Our continued employment depends on safeguarding the intellectual property, sensitive information, and products that define our organization’s value. Threats can come from anywhere, from spies and competitors to overlooked vulnerabilities like discarded office trash, making strong policies, awareness, and imaginative training essential. Ultimately, we must foster a culture of shared vigilance, where every employee plays a crucial role in protecting what keeps the company and the nation secure.
What motivates us to keep coming to work? This isn’t intended as a joke. Instead, what keeps us employed is our protection of both our intellectual property and the products it creates. Otherwise, we who protect the secret and sensitive materials of our government organization or private company have no reason for being there. Consider.
Adversaries seek what we consider proprietary, secret, or corporate secure. From those seeking to be our partners in a joint venture to spies and corporate adversaries, people want what we have. This could encompass anything from our passwords and manufacturing plans to prototypes and test results. And don’t forget, this adversary would love to obtain our finished products to reverse engineer them. The list can go on, but we are the ones who protect all of this, so our company can continue to protect our nation. So, faced with such a daunting task, where do we begin?
Building the First Line of Defense: Policy and Access Controls
We establish policy. Who do we allow into our compound? By this, we mean both physical and electronic access. We establish entry controls. Then we address logistics regarding electronic devices during their visit. Entry into secure areas requires additional controls. Electronic ‘visits’ should have one single point of entry. Calls or emails from someone outside the company should be directed to your Public Affairs Officer, just as with physical visits.
Likewise, dealings with those who deliver your materials should be vetted. How did they become aware of your company’s mission? What materials did they read to learn about you? Are all publicly available documents about your company cleared for public release? Do you have a public release policy that you regularly communicate to all? How do you protect your computers? Who advises you on such protections? Are you aware of Federal requirements for the storage of classified information, either physically or electronically?
Threats Can Come From Anywhere — Even the Trash
If our company is a cutting-edge business, it could become a target. The threat is often from utterly unexpected places, however. For $250 per month, a janitor was bribed to collect the trash from executives’ offices in one headquarters and pass it to an enemy spy. The take was tremendous. Oh, you might think, these senior officials should have known better than to throw out classified or sensitive material in the trash.
Too often, in post-mortem assessments of such cases, investigators do not locate any classified documents. Instead, they find leaks in data such as employee information, software types used, and negotiation strategies. None of these plans was stamped classified at all. In the hands of a professional spy, provided to him by a simple janitor, a guide to who-knows-what, where something is located, who is being considered for lay-off, or what computer systems are most vulnerable has come via your boss’s trash can. Such dumps are a goldmine for spies. And none of it is classified.
Too often, security managers feel overwhelmed. There are so many ways to steal from us; how can we possibly anticipate them all? Rather than view this dilemma negatively, consider it the springboard to imaginative briefing requirements. Use security posters, provided by the Federal Government, and place them in elevators. Change them often to illustrate a new threat, which will help your staff understand the varied nature of the threats to their livelihood. We can do the same with computers. One agency published a new security reminder online every third day. It became the first thing every employee saw when they opened their laptop for the workday. No in-person briefing was ever the same.
Training With Purpose and Creativity
Remember. The goal of every briefing is to enlist all your employees to help you protect your company’s secure information. Take the time and courtesy to prepare a decent and imaginative briefing whenever you go overseas, have a conference, or welcome visitors. Cover important ground. Show how proprietary formulas and processes continue to be targeted. Cite real recent events (at the classified level, if necessary) or specific historical events that illustrate the points to be made. You’ll notice that other professionals can supplement all your protection strategies.
One NATO facility enlisted personnel from various counterintelligence offices to provide different perspectives on addressing similar activities. Additionally, consider reaching out to those who have created worthwhile, professionally produced security films or videos. One briefing began with a clip from a World War II film featuring Sherlock Holmes. Holmes spoke on protecting classified information! This two-minute ‘briefing’ was the talk of the offices for weeks; it was so prescient and clever. Reach out to those responsible for providing your government’s investigative capabilities and security assistance as well.
The FBI and the National Intellectual Property Rights Coordination Center are but two of them. We all need to work together. The time you take to do your security training right will result in more meaningful reports. More employees will come to you to say, ‘Something just doesn’t seem right.’ Such reports are the reason you give briefings.
