What do Bradley Manning and Edward Snowden have in common?
Each of them was a trusted employee or consultant with access to confidential information that was considered dangerous to the United States if compromised or leaked.
Manning was a decorated soldier in the U.S. Army who was arrested in May 2010 in Iraq on suspicion of having passed classified materials to the website WikiLeaks. Snowden, a former defense contractor, blew the whistle on the National Security Agency’s massive domestic surveillance program.
I won’t judge what they did. Instead, I’ll discuss how small and large businesses are affected when their employees and consultants have access to potentially harmful confidential information.
If the information falls into the hands of unscrupulous competitors, a business could easily be undermined, hurt or devastated.
Are you at risk?
Consider the types of information that your employees or consultants have access to: customer lists, pricing, proprietary knowledge, operational knowledge, research and development information, strategic knowledge and gross profit margins. Also, some have access to a detailed analysis of your company’s strengths, weaknesses, opportunities and threats.
It isn’t unusual for a salesperson changing companies to raise the specter that he or she has access to the former employer’s customer list.
What should the new company do? It should reaffirm the corporate values and not accept the information.
The underlying issue is that any employees who leave a company, intentionally or unintentionally, take with them two types of information: public and private.
The manner in which they left their jobs will dictate how they use private information. If someone left on good terms, then they aren’t as likely to pass on private proprietary information to their new employers.
A person who left for questionable reasons is more willing to consider using proprietary information inappropriately. So what’s their new employer’s future risk? Remember that the most cited reason for leaving an employer is a bad boss. That’s another reason why supervisory training is essential.
This example played out in real life with Brett Favre and the fear that he would play for another NFC North team. Would his knowledge of the Packers’ offensive and defensive schemes give another team an advantage?
Another problem is confidential information, like customer lists, that are on employees’ devices such as mobile phones, laptop computers or tablets. Many employees blend their personal and business lives. When someone quits, he might ask for his laptop computer or phone as part of a severance agreement. You need to know what company information is on those devices.
How to protect your company
How can we protect our businesses from intentional and unintentional corporate espionage?
First, the company must establish values and principles that define appropriate behavior regarding confidential information such as personnel, technologies, customers and suppliers. Once values and policies have been established, management must support, review and enforce them.
Second, make sure the hiring process emphasizes how employees must handle confidential information. Determine the candidate’s ability to maintain confidentiality. How? By asking tough questions during the interview and doing thorough background checks.
After the employee is hired, continue training and explaining your policies and procedures regarding confidential information. The role of the CEO and senior management can’t be overstated.
The CEO, on a regular basis, should highlight unacceptable public behavior and emphasize that it won’t be tolerated. The Snowden/Manning incidents provide excellent examples that illustrate confidentiality expectations for all employees. At a minimum, these messages must come from the CEO at last once a year.
The best policies and procedures
To be effective, policies and procedures must:
- Reinforce acceptable behavior.
- Create a monitoring process to detect breaches in confidential information.
- Create an audit process to determine whether existing rules are being followed.
You must assess the nature of confidential information that is maintained and the potential for abuse. Both Snowden and Manning required technological tools and technological skills. You must understand the devices your employees are using, and how they can use them to access confidential information.
To ensure your computer systems are safeguarded, consider contracting with an IT security professional who can review the systems and tell you exactly where you need improvement. The review can include connectivity protocols, security levels, software detection tools, detachable drives and remote drives.
In addition to electronic access to your systems, you also must be aware of people who have physical access. The ability to take pictures of processes, documents and employees has changed dramatically. You must restrict access to your plant and offices.
Finally, it’s important to establish policies and procedures that address disposal of equipment like computers, tablets, hard disk drives and flash drives. Since we can’t see the digital information, it’s easy to discard hardware and not realize what we’re actually tossing out.
All businesses are at risk. Some are just more prepared than others.
Jim Lindell is the president of Thorsten Consulting Group Inc., a Wisconsin-based provider of strategic and financial consulting, professional speaking, training and executive coaching. He has worked with a variety of industries including manufacturing, health care, nonprofit, distribution and food processing and chairs two groups for TEC Wisconsin.
