Showing posts with label employee theft. Show all posts

The Hidden Risk Menacing Businesses


Often, we know the risks facing us. That piece of cake tempting you is full of calories, posing a risk to your weight. Those French fries put your cholesterol at risk. Even at work, we do, or should, recognize various risks – lights out in the parking garage, for example, put employees at risk when they leave after dark.


However, there are hidden threats that may never cross our minds and yet are no less dangerous or damaging.


The World Economic Forum has released its annual report on global risks. The report looks at various challenges facing society around the world. Some examples have been concerns about water shortages, famine, price collapse, weather, political instability and severe storms. For the last two years, the report has highlighted the threat of economic disparity leading to social unrest, or dystopia (as in the opposite of utopia).


It is not hard to imagine. There have been riots in countries like Greece, based on economic fears. Adding to the fuel are the constant media reports mentioning the “one-percent” or the wealthiest 1% of the world’s population.
Greek riots - news photo


Throughout history, revolutions have often been based on exactly that kind of wealth imbalance. The French Revolution of the 18th Century is a classic example. There comes a breaking point at which oppressed people have had enough and step up to throw off the yoke and change their governments. Even the American Revolution was sparked by higher taxes to pay for benefits of a government far away.


What does this mean for businesses? If employees feel like they are being left behind financially, with no raises or decreasing benefits, then there is the real risk of employee dissatisfaction and resentment, especially if the company is growing or profitable and is not rewarding employees. Various news articles have shown that recent corporate profits, as a percentage of GDP, have grown while wages have stagnated.


This translates into poor morale and a decrease in productivity, and even elevates the risk of internal theft by some. There is a maxim amongst loss prevention professionals that 10% of people will never steal, 10% will always try to steal and 80% can be swayed either way. Employees who are frustrated with their company are more likely to use that frustration as another way to justify dishonest behavior. That increases the risk that at least some of those employees in the 80% group will embezzle, cheat, steal or just chase away customers.
Aftermath of Greek riots - news photo


Depending on your business, there are lots of ways employees can sabotage you, whether intentionally or not. Poor customer service and poor quality control are some examples. Productivity may drop if employees no longer strive as hard. Employees who are not happy at work may even be more prone to ‘sweetheart’ deals and give away product, even to strangers, such as giving away coffee at convenience stores.


Business leaders need to pay attention to the potential unrest and make rewarding employees a top priority when the company is successful. If not, you could send a message as Marie Antoinette did when she famously declared, “Let them eat cake” when told her citizens had no food to eat. And we know how that ended – at the guillotine!

 

Eric Smith, CPP is the leading authority on organizational self-defense.  He has extensive experience in law enforcement as well as security management.  Eric is available for staff education and security awareness training as well as business coaching to help organizations provide safe workplaces.  To learn more email eric@businesskarate.com.

 

 

If you would like to reprint this post, please contact Eric at eric@businesskarate.com. 

Corporate Spies and Protecting Proprietary Information

Secret bank accounts in Swiss banks; foreign governments; selling of top secret information and the hint of international intrigue – all combined for what could be a Hollywood thriller, except that it is all based on recent news stories. 
The Wall Street Journal and Bloomberg business news reported on the developing story of corporate espionage at Renault, the French automaker.  Three of the company executives are being charged with corporate espionage after reportedly selling information on Renault’s electric car.  According to one article, Renault has invested over $5 billion in developing electric car technology.
So far, the details are sketchy about what exactly happened.  Reports indicate that a Chinese company may have made payments into the bank accounts of at least two of the executives.  And to add to the damages, the French government is the largest shareholder of Renault, making this more of a spy operation between two governments than two competitors looking for an edge.
What lessons can be learned?  And I know what you are thinking…my company doesn’t deal in high-tech products; no one would care about what we do.  Wrong.  Virtually every business and organization has information that, in the wrong hands, could impact their competitiveness or damage their corporate reputation.
Let’s take a look at another big news story this week.  In Arizona, there was the shooting that left 6 people dead and several, including a congresswoman, injured.  In the aftermath, three employees of the hospital where the victims were being treated were fired for unauthorized access to patient health information (PHI).  It does not appear that anything was actually released, but this is a clear example of another type of proprietary information.  The information may have been accessed out of sheer curiosity or it could be that some news agency might have been willing to pay for a ‘scoop’ on a patient’s condition.  This is a risk anytime a hospital has a VIP patient or even a deceased victim.  Think of all the media attention around Michael Jackson’s death and the money that might have been paid for exclusive photos of his body.
Here are two very different industries and two very real examples of proprietary information and the potential damages.
And what if your business or company provides a service or product that is seen as a commodity…there is no value in any company information at all, right?  In this type of case, your proprietary information may be even more valuable.  For a ‘commodity’, price may be one of your strongest competitive edges, especially when bidding for a contract renewal or for new business.  If you went into a sales presentation and knew exactly what your competitor was going to present and exactly what their price model was, wouldn’t you be able to adjust your bid to guarantee winning the business?  Along these lines, wage information, benefits to employees, training topics and costs, manufacturing techniques and vendor information can all become valuable items to know about competitors.
To prevent the loss of the information, a full risk assessment should be done.  Identifying all critical information is part of that, followed by identifying how that information is exposed and what threats can take advantage of the exposure. 
The easy way to look at risk is this: risk is what you face when a threat exploits a vulnerability to put a critical asset in jeopardy.
The real challenge comes with protecting information.  There are so many different ways to access and steal it, as we saw not long ago with the Wikileaks scandal.  The tricky part is that for the information to be of value, the employees of an organization have to have access to it.  The executives in the Renault case were responsible for upper level management positions, including heading up new product development.  This story will be worth watching to learn more about how the theft was uncovered, leading to a five-month long investigation.
In the case of the hospital in Arizona, it is very likely that the hospital’s IT department had some measures in place to see who was accessing electronic medical records.  Since this was a high-profile incident, I imagine that more attention was given to tracking access to any related victims.  As soon as any employee other than those that “needed to know” accessed the information, the IT department quickly checked on whose credentials or login had been used, in order to close that avenue of potential loss.
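The kind of access review described above can be sketched as a small script. This is an added example, not the hospital's actual tooling: the log format, the logins, the record IDs and the need-to-know lists are all constructed for illustration.

```python
import csv
from datetime import datetime

# Constructed sample audit log: timestamp, login, record id, action.
SAMPLE_LOG = """\
2024-01-09T08:02:11,dr_alvarez,P-1001,VIEW_CHART
2024-01-09T08:15:40,rn_chen,P-1001,VIEW_CHART
2024-01-09T09:30:05,clerk_hall,P-1001,VIEW_CHART
2024-01-09T09:31:47,clerk_hall,P-1001,PRINT_SUMMARY
2024-01-09T10:05:00,rn_chen,P-1002,VIEW_CHART
2024-01-09T10:12:33,tech_ito,P-2050,VIEW_CHART
corrupted line without enough fields
"""

# Hypothetical need-to-know lists for records under heightened monitoring.
NEED_TO_KNOW = {
    "P-1001": {"dr_alvarez", "rn_chen"},
    "P-1002": {"dr_alvarez"},
}


def flag_unauthorized(log_text, need_to_know):
    """Return (findings, rejected) for accesses to monitored records."""
    findings, rejected = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        try:
            ts, login, record, action = fields
            when = datetime.fromisoformat(ts)
        except ValueError:
            rejected.append(line)  # report unparseable entries, never drop them
            continue
        allowed = need_to_know.get(record)
        # Need-to-know is checked per record, not per employee.
        if allowed is None or login.lower() in allowed:
            continue
        hit = findings.setdefault(
            (login.lower(), record),
            {"first_seen": when, "count": 0, "actions": []})
        hit["first_seen"] = min(hit["first_seen"], when)
        hit["count"] += 1
        hit["actions"].append(action)
    return findings, rejected


if __name__ == "__main__":
    found, bad = flag_unauthorized(SAMPLE_LOG, NEED_TO_KNOW)
    for (login, record), hit in found.items():
        print(login, record, hit["first_seen"].isoformat(), hit["actions"])
    print("rejected lines:", bad)
```

Note that rn_chen is flagged for P-1002 despite being on the care team for P-1001, and the corrupted line is surfaced for follow-up rather than skipped.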
So what were those lessons learned?  Spy-proof your business with these four steps:
1.      Identify critical information – think about what your competitors would want to know about you and what you want to know about their business
2.     Review how that information could be vulnerable.  Look at how it is stored, both electronically and in hard copy.  Is it on a server or specific PC that could be stolen?  Could the data be emailed off your network?
3.     Evaluate the potential threats – usually, in these cases, employees.  Do key employees face regular background checks or screening?  Consider looking at credit issues as well.  Don’t assume that because an employee is higher in the organization that they are more trustworthy.  In the Renault case, the theft occurred at the executive level, not the mail room employee.  Think past criminal intent – employee carelessness with data or falling for social engineering (obtaining info by false pretenses) are other possible threats.
4.     Take action to minimize the risk from the threats.  This sounds obvious, but is probably the biggest mistake that companies make.  A nice risk or security assessment may be done and all the documentation completed, but no follow up action is taken.  It is not in the budget, or no one is given the responsibility or worse, no one cares enough until after an incident happens.
Remember, your proprietary information, no matter what form or what industry, will be of value to someone – the only question is whether it stays your valuable information or you give it to your competitors for free.

_____________________________________________________________
Read a follow up post, "License to Fool: Renault Spy Case Takes Another Twist"