By DAN REYNOLDS, senior editor of Risk & Insurance®
There have been times when the risk management mantra, "You can't manage what you can't measure," has caused verbal eruptions of sorts.
Some risk managers fume at this assertion, of course, saying there are immeasurable categories of risk. To avoid corralling a risk because you can't measure it is lazy, or worse, a folly, these risk pros maintain.
Fair enough. But we might also want to accept the idea that you must at least try to measure areas of risk that at first glance seem daunting, like the activities of the alleged spiller of secrets, Julian P. Assange, co-founder, director and editor-in-chief of WikiLeaks.
Assange has the U.S. government reportedly rustling up a grand jury to charge him with something, given the fact that U.S. Department of Defense memos and other documents are winding up in the hands of the public. It has also been reported that narrow interpretations of First Amendment protections are driving government whistleblowers from the courts and into Assange's arms.
Businesses have plenty in the Assange-WikiLeaks story to keep an eye on.
Companies would be well advised to determine exactly what kinds of data they have, how sensitive they are and where they've got them stored, experts said.
Employers would even do themselves a big favor if they did a little digging to find out more about the character of the employees who have access to it, said Jim Whetstone, a U.S. technology and privacy manager for Hiscox, in e-mailed responses to questions from Risk & Insurance®.
"I am surprised how often we talk to companies that have not created a data map and data flow of the information in their organization," Whetstone said.
In many companies, employees have access to far more sensitive information than is necessary, he said. So, the task is to classify how sensitive data are, how they are to be secured, and who and how many people should have access to them.
When we talk about who, that means companies should be able to conduct criminal background and credit checks on employees who are being entrusted with sensitive data, trade secrets and the like.
Whetstone's colleague, Doug Karpp, the U.S. crime product manager for insurer Hiscox, said that companies can also help themselves by creating a better information loop in the case of employee complaints.
If an employee alleges fraud or malfeasance on the part of the company, senior managers or a co-worker, the company should investigate the allegation thoroughly and report back to the employee what they found, and not give the employee the tumbleweed treatment once they've piped up.
"This will hopefully prevent an issue from escalating into a 'document dump,' " Karpp said in e-mailed responses.
"If you assume all companies have some potentially malicious or inadvertent 'leakers,' the defenses against this again tie back to classifying your data based on its sensitivity, increasing protections around the data based on sensitivity and restricting access as the sensitivity increases," Whetstone said. "From there, monitoring the access and use of the information is also important."
December 21, 2010
Copyright 2010© LRP Publications