Protecting Information in Human Memory

Proprietary information exists in many forms, paper being one. Another huge category is electronic data, which includes data on hard drives, backup tapes, CDs and DVDs, and memory sticks — plus transmission data like local and satellite radio waves, network data packets and Internet data packets (including Voice over IP telephone data). One form that is very challenging from an information protection standpoint is human memory and its related form, conversational data transmission via air wave sound vibrations.

Generations of spy movies have dealt with eavesdropping themes. Literally, the “eaves drop” (an old form is also “eaves drip”) is a spot on which water drips from the eaves, which is the overhang at the lower edge of a roof. Originally, an eavesdropper is a person who stood on the eavesdrop in order to listen in on conversations inside a house.

Some security measures that commonly are used to protect information in human memory form are employment contracts, non-disclosure agreements and security awareness programs. However, stepping outside of the security, HR and Legal departments, one can find other organizational dynamics that can be highly effective in addressing some of the vulnerabilities that traditional measures do not fully address. The below answer to this column’s question is one example:

Q: How have the current economic conditions impacted your security risks and your security program?

A: A voluntary or involuntary departure of any technical, sales or marketing staff is always of concern, given that the information they hold would be of very high value to our competitors. If a disgruntled employee is involved, the vulnerability can be serious, as the employee can feel “justified” in taking actions that harm the company. If a reduction in workforce is mandated, the information risks can skyrocket.
Our company goes well beyond “enforcement” of contractual terms, which is a weak security stance. Of course IT actively monitors the use of USB drives and CD drives to identify copying policy violations, since blanket automatic restriction of copying for some positions conflicts with job requirements. But that does not cover what the employees have in their heads.

We are fortunate in that our senior executives are well known and highly thought of in our industry, and we have a company culture that results from the situation that our senior executives genuinely care about our people. That helps us bring valuable personnel into the company.

A tough situation is one that we currently face, where we have recently hired some top talent away from other jobs, and we now have to let them go due to board mandates for workforce reduction. Personal admiration and trust is what brought these individuals to our company. It would be bad business ethics as well as bad public relations to simply turn them out onto the street, having cost them their previous employment positions. The senior executives who brought them in would lose their trust — something that has been built over the years. The trust and standing of our senior people in the local community and in our industry is part of our corporate value, and is an asset to be protected.

The challenge is to comply with the current board mandate in such as way that we not only protect that asset (trust and confidence), but retain the ability to rehire the employee when circumstances improve, which they will sooner or later. I’ll explain how we address this security challenge strategically.

Our senior executives (marketing, engineering and sales) get on the telephone, and use their industry contacts to find new employment for our key people who will be let go. One security benefit is that by talking to the new employer, we can ensure that the new employer has terms in the employment contract that specifically cover not revealing information from our company. This is more proactive than most companies get, but that is a minor security measure. Helping the employees find a new job actually strengthens their trust and loyalty, and enhances our company reputation in spite of the negative circumstance. The strong personal and company loyalty engendered is the best security measure we have, as it is hard to consider any act against the people and company that are helping you.
Through this strategy to address the heightened risk, our security policy actually adds value to the company.

— Vice president,
high-tech manufacturer

New Question:
Q: Does your company have a security (or risk) council or committee that provides a means to develop and execute corporate security strategies such as the one above? If so, what is your role?

If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to me at [email protected] or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We don’t need to reveal your name or company name in the column. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.