Another way employees can leak confidential information is by using communication channels that are not monitored by their employer. Instant messaging, personal cell phones and Web-based e-mail, such as Hotmail, Gmail and Yahoo Mail, can be used to bypass the monitoring of corporate phone and e-mail accounts. Organizations should think twice about providing consumer-grade instant messaging programs on their systems. Because these programs do not log their communications and are not monitored by the employer, why would they be used? Most business professionals have cell phones, home phones and office phones with voice mail capabilities. In addition, they generally have at least one e-mail account. Why would they need to use instant messaging?
Another way employees can disseminate information is through the creation of blogs. A blog, or Web diary, can be created in a matter of minutes, requires no technical skill or training and costs nothing to create. An employee can easily post proprietary information on a blog simply as a lark, “Can you believe my company is about to do this…?” or as a means to get even for some real or imagined slight, “My company treats me like dirt, well I can’t believe it, after all I just developed this new…!” Posting the announcement of new products with associated pictures prior to the official release and announcement can cause havoc for a business.
While many security professionals will look for technical solutions to protect proprietary data, many significant sources of data loss have more to do with human nature than with technology.
As an example, one of the best brainstorming tools for an organization is a white board in a conference room. Diagramming business plans, expansion ideas and network topology can help visualize problems or challenges so that they can be easily resolved. And if something spectacular is developed on the white board, the most common method of keeping the idea from being destroyed is to simply write in big bold letters “Do Not Erase!!” The data leak in this scenario occurs when the white board faces a conference room wall that is glass from floor to ceiling. Anyone walking by can now see this information and will know it is important. Vendors, consultants, business associates and guests can easily collect the information from the white board by memorizing key points, quickly jotting notes or taking pictures with a cell phone. In my opinion, writing “Do Not Erase” equates to “Please Steal This Information.”
Another common source of data leakage is the media interview. While most business professionals will look on the media interview as a source of free advertising (unless they are being interviewed about a product failure or similar topic), they fail to recognize that good journalists are actually good investigators. Through training and experience, they have learned how to get right to the heart of a topic. And when being interviewed, people are inclined to be helpful and will offer up information voluntarily. This can lead to leaks about upcoming product launches, mergers and acquisitions, layoffs, etc.
Comments about confidential information can alert a competitor to a market segment they had overlooked, a new service offering they had missed or an opportunity to undermine a proposed merger or acquisition. Comments about poor performance, issues or challenges can cause panic among employees and investors.
Regardless of how intelligent the company representative may be, the journalist has more experience participating in interviews. It is important to remember that there is no such thing as “off the record.” An “off the record” comment can simply be attributed to an “unnamed source” or an “anonymous source.” And stating that certain topics are off limits does not mean that the journalist will not ask about those topics anyway.
Several years ago I had the good fortune to be interviewed by CNN. Prior to the interview, I stated that there was one topic I would not discuss. During the two-hour interview I was asked about the “forbidden” topic six times. And each time it was presented with a slightly different spin or angle. For this reason, it is recommended that whoever is designated as a media spokesperson undergo media training prior to an interview in order to understand the process and be prepared for tough questions.
Trade shows and conferences provide numerous opportunities for data leakage. Presenters will often include confidential information in their slides and handouts in an effort to appear knowledgeable and helpful. Sharing information that few others know gives one a sense of empowerment, “I know something you don’t know!” But it is also a way to provide an advantage to competitors.