Protecting Information: a cascading approach to information security

There is no easy way to protect corporate information. Protecting government information is easy because they have their own networks. Life in commercial society is somewhat different, but if businesses follow these 6 steps they will be better off:

  1. DEFINE. Don’t protect everything.  It costs too much and it’s a waste of time.  Define what is intellectual property (patents, trademarks etc).  This is the stuff that (a) is legally protectable, and (b) it is what the market will pay for (i.e. it isn’t an intangible asset – it has dollar value).  Intangible assets which are collectively seen as valuable are classed as intellectual capital.  Everything else is either supporting information or junk.  
  2. DETERMINE. Determine what goes where as part of your internal processes and workflows. Remember, it gets used if it's part of the workflow. Proper IP should reside on closed systems with certain roles acting as guardians (e.g. in-house counsel, financial comptroller etc). Intellectual capital, things such as frameworks, processes and analytical methods, should sit on systems with role-based access privileges so that repeated access (e.g. for screenshots) is noted. Printing and downloading should be limited and part of a defined process. Thin client technology helps, but the most important means of guarding this stuff is to make it compartmentalised (i.e. various levels of decomposition etc) so that it's hard to gather it all together at once yet easy enough to use as a reference tool for team use.
  3. DEVELOP.  Keep developing your intellectual capital.  It’s less worthwhile stealing information which is outdated.  Moreover, make sure that development is cross-functional and multi-disciplinary.  This is akin to holding the encryption key to your intellectual capital.  If only a few central people know how the framework all works together then even if it is taken by former employees they will, at least, be unable to build on it.
  4. IDENTIFY.  Identify the people who are going to access this sort of information.  Now build these roles and enforce them with internal business processes and physical security measures to make this work.
  5. INSPECT.  Tag your information and gain access to employee hard drives.  There is no way around it.  Be subtle about how you approach knowledge workers and develop socially enforceable norms around the use of corporate proprietary information.
  6. INVEST. For intellectual capital works, invest in a great means of display. If you're afraid of other firms ripping off your frameworks or processes then get a graphic artist to create excellent visual representations. Then you can protect that image through contracts with employees and clients. Any use outside of your parameters can be met with a solicitor's letter.

Most importantly, invest in your people and invest in the development of new knowledge. If they want to take it, they will, but nothing secures information like happy employees, and few will want to steal outdated information which they can't build on.
