Wander into any public space, and you're sure to see people taking care of business. Whether it's waiting for a flight, eating lunch or standing in line for a latte, employees are working on the run. It's a common sight in today's fast-paced business world, no matter where you are.
But are employees and CEOs alike aware of the dangers of divulging private company information in public spaces, especially in a burgeoning wireless culture that lets us work from anywhere with increasing ease? While technology makes employees more efficient, it also creates new ways for them-whether it's via a cell phone or over a laptop with print in screaming 20-point type-to unintentionally divulge sales figures, the details of a difficult client meeting or even product specs and trade secrets.
If you think that not being a Fortune 500 or Nasdaq company lets you off the hook, think again, says Naomi Fine, president of San Leandro, California-based Pro-Tec Data, which helps companies develop strategies for protecting their intellectual property. According to Fine, "The risk can be larger for small companies because one loose lip can sink the whole company."
Nondisclosure Is Not Enough
Businesses of all sizes and in all industries should have reason to worry because every company has information that differentiates it in the marketplace, that provides not only a competitive advantage, but other benefits, too. A company's internal knowledge can mean the difference in whether its products sell, whether it gets a reputation for being innovative and whether it gains respect. It can also impact the bottom line: A 1998 American Society for Industrial Security and PricewaterhouseCoopers joint study estimates companies suffered $45 billion in losses over a 17-month period as a result of privileged information leaving the company walls. The survey also concluded that companies see employees as the main threat to their proprietary information.
Privileged information is compromised every day while doing business. It's virtually unavoidable. To combat the potential damage, many companies require employees to sign "nondisclosure" agreements, or NDAs, which limit employees from disclosing to third parties information that isn't already in the public domain. But that falls short, especially when you factor in human nature and modern technology, according to intellectual property law expert Michael Epstein, a partner with New York City-based law firm Weil, Gotshal & Manges LLP. "A nondisclosure agreement isn't enough. You have to sit down and say, 'Here's how I want you to use technology in public places,' " he says. Plus, Fine says, while NDAs require employees to keep quiet, they often don't tell employees how to make it happen, such as explaining how they should conduct conversations or offering guidelines for the proper use of laptops and cell phones outside the office.
There are legal reasons to encourage employees to temper what they say. The only way for companies to establish intellectual property rights, or legal ownership of their ideas, is to show that people within take reasonable steps to protect their proprietary knowledge. If a competitor overhears your employees talking openly in detail about product specs and then uses your ideas in its own products, you may not have a legal case. Your competitor can argue that you weren't protecting your knowledge-it was freely revealed in the public domain.
Rashid Khan, CEO and president of Cary, North Carolina-based Internet firm Ultimus Inc., remembers a time when he and two co-workers had a meeting scheduled with a large client and were eating breakfast in a hotel the day of the meeting. A group of businesspeople came in and sat at a nearby table. Khan and his co-workers suddenly grew quiet to listen as the nearby group's conversation turned toward shop talk. "It was the sales manager and team from our main competitor," says Khan, 47. "They were in town to make a presentation to the same company that day." Within a few minutes, Khan's group was privy to the competitor's strategy.
Employees who fly the "nerd bird," any regular flight between San Jose and such high-tech hubs as Austin, are noticeably quieter these days. "Companies are actively telling employees not to do any work while they're on an airplane. It's just too easy for people to overhear and see things," Epstein says. "Companies have to be extraordinarily vigilant."
Rick Malone, CEO of Broomfield, Colorado-based Kiosk Information Systems, is one entre-preneur with concerns about information leaks. His 7-year-old company makes electronic public information kiosks for such clients as IBM and Disney, and Malone wants to protect his contracts as well as information about his clients' computer systems. The company did $7 million in sales in 1999 and projects between $12 million and $15 million in 2000. "Nondisclosure is critical in our business," says Malone, 43, who has made it clear to his 55 employees that he expects them to stay tight-lipped in public places and be careful about how they use technology. He's taking a twofold approach, talking to every employee about his expectations of proprietary privacy, then having them each sign a nondisclosure agreement that explains the information not to be discussed or displayed in public.
The problem is, it doesn't take much for people to start talking about what they do. For most of us, as soon as we relax, all bets are off. "A general conversation can quickly become specific to a company and its clients, especially if someone knows how to steer a conversation," says Seena Sharp, a Hermosa Beach, California, competitive intelligence expert and president of Sharp Market Intelligence, a market research company.
Malone recalls one incident where a client called him with concerns that a Kiosk Information Systems salesperson might have been unintentionally leaking too much information in public. Malone explained the situation to the employee. "It was inadvertent on the employee's part. It's really easy for salespeople to lose awareness of confidential information when they deal with it every day," he says, adding that his sales employees took note of it and adjusted their habits.
Telling employees to be cautious outside the office isn't enough, however. They also need to know how to handle people calling the company to request information, because a little bit of data can easily be leveraged. In fact, well-known hacker Kevin Mitnick gained the majority of his information not by hacking into corporate computer systems online but by using something called "social engineering"-getting a receptionist to give him the name of an employee in a key department who was out of the office, for example, then dropping that name to others in the department to manipulate source codes and other trade secrets over the phone. Mitnick's exploits are estimated to have cost millions of dollars. At Motorola, for instance, he gained privileged information about the company's StarTac cell phone from an employee. In the end, no firewall is strong enough to stop someone who knows how to use your employees to gain access to information he or she wants.
Khan sees hiring competent people as the key to protecting privileged information at Ultimus and staying ahead of the competition. The 6-year-old company has 50 employees, six of them on-the-go salespeople. Khan relies on the trust factor, believing his employees understand the limits on free speech outside the company walls. "We depend on our employees to use common sense. We want professional people who know what should not be addressed in public," he says. The company doesn't restrict employees' use of technology outside the office. "We don't have a formal training program to say, 'You should not do this,' " Khan says. "I trust the sales guys to do the right thing. Otherwise, why would I have them here? I actually think they worry more about [leaks] than I do."
But relying on your employees' common sense is risky business. According to experts, to protect your company's private information, you should create a written policy that outlines what you're protecting and describes what you expect from employees when it comes to communication. Here are some other tips:
Educate and communicate. It all comes down to employee training. Explain to employees the boundaries on conversations in public spaces. If they use laptops, let them know what types of documents shouldn't be accessed outside the office. Communicate regularly with employees about the importance of protecting company information, and, more important, let them know what exactly needs to be kept confidential. Make it a part of day-to-day business. If you're in a sensitive meeting, let the people in the room know that the information shouldn't leave the room.
Do some role-playing. Pair employees up and present them with various situations, such as sitting in an airplane or a restaurant, and ask them to have a work-related conversation about a project, meeting or client while you listen in. This will give you an idea of what they're saying out in the field and will help clue them in to how easy it is to leak information.
Know how to direct callers. Employees should know how to handle callers requesting any type of proprietary information. Develop a strategy. Teaching an employee to say something as simple as "I'll have to have him get back to you about that" might just save your company from a devastating loss.
Cambridge, Massachusetts-based competitive intelligence firm Fuld
& Co. Inc., this site offers strategies and tools for
protecting data, links to other competitive intelligence Web sites,
a "Rate Your Own Security" test and more.|
www.scip.org: The Web site of The Society of Competitive Intelligence Professionals, an Alexandria, Virginia-based organization dedicated to corporate competitive intelligence, offers articles, security tips, conferences, and a database of experts and local chapters.
- Kiosk Information Systems, (303) 466-5471, www.kis-kiosk.com
- Pro-Tec Data, email@example.com, www.pro-tecdata.com
- Sharp Market Intelligence, (310) 379-5179, www.sharpmarketintel.com
- Ultimus Inc., firstname.lastname@example.org, www.workflowzone.com
- Weil, Gotshal & Manges LLP, (212) 310-8432, email@example.com