By James Pooley, author of Secrets: Managing Information Assets in the Age of Cyberespionage
The Great Sony Hack of 2014 exposed a scary truth: information is now the currency of the 21st Century, and cyberthieves are just acting like bank robbers, going where the data is. But hold that thought while considering another news story from this summer, the hacking of the Houston Astros' internal database, allegedly by St. Louis Cardinals employees. With cyberespionage infecting the Nation’s Pastime, we now can be sure that every company in every industry is vulnerable.
Trade secrets are not just about protecting inventions (although an increasing majority of research-based companies choose that method over patents), but cover just about any information you wouldn’t want the competition to know. In this sense, secrecy has always been important in the entertainment industry, where concepts, strategies, scripts and projects have long been protected by nondisclosure agreements. In fact, for this industry information is the primary asset base. But if you have the feeling that it’s become harder these days to keep a secret, well, you’re right.
In part this is about the breathtaking advances in computer technologies that not only have made business more productive (think communications, production and special effects), but have also made data theft easier, cheaper and harder to detect. And these same technologies, in the form of the Internet, smartphones and flash drives, are in the hands of employees who come and go more frequently and so have a diminishing sense of loyalty. More than that, many of them are dedicated members of the Facebook Generation, who have been trained by social media to share everything about themselves. When your employees spend their evenings engaged in frantic self-revelation to the world, how can you expect them to come in the next morning and behave with restrained discretion?
You can protect your information assets to a large extent with software tools that will detect a Sony-like hack from the outside, or unusual inside behavior like massive copying of files, usually giving you time to assess and contain the problem. But this is not just an IT issue, and it requires a more comprehensive management approach. Here are some suggestions to consider.
Know what you have. What kind of internal information do you want to keep confidential, and why? Identify, at least by category, the most valuable and vulnerable data. Then apply a risk management analysis that matches the threats against the value of the data and the cost of mitigation measures. Be sure to include a variety of management stakeholders in the process, not just IT. And don’t neglect some low-tech measures, like setting rules on what kind of information to keep out of emails.
Use smart technical tools. Accept today’s reality that the barbarians are already inside the gate. While protecting the perimeter of your information castle remains important, be sure to deploy some of the latest tools that analyze what’s going on with your database in real time and raise flags when there’s a problem, so you can implement your response plan.
Hire cautiously. Protecting the integrity of your information is not just about preventing loss. It’s also about avoiding contamination by confidential information that you don’t want. The most common sources are new employees and consultants, who often mistakenly think they’re doing you a favor by bringing over their best work from their previous employer. Make sure they know that’s unacceptable.
Establish clear policies and train regularly. Most information loss happens through carelessness. That means that the most cost-effective way to prevent it lies in training your workers. The process begins with setting clear and firm rules, including social media use and ownership. (Unless you specify otherwise, your employees can take their accounts with them when they leave.) This has to be reinforced with an education program that is professional, continuous and varied. The Facebook Generation can learn to keep secrets, but they have to be constantly reminded that it’s an existential issue for the company, so their jobs depend on it.
Watch out for the departing employee. When one of your most trusted and knowledgeable employees announces she’s leaving, you can feel the panic setting in. Without an enforceable noncompete agreement, you can still claim your trade secret rights, but you can’t stop her from taking her improved skill set to a competitor. To make sure your rights are respected, insist on a thorough exit interview, finding out information about her new job and getting the message across that you are serious about ensuring that your confidential information remains that way. Follow up with a warning letter to the new employer.
Manage your NDAs. Nondisclosure agreements have become so commonplace that many managers see them as forms, somewhere between inconsequential and annoying. In fact, they can expose your organization to serious liability if someone gets inappropriate access, or if information is leaked or used in the wrong way. And if you have entrusted your information to someone else, that trust has to be carefully managed to reduce the risk of inadvertent loss. The best approach is to centralize this function, and have one executive in charge of managing negotiation and tracking compliance.
Collaborate carefully. It’s a major paradox of the information economy that a company’s most valuable assets are supposed to be held as secrets, but at the same time it is expected to share them in a network of often shallow and fleeting collaborations with partners. Of course, partnering is nothing new for the entertainment industry, but today’s partners are often found in countries where the laws or culture don’t provide strong support for intellectual property rights. That puts a premium on self-help. Choose partners with care, specify security measures in the contract, include effective enforcement measures, and closely manage information cleanup when the deal is done.
Pay attention to governance. If your most important assets consist of information, then a primary task of management at the highest levels includes assuring its proper care and sensible exploitation. In the modern enterprise, information security has become a board level concern, with compliance programs fashioned to ensure awareness and engagement by executives. When your data systems are compromised – and it’s a question of when, not if – you can’t afford not to be ready with a thorough response plan. As recent experience shows, senior executives will be held accountable for failures to anticipate and prepare.
Silicon Valley lawyer James Pooley is the author of Secrets: Managing Information Assets in the Age of Cyberespionage. He provides international strategic and management advice in patent and trade secret matters, performs pre-litigation investigation and analysis, and consults on information security programs.
The Cynsiders column is a platform for industry leaders to reach out to colleagues, followers, and the public at large. In their own words and in targeted Q&As, columnists address breaking news, issues of the day, and the larger changes going on in the ever-evolving world of television, video and digital. Cynsiders columns live on Cynopsis’ main page and are promoted across all daily newsletters. We welcome readers’ comments, queries, and column ideas at RDawn (@) cynopsis.com