Active versus passive adversaries
While active adversaries – folks actively trying to get information from you – should be an obvious source of concern, we are sometimes even less aware of passive (or sometimes inadvertent) adversaries. While an active adversary may well try to suborn someone to get information, often this is not necessary, as there may well be someone willing to give away the information with no understanding or knowledge that they are doing anything wrong.
In some cases this is our fault for giving someone the information. A prime example of this would be discussing sensitive matters in front of our family. It is not reasonable to expect much discretion from children, who may well repeat things they have heard. If we don’t understand “need-to-know” restrictions, it is unreasonable for us to expect our families to understand.
In other cases it is our fault for not identifying sensitive information, and for not providing the education and training to our employees to know what they may or may not discuss. An excellent example of this was found in our article The P&G/Unilever Caper in the August 2001 e-Journal.
As with children, if we have not identified information that is sensitive, and that should not be discussed, it is not reasonable to expect that employees will be able to mysteriously discern was is or is not sensitive, or what may or may not be discussed outside the company. This is particularly true when dealing with situations in which people have been given license to talk. As an example, marketing people make their living by giving people information. Along the same lines, if someone is sent to speak at a conference – or even to attend a conference – it is reasonable to assume that they will exchange information with peers and conference participants. If no limits have been placed on what may be discussed, then they will quite reasonably feel free to discuss everything.
The bottom line is that without identification of critical information, employees cannot know what they are permitted to reveal and not reveal. In the average American company, roughly seventy percent of the assets are in intellectual property, yet most companies have no current and ongoing audits of this intellectual property. Clearly, if the company is unaware of what it has and where it is stored, it is available to anyone and everyone. Employees cannot be expected to protect what the company has not chosen to shield.
You can do something about both passive and active adversaries, but not until you have taken the first step and identified critical information.