Keep Spies out of Your Company
At Tandem, employees have the freedom to tinker and invent, to define the cutting edge in an industry perpetually at the cutting edge, and to help structure the philosophy under which the company operates. A sales and marketing force that moves speedily and deftly among purchasing agents and boardroom barons alike supports the fruits of Tandem employees' inventions. In all, it's a combination that by 1986 made Cupertino, California-based Tandem the world leader in fault-tolerant online transaction processing (OLTP) systems.
The Tandem culture of freedom and open communications was instrumental in attracting the best talent and perching Tandem on top of the world market in fault-tolerant OLTP systems. This culture, however, easily could have become the company's road to oblivion. Employees, drifting unguarded through the currents of their respective professional and social groups, openly discussed and published information on new products and concepts. Visitors and vendors, moving virtually at will through company facilities, could observe sensitive company activities and documents, and talk freely with unsuspecting workers. All of this openness resulted in potentially fatal losses of trade secrets and other proprietary information to actual and would-be competitors.
Michael John, Tandem's manager of corporate security, aptly described the situation as "the dark side of an open culture." It was a case of a company's communicating "too much and too well, with little or no awareness of how vital the company's proprietary information was to its future well-being," says John.
Tandem's chief competitor, Digital Equipment Corp., was even so bold as to open offices directly across the street from Tandem's headquarters. In fact, Digital employees, fed up with their own cafeteria's cuisine, simply ambled across the street, followed Tandem employees through the door and had their meals at Tandem's cafeteria for R&D employees. Infiltration? Here was the enemy, sitting amidst a profusion of conversation on the newest products and ideas coming out of R&D. Digital's hungry snoops, along with spies from throughout the arch-predator-ridden Silicon Valley and well beyond (Japan, South Korea, France and the former U.S.S.R.), practically came and went as they pleased. Shockingly, Tandem required no ID badges. There were no check-in or checkout procedures of any kind.
To the superb but otherwise beleaguered HR department, it was roughly equivalent to being cops in New York City without having guns. With engineering talent at such a premium, such open access resulted in continuous raids of the company's best and brightest. All that the competitors and headhunters needed to do was call the company (or even drop in) and get the names they wanted from almost anyone they happened to stumble into—no questions asked, no ruses necessary. Names are a valuable company asset, but Tandem management treasures trust and the unconstrained flow of information even more.
For HR in particular, a steady stream of bogus job candidates and the ongoing telephone calls from so-called researchers, analysts and students compounded this quiet chaos. There were people seeking out Ms. So-and-so, the hardware-systems engineer. They could identify the engineer by the organization name tag, which all employees wear at trade shows, seminars and other public events. Perhaps it was a call for the group manager of Project X, a new computer-networking service that Tandem had discussed openly on its in-house TV network, which is broadcast worldwide.
Into this vortex walked Naomi Fine of Oakland-based Pro-Tec Data, a consulting firm that helps companies protect their confidential information. Working hand in hand with John, Fine's mission was to help redefine and restructure the company culture.
The critical task centered on developing and implementing a comprehensive information-security program. The program, however, couldn't seriously impair the enlightenment and creativity that would be as important to Tandem's revival as they were to the firm's breathless mid-'80s ascent. The eventual success of the program would be attributable in no small part to the perseverance and commitment of Tandem's human resources department. Today this department represents the first line of defense against competitive spying.
Thousands of companies employ business spies.
The Tandem case is a prime example of the danger of inadequately protecting a company's proprietary information and its people—its most priceless assets. Take careful note: The risk of losing your business secrets, and the investment they represent, is greater today than ever. It happens across the entire spectrum of U.S. industry.
Take, for example, the pharmaceutical, chemical and food-products industries. These industries historically have been principal targets in the domestic and international commercial-spy game. These industries are especially vulnerable during this era of increasing global competition, shorter product cycles, thinning profit margins and, sadly, ever-declining employee loyalties.
The rising motivation for spies to seek out your company's most sensitive information (a frequent component of which is uncovering and pursuing your most knowledgeable employees) is also directly proportional to the rise of a new and rapidly growing strain of business spying called competitive intelligence (CI). This doesn't exclude the trench-coat-and-fedora crowd. Companies can still find them occasionally rummaging through Dumpsters™, planting electronic eavesdropping devices and passing cash in envelopes.
However, the explosion of available information and technology—and a new order of business sleuths trained to exploit it—have pushed the boundaries of corporate snooping well beyond the murkiness of industrial espionage. To this new corporate spy—the competitive-intelligence operative—bugging, bribery, theft and other illegal activities are strictly taboo and—as you will see—quite unnecessary.
Your firm might have a competitive-intelligence department already in place or a related function within marketing or corporate planning. If your company isn't familiar with competitive intelligence, you should know that thousands of other companies—from American Express and Eastman Kodak to Colgate Palmolive and American Cyanamid—use it in one form or another.
Some U.S. corporations even invest millions of dollars in CI. On the one hand, this presents big-league competition at last for some of the corporate giants of Asia and Western Europe, many of which have been engaging unfettered in worldwide intelligence activities for more than 30 years. On the other hand, it can be big-league trouble for unprepared domestic competitors. Moreover, companies now have the option of employing one of many competitive-intelligence consulting firms. These firms are sprouting up while the CIA and various military intelligence services are shrinking.
HR departments are the target of competitive-intelligence operatives.
HR departments are especially vulnerable to intelligence-gathering activities. First, they're frequently the main point of entry into the organization for CI operatives seeking information in other areas of the organization. Second, human resources departments deal with information that can provide valuable insight to a competitor (compensation plans, closing or relocating facilities, expansion plans, reassignments, executive promotions and more).
Competitive-intelligence operatives strike HR departments in many ways. The most common include:
- Calling on the telephone: HR professionals know that there are few substitutes for skillful interviewing, but they're no match for the well-trained and experienced CI telephone interviewer. These individuals are capable of persuading even the most security-conscious employees to discuss matters that they probably shouldn't. Telephone interviewing almost always is the best way to obtain the most practical, up-to-date information on competitive activities. Therefore, protecting the company from these intrusions is perhaps the single most important factor in safeguarding your company's proprietary information.
- Reading your help-wanted ads and other recruiting material: CI operatives pay close attention to help-wanted ads, job postings (where accessible) and job announcements. They attend recruiting functions, too, and may try to cozy up to the employment agencies or search firms you may be using.
- Posing as job applicants: A possible next step for the competitive-intelligence operative (or a co-worker or accomplice that has qualifications more closely suited to the needs of the targeted company) is to arrange an employment interview, either by phone or in person. The interview process, as far as it goes, then becomes an opportunity to learn as much as possible about the company. This is a lesson Tandem learned, to its regret. Although this is an unethical practice, be prepared, because it's happening with increasing frequency.
- Posing as vendor employees: Human resources rarely recognizes vendor employees for the potential security risk they represent. Such operatives are more common than you think. For example, one CI operative approached a janitor working at a competitor's facility and offered to pay the janitor for separating the trash in a sensitive area and handing it over to him. The janitor refused. The reason? Another competitor already had hired him to do the same job.
- Finding the disgruntled or troubled employee: If the competitive-intelligence operative is able to obtain proprietary company information from an insider, it most likely will be the result of the insider's carelessness or lack of knowledge about security risks. But inevitably, there will be intentional disclosures of information by employees, the result of numerous negative motivations. Either way, the outcome can be disastrous.
Adding to this danger is CI operatives' common practice of being deceptive about their identities and the purpose of their calls. The job seeker could, of course, be phony. There will be callers who are conducting a study or doing some form of research, and identify themselves as market researchers, industry analysts or students. These identities may not be untruthful. For example, many competitive-intelligence operatives are or have been market researchers. These individuals often use such disguises to prevent their being immediately identified as a competitor's employee.
Also note that your job announcements, which you may have designed to attract top candidates, may have a little too much glamour in them. For instance, a want ad highlighting sales growth (or financial data), new technologies, other growth plans and so forth ultimately may be telling your competitors more than they should know.
HR professionals can't afford to overlook janitors, maintenance workers and related service personnel. These people often aren't well-paid and may not be well-treated. They may have no particular loyalty to you nor to the organization for which they work. These individuals also are impersonated easily.
A well-popularized espionage tactic is to find and then run internal sources, continually analyzing them for the reliability of the information they provide as time passes. Frequently, this involves bribery, blackmail and other illegal activities. The great majority of competitive-intelligence operatives never would consider such tactics. Nonetheless, CI operatives wonder what motivates certain sources, because these motivations might be central to the type of information they seek and its reliability. They, too, have an interest in knowing whether the motivations arise from revenge, money, getting information in return, or whether it's just a case of someone who enjoys chatting.
The persistent weakness of the economy, scarcer resources, continuing fallout from merger-and-acquisition activities and many other related factors continue to diminish employee loyalties and the general moral climate governing business. Concurrently, the dangers of the disgruntled or disloyal employee—and the likelihood of his or her exploitation by both the competitive-intelligence and the espionage factions—loom larger than ever. Because the HR department is a cross-functional entity, it's positioned well to play a major role in preventing competitors' taking advantage of unhappy employees. HR's role, however, goes farther than just keeping CI operatives and other espionage agents physically at bay.
What human resources does in large part will reflect the company's toughness and resolve in matters of information security. The image that HR conveys as the firm's window to both its own employees and the outside world, therefore, also is important. It's an ongoing role, beginning each time a prospective employee walks through the company's doors—whether to review job postings or for an interview—or when a person signs the confidentiality and noncompetition agreements upon hiring.
HR's role carries all the way through to the termination interview. During the intervening time, the HR function has a diversity of forums that dispense security-related information and guidance to employees at all levels of the organization. These include:
- Training and development programs
- Employee performance reviews and promotions
- Meetings that provide employees with information or updates on such issues as benefits, health and safety, and government regulations
- Employee counseling sessions and other special programs.
HR can contribute to an information-security program.
A successful companywide information-security program requires that many different factors work together. According to Fine, the Tandem program worked because it started with a comprehensive plan.
"We began by listening to the perspectives of each of the senior executives. Gaining their support was the first essential ingredient in [the program's] success," says Fine. "Our major goal was having all these executives champion the cause within their functional areas and serve as role models for all employees. This would bring about everyone's participation, which would facilitate cross-departmental cooperation and ensure that the necessary resources were available. Just a written order handed down from top management never would have gotten the job done."
A second essential ingredient for Tandem was that the company developed and carried out the program from the bottom up. "In other words, it was a program by and for the employees, designed to meet each department's special information needs," adds Fine.
With human resources playing a pivotal role in the overall information-security process, here are the key steps a human resources department can take to lead the way in developing its information-security program:
Create awareness: Employee awareness and education are at the core of any information-security program. From the moment that people begin their employment and regularly thereafter, human resources professionals need to remind employees that protecting company secrets is important to the success of their company. As the company grows and prospers, so will they.
Tighten telephone security: Most HR managers surveyed for this article cite the experience of their staffs as being most effective in successfully screening telephone inquiries. However capable you feel your department is in fielding phone calls, it certainly won't hurt to make the entire HR staff—including temporary personnel—aware of the more-specific dangers involved. Here's what HR professionals should know:
- Whenever any question arises about a given caller and the information being sought, ask the caller to provide further information in writing. This should be done by mail or brought in as part of a scheduled meeting. This will prevent the temptation to discuss wider-ranging matters with prospective applicants—information that can go beyond the scope of the given position.
- Never refer callers to the specific functional areas of the company to which the callers direct their questions. In so doing, you may be sending them right to the source of the information they're looking for and to people who may be less security-conscious than you. The best approach is to direct the person to the company's corporate relations office or another area that serves as an information clearinghouse.
- Train personnel in defensive telephone techniques. Practice in advance. For instance, call your employees, posing as an inquisitive competitor (or an investigative journalist, another potentially dangerous intruder). This helps employees learn to deal firmly and quickly with unfamiliar callers.
Watch what you say when soliciting job candidates: Any information about the company's current standing or future direction, financial or otherwise, should be left out of all employment ads and other solicitations. There are many other ways of using words and images to interest qualified applicants. This rule applies equally to:
- The information you give to an employment agency or anyone else who is involved in your hiring work
- What your representatives say at job fairs or at any recruiting function.
These all are targets for competitive-intelligence operatives, many of whom are highly skilled in mingling, listening and asking.
Weed out bogus job candidates: A preliminary interview conducted by an experienced interviewer, in addition to doing a thorough job of the basic checking procedures, should eliminate the impostor quickly. An experienced industrial-espionage agent might be able to pull off a full-blown deception through the hiring process, but these are rare cases. In contrast, the average competitive-intelligence operative is an amateur when it comes to this kind of undercover activity and can be detected easily.
In addition, be careful about having the applicant interview too early with the hiring manager. The manager may not be a trained interviewer or be tuned into the tactics of the intelligence gatherer. These interviews can focus easily on current projects, mutual interests and general shop talk—the stuff of which intelligence is made.
Add more punch to confidentiality agreements: The real value of nondisclosure agreements is not so much their legal power but their ability to create the right image. This includes making certain that employees and outsiders clearly understand that the company is serious about preventing the loss of proprietary information in any form and will pursue rigorously individuals who endanger such information.
Under the guidance of Fine—who's also an attorney—and Tandem's legal department, Tandem now gets the most out of its confidentiality agreements. Here are the ways to get the most out of your company's agreement:
- Remind employees at frequent intervals of their duties under the agreement. Simply signing the document and then filing it away isn't sufficient. If it's ignored, it will fade from the mind of the employee.
- Make nondisclosures apply to all subcontracting employees. Most of the HR departments surveyed for this article don't screen subcontracting employees carefully. Many don't do it at all. These people may have worked—or might work at some point—for a competing company, thus possibly putting at risk the information they have learned while in your service. This rule applies equally to all vendor employees.
A stringent policy of deterrence also encompasses:
- Noncompetition agreements
- Invention and patent agreements (where applicable)
- Comprehensive exit interviews.
By taking these precautions, human resources professionals can help prevent company secrets' being taken by departing employees.
Deal with vendor employees: Request directly from the service provider—or from your procurement area, if they're responsible for vendor contracts—a list of all vendor employees who contract to work at your facility. This will enable your staff to conduct background checks of these employees, or at least of those individuals who will be working in or around sensitive areas. Although this can be a laborious task, keep in mind that it takes only one angry or naive person to jeopardize your secrets. That person can be either an outsider or an insider.
Define and classify proprietary information: Sensitive areas of the organization, like R&D and marketing, have their own document-classification systems. HR also should have its own classification system. This should apply to both general personnel matters and vital organizational information.
For example, a simple, effective system for your department might begin with classifying basic personnel files as private and upgrade more sensitive material to restricted or company confidential. This can apply to such information as the opening or expanding of facilities, transfers of responsibility or personnel, and so on. In cases of extremely sensitive information, like that involved in a pending merger, using a classification such as restricted-registered is helpful. Under this particular classification, the firm can control both the number of copies and which individuals can see them.
Tandem, which had more than $2 billion in worldwide sales in 1992, pushes ahead confidently. It plans to remain a leader in the fault-tolerant OLTP market for the long run. There's no reason to think otherwise, now that the company has passed successfully through the mine-infested corridors of both commercial espionage and relentless recession. Had Tandem not survived the espionage, it might never have navigated through the recession.
Under the stewardship of John and Fine, and with the active participation of everyone in the organization from CEO James (Jimmy) Treybig on down, the company has confronted all the former security hazards. The critical outcome is the substantial reduction of losses of both key employees and sensitive information. In conjunction with a stable management team and prudent cost-cutting measures, Tandem now can devote its full attention to what it does best, what its multiple end-user markets want.
Another central lesson of the Tandem experience is that a comprehensive information-security program doesn't mean stifling the information. It doesn't invariably cause big disruptions in the cross-company and cross-industry flows of communication that are so important to the development of the ideas and products keeping Tandem globally competitive. Finding that balance between open communication and employee trust on the one hand, and information protection in day-to-day business practices on the other, is, in the words of Fine, "a new and indispensable part of competitive positioning in the information age."
Personnel Journal, May 1993, Vol. 72, No. 5, pp. 44-51.