It is something that few senior managers spend much time thinking about – until it happens: The dreaded “leak.” It seems that every week the media are either displaying documents that have been leaked to them or commenting on “inside” information that was provided to them.
It is a well-known fact that leaks are sometimes executed for strategic reasons, better known as trial balloons. Most leaks, however, are the result of carelessness, technological glitches or an employee’s wilful desire to provide sensitive information to outside sources. No matter what the cause, managing the crisis that results from an unauthorized disclosure takes its toll on the organization and its employees.
Technological glitches may be difficult to foresee; however, the human factor is an area on which senior managers can have some influence.
As stated, there have been cases of leaks that have been the result of employees who, either by ignorance of security protocols or downright carelessness, inadvertently disclosed their organization’s sensitive information. An organization that has detailed security protocols that are communicated to employees regularly through information sessions and reminders will mitigate the chances of disclosures taking place by creating a “security consciousness” within their workforce.
The situation where an employee wishes to deliberately disclose information, whether for idealistic or for other personal reasons, is more difficult to prevent. However, recognizing certain pre-existing elements in your environment can help a manager prevent this type of unauthorized disclosure. Knowledge of the human psyche is an important component of the manager’s toolbox.
Dr. Donald Cressey, a world renowned criminologist, conducted a study on why someone in a position of trust would commit acts that would violate that trust. His research concluded that there were three factors which needed to be present for someone to commit a fraud or other wrongdoing. These three factors, widely known as Cressey’s Fraud Triangle, are: motive, opportunity and rationalization. This model, recognized by the Association of Fraud Examiners (ACFE), has proven itself to be a reliable indicator of conditions that need to be present in occupational wrongdoing situations.
An employee may be motivated by many factors to intentionally disclose sensitive information. The most common are financial hardships, ideological differences and work-related dissatisfaction. Employees going through financial hardship will rarely share their situation with colleagues, but there are often subtle signs that show that an employee is struggling with a problem. Certain behaviours such as isolation, depression, emotional outbursts or absenteeism can be indications that a co-worker is dealing with some type of personal burden.
The opportunity factor is directly related to the access that an employee has to sensitive information. At the conclusion of an investigation into an unauthorized disclosure, many senior managers will comment that they were surprised to learn how many employees had access to the disclosed information. Restricting access to sensitive information and strong control mechanisms surrounding the accessibility of this information will reduce the risk of both inadvertent and deliberate disclosures.
Rationalization can be described as the employee’s ability to “negotiate” with their conscience on the actions they are considering initiating. The stronger their motive, the easier it will be for them to rationalize their decision.
Though having strong written procedures related to the access and control of sensitive information is an important component of preventing unauthorized disclosure, these measures will be successful only if they are parlayed with strong leadership that communicates its commitment to the security of the organization’s information. The “tone at the top” is the organization’s most powerful communication tool. If the employees observe that security is important to their leaders, it will become a priority for them, too.
In today’s environment, where many government workers are experiencing stress and insecurity related to their employment, an employee’s loyalty to their employer will be put to the test. As a result of this situation, the factors in Cressey’s model will be more prevalent in the workplace, thus rendering organizations more vulnerable to unauthorized disclosures. Implementing better controls and having one’s “ear to ground” will protect your organization from being victimized by these types of incidents.