We’ve become used to news reports of companies and government agencies being breached by anonymous foreign hackers. But most people were shocked to learn that employees of the St. Louis Cardinals baseball team allegedly compromised the secret database of the Houston Astros, gaining access to scouting reports, player assessments and game strategies. With industrial espionage affecting “America’s Pastime,” we have to pay attention! As it turns out, there are some good takeaways here for everyone who has to supervise employees in the modern enterprise.
First, this story is a great example of how much value there is in information itself. Research confirms what we suspect from looking at today’s businesses: increasingly, they rely on “intangible” assets like data analytics for their competitive advantage. The most common form of protection for those assets isn’t traditional intellectual property like patents or copyrights, but trade secrets. The main reason is that the law is incredibly broad, protecting not just famous formulas like Coca-Cola’s, but any secret information that you wouldn’t want the competition to know, including strategic plans, customer preferences and unannounced products.
Second, this increasingly crucial business asset has never been more vulnerable or exposed to more threats. In part, this is because of the Internet and other technologies like smartphones and USB thumb drives that make it easier to take data where it’s not supposed to go. In part, it’s also about global competition, which leads many companies to partner with outsiders on the development of new products, increasing the risk of exposure. But one thing that hasn’t changed with the arrival of these new challenges: the single greatest threat to information security has always been, and remains, the company employee.
That’s not to say that workers are being recruited as industrial spies. Deliberate espionage — despite the headlines — is relatively uncommon within private companies. But carelessness isn’t, and that is the way that most proprietary information is lost. This is why the supervisor plays such a key role in protecting today’s most important corporate property. Good management can make all the difference. Here are some suggestions for specific steps that you can take to improve your own performance in this critical area.
If you’re going to help the company protect its sensitive data, you have to be familiar with what it is and why it’s valuable. Of course, focus on what your own department deals with, but also learn what’s important in other parts of the enterprise. Leaks don’t always happen locally inside an organization. Also, keep in mind that it’s the company’s secrets that have to be protected, not the skills and general information that employees need to do their job. If you teach someone how to be a more efficient programmer or analyst or salesperson, they are entitled to put that knowledge in their personal “tool kit” and take it with them to their next job. In managing their work, you should show that you know the difference; it will help them to respect what belongs to the company.
Managing trade secrets is just ordinary risk management applied to a specific subject. To help prevent loss, you need to know what the threats are. In some industries that are mainly customer-facing, you may have concerns about the sort of cyberhacking that has hit Target, Home Depot, Anthem and JP Morgan. The same kind of external threat looms for companies that perform a lot of research in new technologies or therapies; in fact, even the results of failed experiments can be useful to a competitor, saving it time and risk in pursuing its own development. Most businesses meet these external risks with sophisticated software tools for detecting and reacting to IT system breaches. (Even with the best tools, however, you still need good management of the people who operate them and act on their output.) But no matter how much damage might be done by outside entities, a lot more can be caused by those working for the organization. This is the “insider threat” that security experts agree is the most common source of information loss. In plain terms, this means that we all make mistakes from time to time, but carelessness when handling secret data can have catastrophic consequences. That’s because trade secrets are like a gas in a container: once you open the lid and it gets out, you can’t put it back. So while with external threats you can (and often must) rely on breach detection as much as breach prevention, where human behavior is concerned, prevention is paramount. Operationally, this means that your impact on corporate security can be measured by how well you supervise the people in your area, keeping them aware and informed.
Some people have speculated that the Cardinals/Astros hack happened because a former Cardinals executive who joined the Astros set up the same passwords to get system access at the new job as he had used at the old one. Most of us can identify with the inconvenience of having to remember a lot of passwords, but we also know that changing your passwords frequently is just smart practice. This is only one example of the many IT-related practices that, when followed regularly, can dramatically reduce risks. But since those practices are implemented (or not) by the people who work for you, it’s up to you to make sure that they are doing their best.
The same idea — that people management matters most — requires that you pay special attention to how you follow up on the security training that staff receive. Time and again, training is shown to be the most cost-effective way to prevent data loss, because it raises awareness and reduces careless behavior. But that works only if you reinforce the messages that workers have received by periodically measuring their compliance and understanding, and by finding ways to weave information security into your feedback sessions and performance reviews. And on a daily basis, set the example on compliance with company information policies, for example by counseling staff who leave sensitive information open in their work area. Your active demonstration that you care about these policies can do more than any refresher seminar.
It’s not just the loss of the company’s own secrets that keeps executives awake at night; it’s also the risk that its information will become infected with unwanted data from the outside. Many recruits mistakenly believe that they are doing their new employer a favor by keeping records from their previous jobs. So you have to make it clear from the initial interview that the company respects the intellectual property rights of others, and that unauthorized introduction of someone else’s secret information — whether physically or from memory — can result in termination. This especially applies to consultants who often promote their value based on what they know about the competition.
Nondisclosure agreements, or NDAs, are common, but people don’t pay enough attention to managing their obligations. For example, if you have a meeting where some sensitive company information is shared orally, a written confirmation has to be sent within a certain number of days. Keeping records of who gets access to what information will also help you avoid problems. Most importantly, watch out for the requirement to return or destroy shared information at the end of a project, since even keeping it stuffed in a cabinet can get you in trouble.
Once you learn that someone intends to leave, the focus of your supervision has to shift. Have they been downloading an unusual number of documents? Are they meeting with other employees and possibly recruiting for their next employer? Be prepared for the exit interview, in order to (a) learn where they are going to work and what they will be doing and (b) impress upon them the seriousness of their obligations not to use or disclose any company secrets.