Senior Vice President, Chief Information Officer
Keeping a Lid on Corporate Confidentiality
The recent US-intelligence document leaks originated with a 21-year-old who shared classified documents on a gaming site. When the news of the leaks came to light, leaders everywhere took a deep breath and thought, Could such confidentiality be breached in this organization?
Yes, it could. Nearly half of US companies experienced a data breach last year, and over 8 in 10 of those leaks involved an employee error. The stakes are high, and experts say that leaders need to manage the situation. “If not, they risk a calamitous event that exposes the company to almost unthinkable losses,” says Brandon Johnson, chief information officer at Korn Ferry. Those losses can be both financial and reputational, and they can impact the company’s ability to function.
Leaders particularly have their eye on Gen Z employees, who spend an average of 4 hours per day on social media—where leaks can inadvertently occur. But many employees of all ages receive confidential information online, often while working remotely. They’re able to spread information online more easily than ever.
At most companies, cybersecurity concerns fall under the purview of a corporate information team, such as the office of the chief information officer or the security department. Experts say that this is a mistake. “Cybersecurity is the responsibility of first-line supervisors,” says David Vied, global sector leader for medical devices and diagnostics at Korn Ferry. “Ninety-nine percent of the time it’s reminding employees to not do dumb things.”
Document security is already a part of many corporate annual trainings. Employees at these sessions learn, for instance, not to view confidential information on a laptop screen that’s visible to other airplane passengers. They’re advised on how to react if they see a coworker photocopying sensitive documents. Managers impart common-sense knowledge, such as the fact that corporate software often tracks the information employees access, or that chatting about confidential information can put coworkers at risk of accidentally sharing that information with other clients or colleagues. The purpose of this training is to prevent people from making errors out of ignorance.
While this training is valuable, its impact will be limited, says Maria Amato, senior client partner in Korn Ferry’s Organizational Strategy practice. “You cannot train motivation or the desire to do the right thing,” she says. Experts say that values such as integrity are best hired for. Managers can, however, be trained to understand and screen the motivations of their employees. “A manager might notice someone with access to confidential information and a desire to increase social standing,” Amato points out. Regular check-ins can also help managers to gauge employees’ morale and attachment to the organization. Over time, these interactions can be just as powerful as formal data privacy and security training. “It’s making sure that you understand where your people are coming from,” says Michelle Seidel, senior client partner in the Global Technology practice at Korn Ferry. “Disengaged employees are more likely to take retaliatory actions, which can lead to these kinds of leaks.”