The Official Baldrige Blog
Sitting deep in the basement of the FBI in Washington, D.C., reading the personal files and dossiers of J. Edgar Hoover, Donald Fisher became fascinated with intelligence and organizational security. Fisher, one of the first researchers whose access to FBI records was approved under the Freedom of Information Act, could see the importance of organizational intelligence because so many organizations had been so easy to infiltrate.
Today, such infiltration often happens digitally, in the world of cybersecurity and big data. But what can be done to reduce corporate espionage and the risk that the proprietary and confidential information of U.S. organizations is so easily laid bare by hackers, some allegedly linked to foreign governments?
Fisher, who is chief executive officer of the Mid-South Quality/Productivity Center, may have an answer.
“Why not use the world’s greatest criteria—the Baldrige Criteria—to do self-assessments?” he asked. “It just seemed logical.”
According to Fisher, organizations need to start with what they are protecting: copyrights, trade secrets, regulated information (e.g., patient data), FDA scores, and other classified information. They then need to identify risk and look at data security, asset management/control, the business environment, training, risk assessment, information protection processes, protection of technology, and strategy. Next they need to ask themselves about security, continuous monitoring, and detection processes: What’s in place? What’s not in place? What kind of response capability exists inside the organization? What are the ongoing security issues? What about response/recovery time and communication with employees, customers, and vendors? Analysis and process improvement are also key, he added. Read together, these areas track the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
Luckily for organizations, all of these areas are covered in the Baldrige Excellence Framework and its Criteria.
“The idea is that a lot of espionage does happen internally,” Fisher said. “I think that every organization ought to develop an in-house assessment team using the Baldrige Criteria to look at all of these areas of an organization. . . . Everything really that the Baldrige Criteria asks for they should be looking at.”
Fisher, who has completed over 200 Baldrige-based assessments around the world and in various industries, including education, said a lot of security breaches are internal, with companies losing their intellectual capital, copyright protection, and patents. Often these companies, and especially Fortune 500 companies, hire external experts to come in and do a security assessment, but this assessment really should be done internally, by the people who are most knowledgeable about the data and most affected by its loss, he said.
Fisher’s research outlines the need for organizations to develop corporate intelligence plans that look at sustainability, especially with regard to financial assets, environmental initiatives, and social assets. A Baldrige-based security self-assessment would help organizations put their “arms around how effective or not effective [and what are the] holes in your intelligence apparatus and inside your organization.” An in-house assessment team also gives an organization the freedom to work together holistically, said Fisher; espionage might not be as easily discovered by a third-party expert who does not know the corporate culture.
“Security is the competitive edge in any organization no matter how small or how large. Keeping your corporate secrets secure is always very high on any business’ list,” Fisher added. “[Release of] confidential information can hurt you competitively as an organization.”
When completing an assessment of an organization, Fisher said he uses the Baldrige Criteria to look holistically at what types of processes the organization has in place. He looks across all of the categories and items of the Criteria to see where the organization has opportunities for improvement. For corporate sustainability, he even developed a corporate intelligence security index that aligns the Global Reporting Initiative’s (GRI’s) index with the Baldrige Criteria. Fisher said a self-assessment team needs to look through the Baldrige items and take an inventory of the organization’s information, including what information must be kept private.
“When doing an assessment, I always look at corporate intelligence because I see that as a competitive issue. . . . A lot of innovation is tied into corporate intelligence. Innovation is a big business,” he said. “I try to think of things that if I was a CEO, I would want to protect to be competitive.”
Fisher, who was featured in a Memphis, TN, Commercial Appeal article for his research on corporate espionage, applauded the Baldrige Program and its parent agency, the National Institute of Standards and Technology (NIST), for their work on cybersecurity. Two years ago (in 2014), NIST published the Framework for Improving Critical Infrastructure Cybersecurity, and the Baldrige Program is now developing a self-assessment tool, aligned with that NIST cybersecurity framework, for organizations to assess their cybersecurity risk management programs.
Said Fisher, “It’s a good time to look at aligning NIST’s standards in the intelligence area with the Baldrige Criteria. . . . I’m excited about Baldrige cybersecurity efforts in self-assessment.”
Organizations need to keep watch on who can access their information, said Fisher, as a lot of information available to the public can be used for espionage. For example, hackers can access phone lists, organizational charts, office and public policies, annual reports, and marketing campaigns, as well as the specific names and contact information for board members and the people who maintain financial data. Such public material is the raw material of reconnaissance: it tells an attacker whom to target and how to craft a convincing pretext, for instance a spoofed request from an executive to the staff who handle payments.
“A lot of this [information] opens the door for this kind of infiltration,” said Fisher. “These are things that make an assessment aligned with the Baldrige Criteria very important.”
Fisher noted that the security of vendors and customers should also be of concern to organizations, because a lot of information, including confidential information, is often shared with them. To combat this, he developed a Baldrige-based security assessment for vendors and customers that helps to align intelligence apparatuses and assists the third-party organizations in developing their own corporate intelligence plans.
“This keeps everybody aligned,” said Fisher. “Aligning your cybersecurity with intelligence among your vendor network . . . and some of your key customers is critically important.”
Has your organization considered the Baldrige Criteria to assess risk and the threat of corporate espionage?