Leak of commercial information
The value of commercial information in a competitive environment is difficult to overestimate. Possessing such information and organizing its adequate protection, companies manage to occupy a niche in the market for goods and services. And the use of closed information allows you to win the competition and take the place of the leader.
However, some companies still do not understand the need to protect business information from leaks. This mainly applies to private entrepreneurs and small companies. Large corporations have long taken measures to comply with the trade secret regime and protect classified information from the illegal actions of competitors and insiders.
Trade secret concept
A trade secret is business information that is of real or potential value to the company for financial reasons. Once such information falls into the hands of competitors, it becomes a source of improper commercial gain. Leakage of information containing business secrets brings losses to the company, and sometimes even causes bankruptcy.
The material expression of a trade secret is secret management, production, technical and trade information, documented.
In the context of market interactions, the relationship to information is similar to the relationship to products. It is protected from unauthorized access, used as a weapon in the competition, and also to increase income. The administration of the company is obliged to know the specifics of the creation, processing, storage, use and transmission of information containing commercial secrets.
The exact list of confidential information is established by the head or owner of the company.
The Federal Law "On Commercial Secrets" legislatively enshrined the list of measures necessary to protect confidential information. However, in reality, the measures listed by the law are not enough to prevent leaks of commercial secrets. Therefore, each company develops and implements its own measures (legal, organizational, technical) to prevent leakage of confidential information.
Despite the complaints of entrepreneurs about the high cost of the security system for confidential information, there are a number of protection methods that do not require large financial investments.
Major leakage channels
On the basis of social research, the main channels of leakage of information of financial or commercial value to the company have been identified.
First of all, a threat to the security of confidential information is presented by means of communication with contractors - telephone, e-mail, fax and mail. The options for information leaks through these channels are as follows:
- during a private conversation on the phone, an employee may inadvertently disclose information containing trade secrets. Or competitors will deliberately intercept telephone conversations for the purpose of industrial espionage;
- by mail (electronic, regular or facsimile), an employee may mistakenly transfer classified information to a person to whom it was not intended. However, such cases are the exception to the rule. Facsimile communication is the most secure means of transmitting information;
- e-mail is less protected from illegal actions, since the transmitted information is stored on two e-mails - from which it is sent and to which it is sent. And a large number of staff have access to corporate e-mail. For unauthorized access, it is not necessary to know the password, it is enough to spy on it when entering it or use an open e-mail while the user is away;
- during the forwarding of postal letters, they can be opened and read by persons to whom they were not intended.
The channel of unintentional leakage of information can be served by its disclosure in the media - in newspapers, on radio or television. Such disclosure occurs unintentionally due to excitement and inability to selectively communicate information.
Leaks of commercial information occur during the transportation of products or their parts, as well as technical documentation containing confidential information. The transported cargo can be stolen or lost, as well as delivered to persons who are not the addressee.
Industrial espionage by unscrupulous competitors includes the installation of wiretapping equipment to obtain information announced on the territory of the company - in the office or in the shop. Video equipment is also used to collect information.
Insiders are the most dangerous leak channel. The staff of the company owns a large amount of information regarding the employer, including those related to trade secrets. Information leaks occur both during cooperation with an employee and after his dismissal.
The inclusion of information of commercial value in the annual report, the disclosure of which is not required by law, is another reason for the leakage of confidential information.
The company's work process is associated with interaction with counterparties and the signing of cooperation agreements. During negotiations, when signing agreements, as well as during their execution, commercial information is provided to the counterparty. Failure to dispense such information will result in leaks.
Another channel of leakage is the provision of confidential information to state or municipal authorities in accordance with Article 6 of the Federal Law "On Commercial Secrets". Employees of government agencies or the municipality, using their official position, disclose commercial information, and it is extremely difficult to prove the fact of a leak with their participation.
Preventive measures to protect sensitive information
In accordance with the Federal Law "On Protection of Commercial Secrets", the following is necessary for the safe storage and use of classified information:
- isolation of information constituting a commercial secret;
- creation of personalized access to obtaining such information;
- prescribing an agreement on non-disclosure of classified information in labor contracts with employees and civil law contracts with contractors;
- marking with the stamp "For official use" of material carriers of information.
When creating a comprehensive protection of confidential information, two aspects must be taken into account:
- The information security system should, if possible, exclude the leakage of commercial information and minimize the company's losses.
- This system should not interfere with the functioning of the company.
To prevent data leakage when interacting with counterparties, the procedure for transferring classified information is prescribed. For this, an internal document (order) is issued on the rules for interaction with counterparties. The best solution is to personally hand over business documents. Also, such an order provides for a ban on telephone conversations with the disclosure of classified information. Such issues are resolved in personal meetings.
Additionally, an employee is appointed responsible for the delivery of documents, products, spare parts containing classified information to contractors. This measure allows you to monitor and analyze relationships with counterparties.
The technical measures include setting at each workplace (PC) a personal password for logging into the system, which is known only to the employee working at the computer. This excludes unauthorized access to corporate e-mail of personnel who do not have such a right. Additionally, a password is set for forwarded messages containing confidential information.
Cooperation negotiations are carried out by telephone or videoconference in a room with controlled access.
All documents that will be made public by publication or announcement on the air of a radio or television studio are agreed with the head of the department or company, in order to avoid disclosure of confidential information. This procedure is also prescribed in the internal order.
The order of approval is also prescribed in detail. If the company is small, the manager independently checks all published documents for commercial information. If such publication takes place in a large corporation, examination of the documentation is carried out by a specially created commission or a designated employee responsible for maintaining trade secrets.
The technical equipment of the company, as well as internal video filming, will help neutralize the listening equipment.
The next link in preventive measures to protect information is organizational measures. These include:
- access control for entering the territory of the company;
- holding meetings and negotiations with partners in specially equipped rooms protected from audio and video recording;
- ban on the use of mobile phones during meetings or negotiations.
Additional insurance against the loss of classified information - signing an agreement on non-disclosure of commercial secrets with a dismissed employee, according to which the former employee undertakes not to distribute commercial information within a prescribed period after the termination of employment An employee is entitled to a monetary reward for signing such an agreement. It is extremely difficult to prove the fact of disclosure of confidential information by a former employee of the organization, therefore material motivation is advisable.
Establishing secrecy levels of information depending on possible damage is another method of preventive fight against leaks. The optimal solution is three-level access to classified information: top secret, high-security, high-security. In accordance with the secrecy levels, the levels of personnel verification are formed to provide access rights, as well as a monitoring system for the work of employees with classified information.
The work of employees of partner companies is carried out under control. They are given the right to familiarize themselves with the documentation in respect of which an agreement has been reached. Thus, the responsible employee of the receiving company checks with the employees of the partner organization the authority to familiarize themselves with the information and the compliance of the requested information with the previously reached agreement. After the verification, the employee of the partner company receives admission. The fact of obtaining access, familiarization, as well as the list of documents are recorded in an act, which is signed by both parties.
To prevent information leakage during the submission of the company's public reporting, for example, the annual report, you should:
- generate reports based on information required by law;
- coordinate the submitted report with the company's management.
Increasing the investment attractiveness of the organization will help a larger amount of public report data. In such a situation, it is recommended to introduce a multilevel check of the generated report to identify information constituting a commercial secret.
Refusal to provide state and municipal authorities with information constituting a trade secret entails the responsibility of the company. And the information is requested by a court decision. In addition to state and municipal authorities, the court, inquiry and investigation bodies in relation to cases that are in their proceedings have the right to request confidential information.
Information is provided to government agencies in response to a reasoned request (indicating the goals and legal justification for its direction), signed by an authorized official.
When preparing a response to a request from a state or municipal authority, the rules established by law should be observed:
- The prepared answer is marked with the "Commercial secret" stamp.
- Government agencies that have received information are obliged to ensure its safety and are not entitled to disclose information without the consent of the company that provided it. An exception is information received by the Ministry of Internal Affairs in the framework of a criminal investigation.
- For the disclosure of information constituting a commercial secret, officials are held liable.
Technical measures to protect confidential information
It is impossible to create secure conditions for storing and transmitting confidential information without modern software. To protect databases, DLP systems are used (in translation from English Data Leak Prevention - prevention of information theft).
Modern DLP systems are the best preventive measure against leaks of commercial information. The operation of such a system is based on the creation of a secure information space, in which outgoing and incoming correspondence is monitored and controlled (Internet traffic, documents that go beyond the protected space on external media, printouts on printers, transmission to mobile devices).
The DLP system determines the level of confidentiality of documents in two ways:
- By monitoring markers pre-applied to documents. This technique has its drawbacks. When the document format is changed, the marking disappears.
- Analysis of the document itself.
When choosing a DLP system, you should consider what will be more profitable - to buy an inexpensive product that requires the constant presence of the provider's specialists, or more expensive software that works autonomously. It is worth considering that the labor of IT specialists is not cheap. When launching and configuring the protection system, it is recommended to eliminate as much as possible IT-specialists from contact with commercial information that the company is trying to protect.
A detailed analysis of the main channels of leakage of commercial information allows us to conclude that they bring significant damage to the company's activities. And the measures prescribed in the Federal Law "On Protection of Commercial Secrets" cannot fully ensure the security of information.
Therefore, in addition to legislative measures, organizational and technical measures are carried out, developed by practice in the field of creating and maintaining cybersecurity. The main condition for the successful protection of commercial information is the implementation of a set of measures aimed at neutralizing the channels of loss of confidential information and preventing new leaks.