News
Patrick Keddy, SVP, Iron Mountain Europe: Accidental Espionage
September 2012 by Patrick Keddy, SVP, Iron Mountain Europe
Corporate espionage is a term that conjures up a world of high-tech gadgets, of intelligence agents in trench coats and of organised criminal gangs. A world far removed from every-day life at the office – or is it? In its simplest terms, corporate, or industrial, espionage is defined as the unethical or illegal gathering of information about an organisation. Companies today are engaged in an on-going war against malicious outsiders intent on accessing their information. Organisations invest heavily in IT to protect their assets, building a digital fortresses around their data. In 2011, for example, governments, industry and ordinary computer users worldwide spent an estimated £65 billion dealing with the external threat. A figure that is expected to double in five years. Yet, as defined, corporate espionage covers a broad range of activity, not all of it obviously criminal nor necessarily malicious. There are many kinds of information and many ways of obtaining it. With the responsibility of for information management falling so often into the remit of the IT departments, the money and the attention is directed at shoring up the IT systems. In consequence, companies often ignore the risk presented by paper and can lose sight of the serious threat posed, often without intention, by their employees.
A recent Iron Mountain study revealed that office workers often form their own opinion as to what they can and cannot do with their employers’ confidential and sensitive information. In the absence of a well-communicated policy, employees will develop their own rules to govern what is acceptable. The survey results regarding access to competitor information were particularly interesting.
Traditionally, consideration of the role the insider might play in corporate espionage has highlighted employees who take information out of a business, rather than those who bring information in. For example, Securelist has drawn up a list of ‘insider’ profiles to help companies recognise and understand the high-risk groups. This list includes: “the careless insider” – the most common type, defined as a non-managerial employee who leaks information unintentionally; “the naïve insider” – vulnerable to unscrupulous ‘market research’ or other confidence trick activity; and those who leak information maliciously, including “the saboteur” – often a disgruntled employee who feels passed over, and “the disloyal insider” – generally someone about to leave the company.
It is vital that corporate information management policies address each of these risk categories, but what, if anything, should they do about employees who bring confidential information in? The recent Iron Mountain study revealed that over half (53 per cent) of those surveyed – 50 per cent of those in the UK – would jump at the chance to share such information with their current employer.
The responses received suggest that many of these people would be surprised to find themselves accused of dishonourable behaviour. Furthermore, many would place the responsibility for the breach with the company careless enough to leave their confidential information accessible in the first place. The Iron Mountain survey asked office workers across Europe what they would do if they had the chance to discover confidential information about a rival company.
Our study, which included four European countries, uncovered some interesting national variations. Over two-thirds (69 per cent) of employees in France, for example, would seize the chance to discover confidential information, compared to 57 per cent for Spain, 50 per cent for the UK and just 33 per cent for Germany. Officer workers in Germany were also the most reluctant to share their unexpected insight, with just under a third (32 per cent) saying they would do so, compared to 51 per cent for the UK, 61 per cent for France and 63 per cent for Spain.
When compared against some of the other survey results, a very interesting pattern begins to emerge. The findings suggest a direct correlation between employee behaviour and the existence and communication of corporate guidelines. For example, respondents from Germany were by far the most likely to say it was always made clear when their own company information was confidential (67 per cent of employees, compared to 56 per cent for the UK and Spain and just 49 per cent for France), and an overwhelming 80 per cent said they were aware of company guidelines about what information could or could not be removed from the office, falling to 66 per cent for the UK and just over half of respondents in France and Spain (57 and 56 per cent.)
There is an important message here: measures put in place to protect sensitive and confidential information from leaking out of the company also appear to foster a code of conduct that employees apply to information belonging to other organisations.
The line between ethical/unethical behaviour is and will remain a blurred one. Curiosity is an innate human quality that at its best drives creativity and motivation. A fascination with competitor secrets can be a mark of people’s loyalty towards their own employer and interest in their industry sector. It can be difficult to avoid glancing at the slides someone who works for a rival firm is reviewing on the train; or to ignore a discussion between competitor employees in the queue for coffee at a conference. But most of us would draw the line at breaking and entering a company’s premises in order to deliberately remove or copy confidential information. Between these two extremes there is a very wide field of grey where people are led by their personal moral code. Good information management guidelines seem to help employees to define this code.
In other words, the most effective information management guidelines are not just those that physically protect information by controlling its storage, distribution, access, security and destruction; or even those that best educate employees in how information can inadvertently be revealed. They are those that encourage employees to feel a sense of pride in, personal ownership of, and responsibility for the company’s information.
