Telling employees to be cautious outside the office isn't enough, however. They also need to know how to handle people calling the company to request information, because a little bit of data can easily be leveraged. In fact, well-known hacker Kevin Mitnick gained the majority of his information not by hacking into corporate computer systems online but by using something called "social engineering"-getting a receptionist to give him the name of an employee in a key department who was out of the office, for example, then dropping that name to others in the department to manipulate source codes and other trade secrets over the phone. Mitnick's exploits are estimated to have cost millions of dollars. At Motorola, for instance, he gained privileged information about the company's StarTac cell phone from an employee. In the end, no firewall is strong enough to stop someone who knows how to use your employees to gain access to information he or she wants.
Khan sees hiring competent people as the key to protecting privileged information at Ultimus and staying ahead of the competition. The 6-year-old company has 50 employees, six of them on-the-go salespeople. Khan relies on the trust factor, believing his employees understand the limits on free speech outside the company walls. "We depend on our employees to use common sense. We want professional people who know what should not be addressed in public," he says. The company doesn't restrict employees' use of technology outside the office. "We don't have a formal training program to say, 'You should not do this,' " Khan says. "I trust the sales guys to do the right thing. Otherwise, why would I have them here? I actually think they worry more about [leaks] than I do."
Chris Penttila is a Washington, DC-based freelance journalist who covers workplace issues on her blog, Workplacediva.blogspot.com.