Financial Daily from THE HINDU group of publications Monday, May 21, 2001
Busting the info thieves
David Price on why, and how, proprietary information should be protected
THEFT by pretext is often used to obtain information that would otherwise be secure. It often takes the form of visits by people purporting to be journalists to interview an expert on a subject which is not directly related to the true object of interest. A pretext visitor may simply steal information once he/she has gained access to the premises, while an interviewer may introduce seemingly innocuous questions which probe the nature of the company's commercially sensitive information such as research or financial strengths and policies.
Alternatively, an ex-employee, or an ex-consultant, may discuss confidential information with old colleagues who are unaware that he has left the company. Consequently, when an employee's services are dispensed with, it is cleaner and safer that he or she go at once, with a financial settlement if necessary, to reduce the possibility of this type of fraudulent practice.
Moreover, once an employee has gone, it is important to inform other staff accordingly, as quickly as possible. They will find out soon enough in any case and, not only is it a security risk, it is also downright poor management communication to keep employees in the dark over something as fundamental as this. And employees generally do not like being kept in the dark; it makes them feel like mushrooms.
Theft by headhunting
This is another risk concealed by seemingly innocent approaches. The practice usually follows the same sort of line: a headhunter rings a senior figure, often at home in the evening or at the weekend, and suggests they meet to talk over a tempting offer from an anonymous company. The discussion inevitably covers a detailed description of the manager's current work, information which can often be extremely valuable to competitors.
Needless to say, the offer never materialises, nor does the manager ever discover the identity of the potential employer. Often, the headhunter vanishes without trace. This practice is quite common in high technology companies and those with a high degree of research and development activity, such as pharmaceuticals and electronics, but it is also by no means unknown among advertising and public relations consultancies and financial institutions.
Alternatively, of course, the headhunter's approach is genuine and may result in a highly tempting offer from a major competitor. There is no law against this and the only real defence is to make sure that your staff are happy, fully occupied and amply rewarded. Even with this set of factors, very few senior managers' egos do not respond to flattering approaches and it is prudent for the original employer to write the employment contract as tightly as possible if they want to make it difficult for the manager to go.
Some companies pay so well and reward career progress with such fulfilling offers that staff find it very difficult to go elsewhere without taking a drop in salary. Others, such as airlines, reward so well through perks like free air travel, that only another airline can afford to poach.
Information is a vital resource and must be protected commensurate with its importance. Apart from the obvious, it also includes raw data such as notes, printer ribbons, carbons, photocopies, and anything stored on computer disk, and may be classified as one or more of:
* Secret -- where the potential consequences of disclosure call for the highest level of protection;
* Proprietary -- where disclosure would be detrimental to the company's best interest; and
* Private -- where disclosure without authority would damage employee morale or administrative procedures.
Information required to establish the company's legal rights or for back-up purposes should be classified as vital together, if necessary, with its classification above.
For each category, the authority to classify, method of marking, determination and record of distribution, reproduction, transmission, filing, retention, protection, declassification, destruction, and action in case of loss or unauthorised disclosure, should be specifically nominated.
Additionally, general security operating practices are the heart of any organisation's day-to-day security and common principles can be laid down which apply to virtually all companies.
Confidential reports must be controlled by being clearly marked with their classification, covertly marked to identify any unauthorised copies, properly bound to prevent conventional photocopying, copyrighted by marking a © and the company name on each page, shrink wrapped after printing while awaiting collection to prevent unauthorised reading or copying, and returned to originators if unwanted. It is possible to print highly confidential reports on anti-copy paper, although the technology has some way to go before being foolproof and economical.
Circulation lists should be kept for future verification of unaccounted copies, and all reports should be recorded and catalogued by recipients' names with original copies periodically audited.
Mail is another area in which many companies do not operate strict enough security systems.
* Both incoming and outgoing mail needs to be verified and approved, although it is not necessary to examine all packages to deter theft and approaches from competitors.
* Sensitive outgoing mail should be approved by line managers and sealed and initialed before being sent.
* Non-sensitive packages should be sent unsealed and randomly examined in the mail room.
* Classified internal documents should be sent by courier to internal mail systems accompanied by receipts to be returned to senders. Unreturned receipts can then be queried within 24 hours to discover any irregularity.
* All incoming mail marked externally with warnings such as 'Private and confidential', 'addressee only' and so on should be passed to line managers for selective examination.
* Unmarked packages should be opened in the mail room by security staff and any suspicions by anyone at any time should be notified to security immediately. Letter and parcel bombs are sophisticated enough to cause considerable casualties.
* Internal mail distribution should avoid classified or sensitive mail being sent unsealed within the organisation.
* All mail room and courier staff must be subjected to pre-employment screening.
Photocopying is not always the boring clerical job that some might make it out to be. It gives unscrupulous staff and industrial moles the ideal opportunity to record and remove information. Consequently, classified information should never be sent for photocopying by internal mail but personally delivered and, if necessary, photocopied by the manager responsible. Each copy document should be clearly numbered and assigned to identified recipients with an instruction that no further copying must take place. Proper binding will help to prevent this.
Photocopying areas should be organised so that each machine is near a shredder -- all bad copies should be immediately shredded and all photocopying operators should sign agreements not to read documents.
In terms of other office practices, all microfilm and microfiche waste should be destroyed under the control of the responsible manager.
All employees should be required to lock away confidential materials and information in secure containers, all sensitive telephone calls should be made on scrambler units and employees warned of the possibilities of crossed lines and cautioned against talking about confidential issues on an open line. Encrypted lines should be used for tele-conferencing, video-conferencing and confidential fax. E-mail should also be secured by restricting access to the approved user and using encrypted, leased lines.
Finally, it is important that the practices allow for induction security training for all employees and regular refresher briefing as appropriate. Security message stickers for equipment in daily use such as phones and computers can also help to create a subliminal sense of responsibility without appearing too propagandist. Security staff should give presentations in-house from time to time to warn about travel procedures and advise on sensible security precautions.
(Concluded)
(Edited extracts from Fraudbusting. Book courtesy: The British Council Library, Chennai.)
Copyrights © 2001 The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.