Knowledge management: Portal for corporate espionage? Part 2: Who spies? How can enterprises be knowledge-enabled yet knowledge-secure?
By Jason B. Lee and Aaron D. Rosenbaum
So who are the potential spies? Who is in a position to use KM as a gateway to the things a company must protect?
Employees: Anyone who has worked for a firm or is currently employed may be a suspect in the theft of critical knowledge and trade secrets. That includes temps, secretaries, even building maintenance, to say nothing of executives and technical experts at every level. Disgruntled employees who believe they have been wronged may want to hand confidential information to a competitor. Dismissed employees, or simply ambitious ones, may take trade secrets with them to start their own company.
Competitors can and do employ double agents, people with access inside a rival company. Even scarier, your own employee may initiate the contact. If the competitor knows about the existence of a KM system—and how many executives like to talk at industry forums about their modern management techniques—then the proffer of intelligence is likely to be taken far more seriously.
High-level executives can pose a special problem, for they are apt to have access to system metrics, security reports and analyses of key learnings. They are the people most likely to elude or minimize security training and avoid oversight of their activities. And like salespeople, they are mobile. Non-compete and non-disclosure agreements, while essential, are imperfect instruments for protecting against the loss of head knowledge and derived insights.
Contractors, suppliers and joint venture partners: Those who do business with a firm come a close second to employees as the greatest internal threat. Many companies are (properly) using KM to involve ancillary players who contribute to their success. Participation in a joint learning exercise or a shared database can provide a point of access to contractors and subcontractors, consultants, accountants, attorneys, suppliers and joint venture partners.
For (mostly) better but sometimes worse, external partners are motivated in the same way as employees. They may not be security conscious, or may operate on a margin they feel justifies the use of any competitive edge. Some don't draw appropriate lines between similar clients. "Familiar outsiders" may face different or weaker security procedures, and some may operate on the assumption that the KM system to which they have access is not geared to lead back to outside perpetrators.
The most dangerous thing about external parties who are closest to the enterprise is that they do not have to steal something physical or transfer data to do damage. The knowledge in their heads may be sufficient. Management consultants, accountants and attorneys must be thoroughly familiar with the business to give advice effectively. Even if one trusts a contractor firm, the same faith cannot necessarily be placed with its individual employees.
Clients: The client always comes first! The customer is always right! Those may top the agenda in business school, but not in security school. Open KM systems create the opportunity to give clients too much information. In an effort to accommodate the needs and wants of clients, firms can give access to data and insights that a particular client—or any client—does not require.
How do you determine how much is too much? That question should itself be the focus of a community of practice. By definition, clients share the enterprise space with those who market to them. Some may be motivated by simple greed. But others may want to steal a client for another division of their company, discover marketing plans or understand the client base. (How better to test the feasibility of a new venture?) They may want to know the consulting practices that distinguish the top producers, or use another company's research methods to train their in-house staff and so eliminate the need to purchase the services that brought them into contact with the company in the first place.
Hackers: The subject has been endlessly explored and deservedly so. IT systems are much more secure today than in years past, yet the value of corporate knowledge in a KM system can justify a long-term, concerted effort to penetrate it.
Hacking a KM system can mean gaining regular access and establishing an account that permits seemingly innocuous queries. Like legitimate users, hackers may be able to tap into proprietary information, strategies, plans and raw data. They may try to correlate odd bits to find heretofore unseen connections. They may penetrate the underlying software and look at search patterns, traffic flow, IP addresses and backups.
Like the first computer criminals who diverted unseen fortunes from primitive bank computers, KM hackers are aided by the sheer newness of their targets. Constantly on the edge of discovery, they explore, and exploit, rapidly changing systems, testing them no less assiduously than their designers. Hackers can do the tried and true, sabotaging systems and data, or they can operate more subtly, materially changing small details, not just in manufacturing secrets and software, but in tested algorithms that have been incorporated into the KM system. Properly executed, KM hacking can create problems whose full impact is not apparent for months, and which undermine the reputation of knowledge management within the corporation.
Imposters: Anyone can pose as a government inspector, a journalist or a computer repair tech, to say nothing of a consultant, a member of a tour or a job seeker. In a world where companies regularly hire former military intelligence operatives to approach the employees of their rivals and win their confidence, it is no great leap to recognize the threat of fabricated documents, badges and job histories. Spies know how to look like they belong, to roam through corridors and stroll into offices. Identity theft is a natural tool for imposters, who may steal the names of retired or deceased employees or "borrow" the identities of industry leaders. (How many executives know the faces or current employers of every speaker whose name they've seen in a conference announcement?)
The object may be entry to secure areas, discovery of passwords, undisturbed computer time or access to documents that can be quickly scanned or duplicated. Corporate security forces are gatekeepers; they are not passport control, and imposters good enough to be part of a sustained espionage effort are detail-conscious precisely because their employers demand nothing less. And if KM practitioners, often unappreciated, want to show off their systems to seemingly trustworthy outsiders …
So how to respond? A few essentials must form the core of any solution:
Design security into KM systems from the whiteboard stage. Security is not simply an "IT issue" or a problem of entry points and access. KM security also involves which learnings will be shared, as well as which data. System designers must think about the vulnerabilities of the underlying hardware and software and how the systems will perform. They also need to think procedurally: Who (what individuals, what offices, what corporate functions) will use the KM system? How will the system be used in the real world—which functions, perhaps surprisingly, may predominate? How might usage evolve over time? KM practitioners are not seers, so the whiteboard must remain active even after the system is up and running. That, too, is part of knowledge capture.
The classic problem for KM practitioners is that they talk mainly to other KM practitioners. The IT staff, up to the CIO, needs to be integrated into the KM effort from the start. Their participation broadens the base of support for KM in the company, averts territorial squabbles and deepens the skill set, which is the objective of KM, after all.
Identify who needs to know and reconcile that with the goals of KM. Companies need to decide—not just once but on a periodic basis—which employees, contractors or joint venture partners should have access to a KM system, contribute to it, and at what level. Sensitize those parties to your expectations of security awareness and the appropriate professional conduct in handling critical information. Hard and fast rules, or worse, a "you can't use it" exclusiveness, are counterproductive. By their very nature, KM systems are democratic and democratizing, valuing useful contributions, even if they emanate from unusual contributors. If collaboration is delimited by management fears of espionage, the enterprise will share little and learn less.
Secure the human element. That is the basic imperative of IT security and all the more important with KM. Participants need to be vigilant about suspicious behavior and encouraged to exchange ideas about what might compromise the system. Background checks and clearances may be advisable. High-level executives and outside users of the system, even big clients and attorneys, need to be looked at dispassionately.
Security is not just for line employees. Executives must understand that what they say at industry events may be especially damaging. Competitors are sure to be listening; more important, sharing too much detail about plans for KM, or the workings of a new KM system or specific lessons learned can compromise the company's interests for years to come.
Put software and systems to the test. Too often, KM practitioners are preoccupied with implementing their own designs or adapting off-the-shelf systems to in-house systems and practices. Most vendors are security conscious, understanding that strong protection is a selling point and that a publicized vulnerability can mean death in the marketplace; a vendor's assurances, however, are not evidence. Clients have every right to aggressively test third-party systems. But politically, that is never as simple as it sounds: KM advocates may feel they are undercutting their own position in the company if their security concerns call into question a key vendor or a KM design.
At some level, KM managers must conduct espionage against themselves. That is a variant of ethical hacking, or penetration testing. Systems need to be tested, but even more, they need to be penetrated, and not just once, but on a regular basis. Think like a spy; that is the only way to identify weaknesses and create remedies. Managers should look closely at system usage, not merely as a metric but as a probe of which components are most used and most exposed: an account that quietly reads a little from every knowledge area over weeks is harvesting, not learning, and only the access logs will show it.
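The hacker profile described earlier (a legitimate-looking account making seemingly innocuous queries and correlating odd bits) and the advice here to treat usage data as a probe both come down to reading the KM system's own access logs. The following is an added example, not code from the article or from any KM product: it parses a constructed access log, flags accounts that touch many distinct knowledge areas at a low daily rate (breadth without depth, spread over time), lists reads that fall outside an assumed need-to-know map per role, and ranks which areas are read most and so deserve hardening first. The log format, account names, roles, the EXPECTED_AREAS map and the thresholds are all assumptions made up for the illustration.

```python
"""Added example: reviewing KM access logs for harvesting patterns.

Not code from the article; the log format, account names, roles and
thresholds below are assumptions made up for this illustration.
"""
from collections import defaultdict

# Constructed sample log (not real data). Columns:
# date account role action area item
SAMPLE_LOG = """\
2024-03-01 alice engineering read manufacturing doc-101
2024-03-01 alice engineering read manufacturing doc-102
2024-03-02 alice engineering read research doc-401
2024-03-01 bob sales read pricing doc-201
2024-03-02 bob sales read clients doc-501
2024-03-02 bob sales read clients doc-502
2024-03-01 mallory contractor read manufacturing doc-101
2024-03-02 mallory contractor read pricing doc-201
2024-03-03 mallory contractor read legal doc-301
2024-03-04 mallory contractor read research doc-401
2024-03-05 mallory contractor read clients doc-501
2024-03-06 mallory contractor read strategy doc-601
2024-03-07 mallory contractor search strategy q-17
"""

# Assumed need-to-know map: which knowledge areas each role is expected to touch.
EXPECTED_AREAS = {
    "engineering": {"manufacturing", "research"},
    "sales": {"pricing", "clients"},
    "contractor": {"manufacturing"},
}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash on them
        day, account, role, action, area, item = fields
        events.append({"day": day, "account": account, "role": role,
                       "action": action, "area": area, "item": item})
    return events


def profile_accounts(events):
    """Per account: distinct areas read, active days and total reads."""
    profiles = defaultdict(lambda: {"areas": set(), "days": set(), "reads": 0, "role": None})
    for e in events:
        p = profiles[e["account"]]
        p["role"] = e["role"]
        p["days"].add(e["day"])
        if e["action"] == "read":
            p["areas"].add(e["area"])
            p["reads"] += 1
    return profiles


def flag_harvesters(events, min_areas=4, max_reads_per_day=3.0):
    """Accounts touching many distinct areas at a low daily rate: breadth without depth, over time."""
    flagged = []
    for account, p in profile_accounts(events).items():
        rate = p["reads"] / max(len(p["days"]), 1)
        if len(p["areas"]) >= min_areas and rate <= max_reads_per_day:
            flagged.append(account)
    return sorted(flagged)


def out_of_role_reads(events, expected=EXPECTED_AREAS):
    """Reads of areas outside the role's need-to-know set (the periodic access review in code)."""
    return [(e["account"], e["area"], e["item"]) for e in events
            if e["action"] == "read" and e["area"] not in expected.get(e["role"], set())]


def area_usage(events):
    """Which areas are read most: the most used components are the ones to harden and watch first."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "read":
            counts[e["area"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("harvesters:", flag_harvesters(evs))
    print("out of role:", out_of_role_reads(evs))
    print("usage:", area_usage(evs))
```

On the constructed log, `alice` and `bob` read a handful of items in their own areas and are not flagged; `mallory` reads one item per day from six different areas, which passes any per-day volume alarm but trips the breadth rule, and every one of those reads outside manufacturing also appears in the out-of-role list. The two rules catch different spies: the volume-insensitive breadth rule catches the patient collector, the need-to-know rule catches anyone whose access was never reconciled with their role, and the usage ranking tells the CoP where the concentrated value sits.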
Use the strengths of KM to strengthen KM systems. "Tacit-capture" KM enables companies to pool their skills and experience as well as their data. Communities of practice (CoPs) provide an ideal way to protect KM systems. Like a corporate risk committee, a CoP should be established to assess the rising value of knowledge concentrated in the KM system and how it might be accessed. Operators should support CoPs on system practices, such as codifying lessons and sharing information with customers; on best practices in hardening systems while maintaining system vitality; on emerging security challenges, such as IM and WiFi; on counter-espionage; and on the thorniest problem of all, the compartmentalizing of knowledge.
CoPs give context to knowledge and help embed best practices in the enterprise. Technology and software cannot substitute for sharing experiences and insights. Properly supported, CoPs can enable even small enterprises to sustain robust and secure KM systems. But companies that attempt a technology-only approach to protecting their KM systems will jeopardize their investments, and worse, the unique assets those systems connect and create.
Knowledge management systems are valuable precisely because they enable companies to "know what they know," concentrate it, extract insights, leverage them and put the results to use in new and responsive ways. That power makes KM equally attractive to competitors, hackers and common thieves. Securing KM systems without suffocating them is an unavoidable challenge, but an eminently worthwhile endeavor. At its heart, it is a learning experience for the sake of future learning: a textbook exercise in finding knowledge and managing it.
Jason B. Lee is a certified financial management analyst and managing director at Lee, Pirelli & Co., e-mail firstname.lastname@example.org. Aaron D. Rosenbaum is president of the consulting company CreativeKM (creativekm.com), e-mail email@example.com.