to? Document the three most concerning findings. Fix at least one. Repeat in 90 days.