Confidentiality Agreements and Insider Threat Awareness

Having recently returned from presenting training on insider threat at Black Hat, I have the idea of insider threats on my mind. Couple that with a few of my other favorite topics, communication and training, and I started thinking about this idea of increasing insider threat awareness.

Confidentiality Agreements

Does your company or organization have one? How do you handle them? Do you hand them out, give a short explanation, and direct your employees to sign, perhaps with a few subtle threats thrown in?
The confusing legal language that few truly understand often makes these documents quite intimidating. Employees can become fearful of the numerous potential consequences associated with a failure to comply.
Is your confidentiality agreement a really useful document? Does it really assist in protecting company information? Or does it only provide a legal and financial basis for a reactive response to an insider threat?

An Educational Approach

Is there a better way? I think there is. Can we turn the confidentiality agreement process into a valuable part of a program that truly protects company secrets? Yes. Let’s look at a few ideas.
Why not take the time in small groups to truly explain the document? Work through each part together, explaining the legal language and why it is there. Encourage questions and give thorough answers. Include the reasons why the company has such an agreement and how it protects both the company and its employees. Give examples of how breaches in confidentiality have hurt companies. Help employees really see how it is in their best interest not only to protect company information themselves, but to ensure others do as well.
Using this approach, your company may very well gain some important benefits:
1. Employees will more readily sign the document on sight. The group signing provides greater strength to the commitment. Gaining public verbal commitments at this time will also help.
2. You create a more cooperative air about the agreement, which otherwise reads much more like an adversarial document.
3. You begin insider threat awareness as part of the process and you set the tone for future training sessions that will continue to support and enhance the protection of company information you intended through the agreement.

A Better Way

Confidentiality agreements themselves will not protect company information. Those who decide to take company information will not likely be stopped by the agreement. They will either rationalize it away or simply believe they will never be caught. A complete program, including education, will provide a greater level of protection than any agreement on its own.
Don’t threaten your employees with confidentiality agreements. Make your employees part of a team that protects their own livelihoods through collectively protecting their company’s information.
Be swift to hear and slow to speak,
