Keep Your Business Information Quiet: Loose Lips Sink Companies

We have this idea that computer hackers are ingeniously bright people. We hear stories, true or otherwise, as to how they seem to finagle valuable information from us, using the most sophisticated social engineering techniques. In reality, they often use such tricky questions as, “I’m calling from the IT Department. We’re doing some system checks on your T-3 line. I’ll need to reprogram your current password with a new one. You’re using the one that’s all letters, right?”

And so we dutifully comply with what seems to be a reasonable and logical request from some resident authority figure who surely has our best interests in mind. Often within minutes, we will reveal confidential company or personal information, over the phone, or through an email reply to a complete stranger who talks or writes a good line.

Reading all this and reflecting on your own sense of eternal security vigilance, you’ll swear that you’d never give out a byte of confidential or important data, over the phone, across cyberspace, or even face-to-face. Your motto is: “Hang me up by my thumbs for a week and I still wouldn’t even tell you my first name.”

And all this may be true when you believe the information requester may be a wolf in sheep’s leggings, but how about when the asker-to-be is from your local or national news media? Are you still tight-lipped and careful, or do you get caught up in the glow of the First Amendment’s pad and pen, the video camera, or the microphone? It’s hard for even savvy security professionals not to spill some beans when faced with the often flattering request for information and a chance to demonstrate subject matter expertise.

But just as loose lips sink ships, the desire to provide information to the media must be measured by the impact, or more accurately, the harms a few words or figures can betray.

Several years ago, the Business section of the Orange County (Calif.) Register, featured a two-page photo spread on the history of the Southland Corporation’s reason for being: the 7-11 store. Along with a history of the Big Gulp business, the piece featured an interview with Anaheim 7-11 franchisee Herb Domeño, owner of nine stores, including the site at Katella and Harbor. For those not familiar with southern California real estate, this prime property is directly adjacent to an Enchanted Kingdom knows as Disneyland.

Back then, Mr. Domeño’s stone’s throw-to-Disneyland convenience store boasted the highest sales volume in the country – an average of $3 million per year, clearly above the national sales-per-store average of about $1.3 million per year.

Taking out our trusty calculators, we could have determined that, give or take some up or down days in the boom-boom 1990’s, Mr. Domeño’s enterprise took in about $8,000 per day.

And how did we discern this figure? It’s easy to uncover, especially when the $3 million sales amount is featured boldly in the photo caption of Mr. Domeño in his cash-cow store. (By the way, the new national sales record for one 7-11 convenience store belongs to the folks running the show in Southampton, NY.

So what has the Orange County Register just told every enterprising convenience store robber who can read? This place is full of cash and even if they aren’t cleaning up like they did before Disneyland closed a nearby parking lot to make room for its California Adventure addition, Mr. Stickup Artist has to believe it’s worth a shot.

Even if the daily revenue figure is adjusted for slow days and customers who pay with debit or credit cards, it’s still a substantial amount of cash that is either on the premises or being moved, via some safe means we hope, to the bank.

In times of organizational crisis, it’s wise to have a designated member of the executive team speak to the print or TV media. This person will have the training, experience, and savvy to say the right things, at the right times. News gatherers, on the other hand, won’t always seek out your Director of Corporate Communications (or similarly-titled representative). If they want the juicy details, any gossip, or the “inside story,” they might go to any executive or manager they can find, or worse, to an employee, who gives an opinion as if it was a fact.

In a perfect world, the security professional would also be part of the discussion and review of any press release, placed article, or editorial coming from the organization that has any security-related content. “Facts and figures” statements tossed out like: “Our security system is so sophisticated it only takes one guard per eight-hour shift to operate it,” or “Our jewelry store revenues have never been higher” might be great PR, but they can turn your business into a new target, by people or groups who never considered it as one before.

If you’re tasked with speaking to a media member about any aspect of your business operations or performance, choose your words carefully. Use the technique every politician is trained in from birth: bridging. Bridging simply requires you to “bridge over” to the question you want to answer versus the question you’re asked.

This approach works best when you’re asked the question you don’t really want to answer, i.e. Reporter: “Isn’t it true that your firm’s movement to stricter access control has created a `prison camp environment’ for your employees and customers?” Security Professional: “As you know, our approach has always been to put the safety and security needs of our people and our customers first. As such, we believe in creating the best working environment possible…”

Get the idea? You don’t answer a direct, confrontive question with a direct, assertive answer on point. You vary the response to make sure you cover your points, not theirs.
When in doubt, choose to be bland, especially with any information that hints of having a financial, proprietary, or trade-secret connection. “We’ve got a good handle on our inventory” sounds so much better than, “We’ve got a ton of expensive stuff laying around our warehouse.”

The old adage all publicity is good publicity has its exceptions. Better for people to read about your firm and have to make assumptions about your security, than to know too much detail.