In the first part of this article (http://www.infosecnews.com/opinion/2002/01/30_03.htm), we identified the potential threats that aim to put your company in financial ruin and discussed who the likely terrorists in economic warfare are.
Our examination will conclude by illustrating a ten-step process for preventing and foiling an attack on your trade secrets and overall information security.
First let’s remind ourselves of the definition of economic warfare. An attempt to illegally obtain, corrupt, alter, destroy, or falsify intangible assets of a corporate entity, including but not limited to trade secrets, financial data, or client information, so as to profit from its misfortune is malevolent corporate espionage.
Almost like something out of the movie, The Score, all these threats of human intelligence are getting more and more intricate thanks to technological advances. Professional surveillance equipment available to the public can make a spy out of just about anyone. Pinhole cameras and listening devices are just two of these. During a physical infiltration of a firm’s infrastructure, the spy could strategically place a number of apparatuses able to record private conversations and videotape office or plant activity.
Technology or no technology, cunning criminal or bumbling criminal, what can you do to protect yourself against these threats of corporate espionage? Security consultants specializing in economic warfare suggest a ten-step information protection program to secure proprietary intangibles and trade secrets:
1. Establish and enforce security policies regarding proprietary information.
Identify what intellectual property and related documentation needs to be classified. Determine what can be appropriately disclosed to the public or individual solicitors. How and when will such information be disseminated so that your company is exposed to the least amount of risk? Also, clearly limit and define what circumstances permit a release of information to unclassified individuals.
2. Identify who needs to know
Which of your employees, contractors, or joint venture partners need to know about proprietary assets and trade secrets to conduct business with you? You need to ask why they need this information and how it will be used. Sensitize these parties to your expectations of security awareness and the appropriate professional conduct in handling classified information. Include your policies in the employee handbook. The smaller the number of people who know about your most well-kept secrets, the less danger you will be in.
3. Secure the human element
Train employees to be vigilant of suspicious behavior in and around the office. Make sure they are aware of not only their own conduct but anyone else doing business with or for the firm. Awareness of personal responsibilities in safeguarding information is crucial. Employees at all levels can help to foil potential plots of economic warfare. Preventing the voluntary or involuntary release of information under a human being’s control is essential to making your protection program successful.
4. Create confidentiality agreements
Even if you think that your employees, contractors, and joint venture partners have a firm understanding of your information protection protocols, protect yourself in writing. Employees who are on good terms with you at the beginning may comply with your every rule, but once things go awry, they might change their minds. That is why you must prohibit former employees from talking with competitors or anyone else about your trade secrets through a binding contract. Your agreement should include what specific categories of information you deem confidential. If possible, also include the estimated monetary value of those assets so that you can make civil claims in a court of law if the agreement is breached. While you want to show your employees that you trust them, protecting yourself for the worst-case scenario is even more important.
4. Control the flow of documentation
Regulate and account for all photocopies of classified documents. Keep written records and logs regarding photocopy activity. Ensure that they are not stored in public areas where unclassified individuals have potential access. Make sure that supervisory managers know when employees plan on making new copies of these documents.
5. Keep a single depository
Your most sensitive information needs to be kept in a safe or locked file cabinet with only a few employees having access to the key or pass code. Keeping documents in one place tightly controls access in an organized and safe fashion. Also, make sure that the people who are allowed access to classified documents return them promptly after completing use of them.
6. Shred obsolete and unneeded classified documents
Just because something is thrown in the trash and is on its way to the dump doesn’t mean that an information thief can’t get his or her hands on it. Outdated or obsolete confidential documents need to be treated seriously. Shred or thoroughly destroy such information even if you feel that the document’s contents no longer need to be classified as secret.
7. Institute physical security measures
The presence of physical security barriers like locked offices, guards, combination locks, and plain-view video cameras is a great deterrent to information thieves, particularly insiders. Require your employees and visitors to have ID badges that indicate they are permitted to be in classified areas. Use access readers and biometric devices at entryways to read those badges and ensure their authenticity. Also, be aware of the proper disposal of trash and the threat of “dumpster divers.” This must be done even if you have effectively shredded all your unused proprietary documents.
8. Computer security
Make sure that your IT department installs firewalls and uses encryption keys. Only give out user names and passwords to cleared individuals. Have your employees report lost portable devices like company laptops and PDAs. Implement redundancies and offer electronic back-up systems, preferably off-site, for added protection. Also safeguard your software source code for databases and other electronic networks to make sure that hackers cannot overwrite it.
9. Update technology and data security protocols
If computer systems are not upgraded and slowly become obsolete, you are just making the job of information thieves all the easier. Make sure that access controls, authentication, and encryption are being handled by state-of-the-art technology to reduce your risk of intrusion and data misuse. Improvements to both hardware and software are necessary to help discourage economic warriors.
10. Create strong internal policies
Strong internal policies for intellectual property are integral to keeping you safe from information thieves. In addition to instituting an information protection program, also consider having third-party companies store your intellectual property for you as a means of added security. High-tech and low-tech solutions are both necessary to successfully deter perpetrators from targeting you as a victim of corporate espionage.
Jason B. Lee is chief investment officer of Lee & Co., an independent investment banking and private equity consulting firm based in Washington, DC. Lee specializes in two very unrelated areas of financial management: investment analysis and information security protection.