Wednesday, November 24, 2010
A Mole in the Closet! Steps CEOs can take to protect their firms
‘MHA Mole sought Cash, Sex as Bribe’. It did not strike me as unusual when I saw this morning’s headline in the Times of India. The mole in the Ministry of Home Affairs, in a responsible position in the dept of internal security was alleged to have leaked information on the progress and methods to obtain security clearance in sensitive areas like telecom and mining, (mis)using his position to pass on favorable information to facilitate clearance of such applications. The reward was sex and money. Code words used were software for women, hardware for hotels & venues and laddu (an Indian sweet) for money.
But, obviously, this is not the only closet. Every corporate organisation has them. In fact, most employees may be tempted to get converted into moles through three primary ways. First, by exploiting their lack of security awareness to download malware on to their computers, second through sexual blackmail, exploitation of their need for a job or taking advantage of their disgruntlement and third by buying them using money or sex. These moles can have a damaging impact on business by leaking out crucial information such as business plans or product designs to competitors or even through deliberate sabotage. So do not find it unusual if you find out that a tender was lost due to a 5% price difference, or that a competitor launched a similar-looking product a few weeks earlier or that the organisation lost money because crucial billing records were deleted. Corporate espionage can also take place through the use of professional agencies which deploy spying devices through compromised house-cleaning staff and hackers this however is the subject of another blog post.
Employees who become moles have typically been in service for several years and have built personal equations & trust in the organisation. Moles are also likely to be employees who have access to information of damaging value to the corporate. Less that 10% of the employees may fall in these categories though they may vary in grade from the CEO down to the office boy who handles business proposal documents.
Detecting corporate espionage is extremely difficult. Bear in mind that we all like to work for organisations which trust their employees. However, there are a few key measures that can be put in place, as listed below:
Top Management should keep their eyes open: - Instances such as bids lost by thin margins or leaked product designs are early-warning signals that no top management should ignore. To pick up these signals, it is important that the top management accepts the fact that corporate espionage is a reality.
Know what information is valuable: - Identifying valuable information and employees that have access to it is the first step in executing a proper corporate anti-espionage policy.
Establish a policy and a corporate anti-espionage team: - A formal corporate anti-espionage policy, processes and team should be put in place to develop controls, implement and monitor as mitigation to these types of threats.
Regular background checks and peer surveillance is a vital ingredient in preventing corporate espionage:- Team workers are best able to detect early signs of corporate espionage, in the form of an individual’s change in emotional behavior, interest in matters which do not concern the employee, unusual browsing of files or even out-of-workplace signals such as gambling habits, excessive debt or even spending more money than would be expected. Most organisations conduct a background check during the joining process as a formality and do not repeat the process regularly. This compromises its sanctity since employees can get converted into moles only once they occupy positions of trust.
Technology may not be the solution:- Corporate espionage results in the exposure of unstructured data such as proposals, business plans, product designs and prices. Information of this nature is difficult to monitor electronically. Checks like monitoring emails, restricting access to portable media and technologies like DLP may help but they can all be subverted with the help of a simple mobile phone camera.
People remain our best defense: - Employees should be trained on the role they need to play in the defense against moles. Obviously the mole will attend your training program too. Money could be a key factor in motivating moles. Building loyalty and paying key employees well can go a long way in reducing the probability of their conversion.
Set up a Confidential Reporting Channel:-There should be a system for employees to report if they are propositioned, an attempt is made to coerce them or to report the suspicious behavior of fellow employees, akin to a Whistleblower policy. This should be backed up by clear processes to give employees the confidence that their reporting will be treated in the right manner.
Industry Feedback: - What the market place says about an employee may provide an early warning signal. Several times rumors float on an employee’s integrity or, as in the case of the MHA mole, a complaint was raised by a customer due to a demand for a bribe. There should be a system to receive, examine and act on these feedbacks in a prompt & effective manner.