Corporate business security. Why do we need it? Does business really need it?
Corporate security. In recent times, we tend to hear about it more often at various levels: business forums, conferences, social media, mass media, etc.
Why does this happen? The answer is obvious: the business environment, both internal and external, changes very quickly today, and cyber attacks not only on private companies but also on entire state institutions have become regular. The whole world is becoming more global, and competition is happening literally on all fronts: personnel, information, ideas, technologies, market outlets, resources, finance, etc. The international scandal about possible interference of the Russian Federation in the US presidential elections alone is example enough. Another resonant example is closer to the Ukrainian reality: the Petya-virus cyber attack in June, as a result of which, according to experts, the Ukrainian state and business alone suffered losses of several billion hryvnias.
Unfortunately, many Ukrainian entrepreneurs are still far from understanding that corporate security must be built properly at the same time as the business itself is launched.
Let us consider some real-life cases to see the possible negative consequences for a business that does not build effective corporate security.
For example, a disloyal employee works for Company Y (or he has been recruited by competitors, law enforcement agencies, security services of foreign states, etc.) and steals a .pst file containing the Company’s email. He then uses fairly simple technical forgery and manipulation to make many changes to the metadata of the stolen .pst file and to the correspondence of the Company’s employees. We all remember the famous phrase with a comma, “Execute not, pardon” or “Execute, not pardon,” where a single comma makes a huge difference in meaning. After all, email can contain commercial, confidential, personal, and even discreditable information, and if you “decorate” it all with a couple of hundred fake letters that compromise the company and its employees, you can easily begin to blackmail the company or simply cause it significant damage right away by sending the falsified file to the right addressee (a competitor, the relevant authorities, the media, etc.). The damage can be of various kinds, but in the end it usually leads to very serious financial losses for the business.
Let’s take one more case from practice. A company does not sign an agreement with its key employee (a manager of a department) in which he undertakes, for some time after being fired (at least twelve months), not to compete with the company, not to hire its employees, not to work with its clients, etc., and under which he bears significant material liability to the company if he violates these obligations. What are the possible consequences of not signing such a non-compete agreement? The employee leaves, and a few months later it turns out that he has already registered his own company and transferred to it the contracts with the clients he handled while working for the company, although these were clients of the company he worked for (its assets). Another month later, he lures away whichever of his former company’s employees he wants (the company’s assets as well), and in this way he can take with him a whole line of business that until then was bringing profits to the owners.
Here is another example of how easy it is to harm a respectable businessman if there is no corporate security. A counterparty is planted on a decent and law-abiding businessman with the goal of deceiving him into parting with his money or even taking away his business. By all the usual signs it looks like a normal company, but in fact it is a company operating in, or having business connections with companies in, the DNR or LNR. Thus, having failed to properly check his counterparty, a normal businessman and his top management can become accessories to terrorism, with the expected results for their business. And that is just in brief.
We can provide plenty of examples of large and systemically important companies that failed to properly build a corporate security system and suffered losses of varying degrees of seriousness as a result, and not just among domestic companies but among the biggest and best-known companies in the world as well. Right now, a scandal is unfolding about the illegal transfer by Facebook of the personal data of 50 million of its users to third parties. According to the estimates of financial experts, this has already resulted in a fall in the price of Facebook shares and a drop in the company’s value by tens of billions of dollars. We can only guess what the final consequences of this scandal for Facebook will be. Of course, we understand that companies like Facebook certainly have a corporate security system of the highest level, but at the same time there are reports in the media that the company’s Corporate Security Director was not dismissed but rather tendered his resignation because the Company had ignored his recommendations and instructions, which led to these consequences. Therefore, it is important not only to build a corporate security system but also to follow it.
Some may argue that corporate security is expensive and that their financial capabilities are limited. To this I will respond with a quotation from the famous Indian thinker and originator of the Integral Yoga teaching, Sri Aurobindo: “If a great goal is before you, and your capabilities are limited, act anyway, for it is only through actions that your capabilities can increase.”
If I have convinced you to consider building a competent corporate security system in your company, let’s figure out where to start.
First, you need to define a security object. The security objects can be:
The reputation of the owners, top management, and the company itself
Technologies and business processes
When building corporate security, it is equally important to understand the types of threats that exist.
These can be roughly split into four main types:
So, once we have decided what we have to protect and from which threats, our next step is to determine who will build our company’s corporate security system.
The first option is for security to be provided by the company’s management, or by a safety committee or security council set up by the company itself.
The second option is to have security built by an external organization (security outsourcing).
The third option is a mixture of the two options above.
Every entrepreneur must decide for himself which security option he considers most appropriate and most likely to deliver the necessary result, based on a number of factors, such as security facilities, his internal human capacity, financial possibilities, the scale of corporate security, etc.
In my opinion, a quite reasonable option for business is the mixed one, where some of the security issues are dealt with inside the company and the rest are entrusted to an outsourcing company.
It seems logical to outsource the following tasks:
The establishment of cyber and IT security systems
Conducting an audit of corporate security or its separate directions
Independent consulting on corporate security
Legal protection of business (involvement of lawyers and legal organizations)
Creation of the regulatory framework of the company that regulates its security
The interaction with state and law enforcement bodies coordinated with the head of the safety committee on issues affecting the company’s security
It is recommended that the internal safety committee be entrusted with the following issues:
The interaction with state and law enforcement bodies coordinated with an outsourcing company on issues affecting the company’s security
Organizing the work of creating corporate security
Monitoring of the implementation of the company’s regulatory framework governing its security
Coordination of the company’s staff and divisions’ actions on providing security
Interaction with outsourcing organizations that provide corporate security services
Organizing protection of confidential information
Current maintenance of technical means of safety and security
Research and information work to ensure the company’s safety
Analyzing the financial activities of the company in order to prevent and spot unlawful actions that are detrimental to the company’s interests (theft, kickbacks, fraud, baksheesh, etc.)
Conducting activities aimed at ensuring the company’s personnel security
Conducting internal audits into unlawful acts committed by the company’s personnel
Consulting and providing recommendations to the company’s management and personnel on security issues
And if you are still asking yourself the question “Is it worth spending resources on corporate security?” my answer is unambiguous: “IT DEFINITELY IS.” The American diplomat and writer James Russell Lowell said more than a hundred years ago, “Not failure, but low aim, is crime.”