Information protection as a tool for social status
Although American businesses lose an estimated $300 billion every year through failure to identify and protect critical information, virtually nobody outside the government pays any attention to OPSEC, which is the identification and protection of critical information. Even within the government many people do not understand the importance of protecting critical information. As OPSEC professional Layne Marino says in his popular talk on Marino’s 10 Laws of OPSEC, “You are the only one who cares about OPSEC, and you are delusional.” We are therefore always delighted when someone expresses an interest in protecting information, but sometimes amused by the reasons for the interest.
As an example, someone recently went to the person at their (very large) corporation who was responsible for assigning offices, and demanded a larger office. Putting aside issues of how best to get favors, they were told that their office was of an appropriate size for their position in the corporate food chain, and asked why they should have something larger. The answer was that they were in the M&A group, and that they, even more than most, has sensitive information that needed to be protected, which meant that they needed more space.
Now, in fact, it is true that people involved in mergers and acquisitions do have a lot of information that is sensitive, and perhaps even critical. This information would certainly qualify as insider information if used by its caretakers for their own profit, and which, if widely known, could influence the market price of both the company doing the acquiring and the company being acquired.
The argument would, however have been more convincing had the facilities manager not recently been in an elevator where the m&a type got on and, for 20 floors, discussed the acquisition of company Y by client X, the current price of each, and the estimated purchase price.
Now, as it happens, acting on information your hear while listening to people foolishly talk in an elevator, or in a bar, or in a restaurant, or at a party, or on the train, or at a conference, or anywhere else where there is no expectation or privacy, is neither insider trading nor economic espionage. And it is not an unreasonable guess that twenty people were privy to this confidential information, and that some of them discussed this information with others. And that one or more of the widening circle of the informed acted on the information for their own profit.
We frankly don’t know whether a larger office was obtained, but we are fairly sure the talkers were neither disciplined nor fired. This would have set a good example for others in this probably leaky corporation, but in a corporation with a corporate culture of disinterest in protecting critical information, the real defense against information loss is to be large enough not to mind the losses, rather than to stop the leaks.