By Heloísa Ribeiro * and Pamela Passman **
New information technologies have brought several benefits to companies, such as the ability to easily generate, share and transport data. This has been one of the drivers of productivity gains in several segments. There is, however, a downside to this story. Increasingly, companies are subject to huge losses from theft or voluntary destruction of valuable confidential data.
Cybercrimes, as they are called, have not received due attention in most organizations. Many still believe that the main threat lies outside the company. Bandits hi-tech would be primarily responsible for breaking into systems and stealing data from companies. In fact, this type of crime exists and usually gains great repercussion in the media. A recent case involved Sony Pictures of the United States, invaded by hackers in what would be a reprisal against the film The Interview, which caricatures the president of North Korea. They stole and posted contracts with celebrities, business plans and other documents on the Internet and destroyed numerous data files, causing great financial and image damage to the company.
But these high-profile crimes represent only part of the problem. Most of the time, theft occurs within the company itself or through business partners. As many companies do not even realize that they were robbed and others, upon discovering the crime, avoid disclosing the case so as not to expose their weaknesses, the problem does not appear to the extent it should.
To help Brazilian companies deal with this threat, the ETCO-Brazilian Institute of Competitive Ethics and the Center for Responsible Entrepreneurship and Commerce (CREATe.org) signed a partnership to address the issue. One of the main objectives is to increase the level of knowledge of Brazilian companies about the origins of the problem.
One of the most common causes is related to permissions to access information. Many companies do not take appropriate steps to limit the type of data that each employee can view or copy. A recent study carried out in the United States by the Ponemon institute, which specializes in the subject, showed that 71% of employees of American companies believe they have access to data that they should not, such as customer records, contracts and files with intellectual property.
Professional mobility is another component of the problem. In today's globalized economy, professionals from various segments have many opportunities to change jobs or even countries. It has been increasingly common for stories of employees who leave the company carrying hundreds of computer files with the intention of providing them to competitors.
A recent story took place in South Korea, where a senior automotive engineer at Daewoo Motors was convicted of handing over sensitive documents to a competitor in China. The documents contained details of safety and performance tests on technologies developed by the South Korean company.
Often, the problem occurs due to a lack of awareness about the value and confidentiality of information. The survey by the Ponemon institute showed, for example, that 76% of professionals have no problem downloading confidential company documents on their personal computers and cell phones or storing them in the cloud, attitudes that open the company's doors to data theft.
Another common way of leaking this information happens when employees, suppliers or customers install programs on the company's computers. Often, without knowing it, they end up using pirated software containing malicious code that invades the company's systems in search of valuable information.
LACK OF TRAINING
Few companies adequately convey their expectations regarding the confidentiality and security of information to employees and partners. Fewer still take care to monitor whether the appropriate procedures are being adopted. It is not surprising, therefore, that many employees fail to take the necessary precautions to protect the company's intellectual property or prevent cyber attacks.
Clearly, the threat from insiders cannot be remedied through old protection systems. It requires a multi-faceted solution, a proactive approach involving IT, but also security procedures, drafting terms of conduct, training and supervision. These measures need to be based on a careful analysis of where the company's most valuable information is, be it consumer data, trade secrets or other forms of intellectual property.
The system to protect the company from internal risks must be balanced by the need to facilitate the work of the vast majority of employees and partners who act correctly. The globalized and digital world provides unprecedented opportunities. But taking advantage of them requires taking the necessary steps to minimize the risks. Adopting a systematic approach - with specific strategies to avoid losses to internal personnel and plans to protect against external invaders - is the best and most effective way for companies to compete in an increasingly unstable and challenging business environment.
* Heloisa Ribeiro she is the executive director of ETCO-Brazilian Institute of Ethics in Competition.
** Pamela Passman he is president of the Center for Responsible Entrepreneurship and Trade (CREATe.org).