Security of secret information is big news today. Journalists are feverishly building a biography of Edward Snowden, the former Booz Allen Hamilton employee who leaked top secret information from the National Security Agency to the Washington Post and the Guardian. Our government is doing a terrible job protecting information, but not much worse than many businesses.
Small businesses have several categories of information to protect. They include design and manufacturing secrets, customer lists, pricing strategies, key employees, financial information and confidential information belonging to customers.
So here is a pretty fundamental question for business owners: Has every employee signed a nondisclosure agreement protecting company and customer information? Given what I have seen over the last several years, my guess is that the answer is no.
It is not at all uncommon for small businesses to hire people and immediately give them access to all kinds of information — some job-related and necessary, some just lying around and there for the taking — with no nondisclosure agreement having been signed. Not only is an agreement not signed, there is no discussion about the sensitivity of various types of information or how to handle it properly.
Some things would seem obvious. A business owner signs an NDA promising to protect sensitive customer information from disclosure to third parties. One would expect the owner to ensure that employees with access to the information would also be parties to the agreement or to a separate agreement covering all customer information.
But that isn't always the case. Some businesses sign these agreements at a high level and then hand the information over to employees who are under no obligation, untrained and may not even know the information is confidential.
Getting employees to sign an agreement is just one small step. Education is another, and that starts with policies and procedures for identifying and handling sensitive information.
Many businesses have nothing in place. For example, on many occasions I've witnessed employees of small businesses throwing copies of design drawings, quotes, purchase orders, sensitive correspondence and similar items in the trash, which was then deposited in an unsecured Dumpster.
Some reading this might think, "No one would really go through our trash." Guess again. I've had personal experience with more than one small business where competitors — in one case a former employee starting a business — obtained design information, pricing and customer intelligence from trash that should have been properly shredded.
Ironically, these things were discovered because employees of the competitors, who were in tight-knit industries, couldn't keep quiet about what they were doing. Sometimes lax security works both ways.
Handling of paper is one source of problem. Access to computers increases potential problems by orders of magnitude.
Employees often have too much access to information that isn't essential to their job functions. Lax enforcement of protocols, or no protocols, for saving all work to company servers rather than individual hard drives spawn all manner of uncontrolled files. Well-meaning marketing people post lists of key customers on the company website where competitors prowl. Passwords to sensitive programs and files are posted on sticky notes on cubicle walls.
Dealing with every issue relating to confidential information can seem daunting, but much progress can be made quickly with a simple step-by-step approach. It can start with a simple policy defining the categories or types of confidential information belonging to the company or its customers that must not be disclosed to outsiders and that should only be accessed by employees who have a need for it.
An attorney can draft a simple nondisclosure agreement for all employees to protect company information and also provide adequate protection for customers' confidential information. When these are explained and signed, owners can sign customers' NDAs knowing that all employees understand their obligations for confidentiality.
Those steps can be followed with a series of simple procedures for limiting access to paper and computer files, for storage of computer files on company networks and for safe storage of documents. Procedures can be written to cover in-process handling of documents and shredding and secure removal of confidential information when it is discarded.
Proper protocols for protection and periodic changing of passwords can be adopted. Audit schedules can be established to verify compliance with policies and procedures and to check hard drives, ensuring that software and files are properly saved on network servers.
This can be done in small steps over a period of months or even years. Every step is an improvement, beginning with the first policy written. The simple act of identifying information that must be kept confidential and explaining it to all employees while asking them to sign an NDA provides an instant leap in awareness and care. Each new procedure or protocol improves security.
Securing confidential information is critical. There is no better time to start.
Richard Randall is founder and president of management-consulting firm New Level Advisors in Springettsbury Township, York County. Email him at firstname.lastname@example.org.