Accidental espionage

 from SC Magazine, UK, Secure Business Intelligence;  Patrick Keddy  August 15, 2012

Corporate espionage is a term that conjures up a world of high-tech gadgets, intelligence agents in trench coats and organised criminal gangs.

This is a world far removed from everyday life at the office – or is it? Companies today are spending an estimated £65 billion dealing with an on-going war against malicious outsiders, intent on accessing their information.

However, corporate espionage covers a broad range of activity, not all of it obviously criminal or malicious and there are many kinds of information and many ways of obtaining it. With money and attention being directed at shoring up IT systems, companies often ignore the risk presented by paper and can lose sight of the serious threat posed, often without intention, by their employees.

A recent Iron Mountain study revealed that office workers often form their own opinion as to what they can and cannot do with their employers’ confidential and sensitive information. It found that one in three (32 per cent) employees were found to have taken or forwarded confidential information out of the office.

However it is when people change jobs that highly sensitive information is particularly vulnerable. More than half of European office workers who take information from their current employer when they switch jobs opt for confidential customer or client databases, despite data protection laws forbidding them to do so. Employees were found to leave armed with a range of information, including presentations, company proposals, strategic plans and product/service roadmaps.

Traditionally, consideration of the role the insider might play in corporate espionage has highlighted employees who take information out of a business. Securelist has drawn up a list of ‘insider’ profiles to help companies recognise and understand high-risk groups.

This includes:

• ‘The careless insider’ –defined as a non-managerial employee who leaks information unintentionally

• ‘The naïve insider’ – vulnerable to unscrupulous ‘market research’ or other confidence trick activity and those who leak information maliciously

• ‘The saboteur’ – often a disgruntled employee who feels passed over

• ‘The disloyal insider’ – generally someone about to leave the company.

It is vital that corporate information management policies address these risk categories, but what, if anything, should they do about employees who bring confidential information in? The recent Iron Mountain study revealed that over half (53 per cent) of those surveyed would jump at the chance to share such information with their current employer.

The survey also asked office workers across Europe what they would do if they had the chance to discover confidential information about a rival company, and uncovered some interesting national variations. Over two-thirds (69 per cent) of employees in France would seize the chance to discover confidential information, compared with 57 per cent for Spain, 50 per cent for the UK and just 33 per cent for Germany.

Office workers in Germany were also the most reluctant to share their insight, with just under a third (32 per cent) saying they would do so, compared with 51 per cent for the UK, 61 per cent for France and 63 per cent for Spain.

When compared against some of the other survey results, an interesting pattern emerges. The findings suggest a direct correlation between employee behaviour and the existence and communication of corporate guidelines.

For example, respondents from Germany were the most likely to say it was always made clear when their own company information was confidential (67 per cent of employees, compared with 56 per cent for the UK and Spain and just 49 per cent for France), and 80 per cent said they were aware of company guidelines about what information could or could not be removed from the office, falling to 66 per cent for the UK and just over half of respondents in France and Spain (57 and 56 per cent respectively.)

The message? Measures put in place to protect confidential information from leaking out of the company also appear to foster a code of conduct that employees apply to information belonging to other organisations.

The line between ethical/unethical behaviour will remain a blurred one. A fascination with competitor secrets can be a mark of people’s loyalty towards their own employer and interest in their industry sector. It can be difficult to avoid glancing at the slides someone who works for a rival firm is reviewing on the train, or to ignore a discussion between competitor employees in the queue for coffee at a conference.

Yet most of us would draw the line at breaking and entering a company’s premises to deliberately remove or copy confidential information. Between these two extremes there is a grey area where people are led by their personal moral code.

In other words, the most effective information management guidelines are not just those that protect information by controlling its storage, distribution, access, security and destruction; or even those that best educate employees in how information can inadvertently be revealed.

They are those that encourage employees to feel a sense of pride in, personal ownership of, and responsibility for the company’s information.