It's easy for information to fall into the wrong hands.
Have you ever leaked information about your firm? Have your colleagues? Have you been tempted to leak sensitive data, and would it be hard to do so?
Do you gossip about your firm or colleagues, sometimes disclosing mildly sensitive information that, in the wrong hands, could be damaging? If you find yourself prefacing lots of conversations with, "between you and me …" you are probably leaking too much information.
Moreover, does your employer guard key information, or can you easily access data on clients, salaries, financial accounts, and the firm's strategy – and share it with friends, colleagues or rivals?
Recent revelations about an Australian Bureau of Statistics (ABS) worker allegedly leaking sensitive information prompted The Venture to consider this issue from a small-business perspective.
The ABS story is the latest in a series of government and corporate leaks worldwide in the last few years. For all the efforts to stop leaks, sensitive information still falls into the wrong hands.
This problem will worsen as organisations rely on "big data", become more networked, and as staff increasingly use personal technology devices at work. A rise in the number of disgruntled staff, as retrenchments increase and income growth slows, could inflame the situation.
Leaked information is not just a problem for large organisations. Small businesses can suffer from employees leaking contract details to rival firms, stealing client lists before they start their own venture, or accessing trade secrets, financial accounts or other sensitive information.
In some ways, "leaking" is a trickier issue for small enterprises that do not have sophisticated technology systems, human resource teams, or corporate forensic experts on hand. The overworked business owner cannot watch everything and the small firm has less capacity to recover from leaks.
Sometimes, the information leak is not about fraud, or a whistleblower informing authorities. Instead, it is from disgruntled, mischievous employees who want to do as much damage as possible – usually because they have been passed over for pay rises or promotions, and are bitter and twisted.
There is no uniform approach to stopping information leaks in small businesses. Information security needs will differ, for example, for a fast-growing start-up with unique intellectual property and a well-established service business that has had the same team for years. Use the tips below as a starting point for discussion:
1. Scramble those "bad eggs"
Stopping information leaks starts with recruiting ethical employees. A trap for busy small business owners is hiring people on the fly, without serious due diligence. If you recruit directly, without a search firm, check the potential employees' past employment and references. Speak to their referees. Some firms check their employees' social media and whether they have a criminal history. Consider a trial period before providing full-time employment.
2. Black and white, please
Ensure the employment contract has clear wording about the firm's confidentiality requirements and a clause that prohibits staff from competing against the firm, should they leave, for an agreed period. Ask potential hires to check the contract and encourage them to seek independent advice if needed. Ensure the contract provides scope for recourse if employees breach confidentiality rules.
3. The induction
A good induction program will help employees understand the firm's culture and expectations on joining, and its specific policy on disclosing sensitive information.
Do not take a heavy-handed approach: simply explain to staff what is expected on joining the firm. Train staff, if required, about when, where and how to disclose information.
4. Culture, culture, culture
Policies and programs are meaningless if the firm's leaders do not uphold them, or communicate them to staff. For example, at a staff meeting about a critical client contract, the manager might gently remind staff about the importance of confidentiality.
If the firm suspects an information leak, it should remind staff about its confidentiality policy and employee obligations under it. In severe circumstances, a manager might discuss the potential consequences if data is disclosed.
The goal is a transparent, honest culture where staff have clear expectations about respecting confidential data, and where good staff report the actions of those who seek to damage the firm through information breaches.
5. For your eyes only
The small enterprise should determine which information can be openly shared among staff, be available only to senior managers, or be for the founder's eyes only.
Without getting too complicated, it pays to know which information would create most damage if leaked, and review how it is protected.
6. The upside and downside of technology
In many cases, technology makes it easier to access and share sensitive data. But smart technology systems can also safeguard information, track security breaches, and pinpoint leaks.
Small firms that do not have sophisticated technology systems can take simple steps to safeguard information. Ensure all work data is on the firm's server, and backed up. Consider whether staff should be allowed to use personal devices, such as smart phones and tablets, to access work material – a tricky issue as younger staff, in particular, prefer to use their own devices. Fast-growth firms with competitively sensitive information might insist on staff using company-supplied technology.
Electronic passcodes for office entry, so the firm knows who is coming and going, are another consideration. Consider whether employees should be able to access sensitive material from home, via the firm's network.
7. Secret firm business
As part of standard risk-management procedures, a small firm might test if its confidentiality policy is being followed and if there have been information breaches. This could involve a random sample of work emails from employees in high-risk areas, or a review of their computer activity.
Alternatively, it could be a short training session with staff each year on the firm's confidentiality policy. The goal is to audit, test and refine the firm's confidentiality policies and ensure staff compliance with them.
8. Blow that whistle
A whistleblower line for staff who want to report suspicious behaviour anonymously can help. Knowing their colleagues have access to such a service can make employees rethink leaking sensitive data. The small firm could just as easily set up an email address where staff can report their concerns.
9. Seek professional help
Identifying and snaring the leaker is only half the battle. The harder part is not being caught in legal action if an employee is falsely accused, or if the investigation is handled poorly and the perpetrator discloses more information, or makes a run for it.
Devising an appropriate "remedy" can be tricky: for some firms, it may involve reporting the problem to the police; for others, it is about removing leakers as fast as possible, and ensuring they stay silent through agreed terms around their departure. Seek legal or other professional advice before devising a corporate "sting".
None of the above measures need be heavy-handed or draconian. For the vast majority of small firms staffed by honest people, leaked information is a low risk. But it can have extremely damaging consequences, meaning some risk-management planning in this area is a good idea.