5 lessons businesses can learn from WikiLeaks

December 13, 2010

— Jeremy Reis is the founder and president of That Network, an interactive publishing firm. This article originally appeared here. The views expressed are his own. —

WikiLeaks is in the news due to their release of U.S. government files, but for many years the site has been releasing both government and corporate secrets – and with a pending release of files from a large U.S. bank, it provides an opportunity to think about the lessons this teaches business managers.

A business generates a lot of internal documents, from inane emails to complex, secret business processes that provide a competitive advantage. Here are five lessons every manager should learn from the WikiLeaks affair.

1. There are no completely secure systems

Most companies have systems that hold data they consider business-sensitive and possibly even secret. These systems contain financial data, customer information, or documentation about internal business processes. Though you may consider these systems secure, as the leaks of top secret government data files have shown, there is no such thing as a truly secure system. You should make an effort to secure your systems and your data, but understand the risks involved with a data breach.

2. Weigh the risks of a data breach

Since there are no truly secure systems, what are the risks if your data is breached? What are the financial penalties that could be levied? What embarrassing information do you have on file? Should you have some electronic communication refresher courses for your employees to re-teach them what is and isn’t appropriate to communicate via email or instant messenger?

There are ways to mitigate the risks of a data breach and you should consider some of them. Insurance companies offer data breach insurance to help pay for business continuity in the case of a data breach. Discuss data security with your Information Technology staff. If you handle sensitive credit card data, make sure your company is PCI (Payment Card Industry) compliant.

3. Segment your data

One recent estimate said the embassy cables released to WikiLeaks were available to 3 million people with security clearances. Millions of files were available to the leaker, who simply had to download them onto a CD-R or a USB thumb drive. If you do have a lot of sensitive information, you should create segmented systems and only provide data on a “need to know” basis to your employees. No one employee should have access to everything unless the person needs it to do his job. Segmented systems also reduce your chances of total data loss if one system fails.

We’re not suggesting putting in place a bunch of new and complex IT security rules, but instead just limiting access to individuals who really need access to the data. Do not shut down your business by limiting what your employees can do, just make sure they have access only to the things they really need.

4. Understand the maturity of your staff

The government security files may have been leaked by a young private with more data access than his maturity warranted. Where he thought he was idealistically revealing potential crimes, more likely he was just releasing a lot of very embarrassing material. Understand that some of your staff are not mature enough to handle what you’re asking of them, and if you have staff handling your business finances who don’t know how to handle their own personal finances, you might want to rethink the control and power you give them.

5. There are right ways and wrong ways to handle an embarrassing data breach

Many of our government officials did not handle this data release very well and said some things which just embarrassed them. If you do have a data breach, consider your response before discussing it in public. We recommend bringing in a professional response team that has handled these types of situations. Most managers are not trained in dealing with the media and can quickly find themselves in an awkward position without proper preparation.

The WikiLeaks situation has taught us several lessons and business managers can learn a lot from this situation.


If you’re going to say something nasty about a third party to a colleague do it on the phone. Business plans should never be left on the computer after they’re finalized; put them on paper, lock them in the vault, and WIPE the hard drives (don’t just delete the files – the information will still be there, easily reclaimed). I’ve been in the computer industry since the 1960s and I haven’t found a computer yet that can’t be hacked. Above all, don’t put the financial data on a network if at all possible, and for the business’s sake, don’t ever connect it to the internet. If you must transmit such data remotely do it over a secure leased line, encrypted.

Posted by lexus

Perhaps the single most important lesson for managers is actually this: do the right thing. If you do the right thing consistently, then data and information breaches come with fewer consequences. Sure, there are trade secrets that, if released, can cause serious harm to a business, and managers need to take appropriate steps to keep these secure. The real danger to most businesses, however, isn’t the exposure of trade secrets but the exposure of deliberate malfeasance.

Do the right thing, and that danger disappears altogether. Simple. Not necessarily easy, but amazingly simple and completely effective.

Posted by JackMack

Speaking of phones, text messaging business information, leaks or even gossip can be a bad thing. Anyone can have phone records seized with a warrant and read anything defamatory that could have been said in text messages. Of course, you could get wiretapped or if you’re really paranoid there’s the issue of hacking a cell phone via bluetooth, but those are probably less of an issue than getting your texts seized or intercepted.

Posted by duodave

The truth is that no information, no matter what media it is on, is 100% secure. By now, everyone should know that. You can do what you can to make it more secure than it was, but you will never get to 100%.

So be ready when it gets out. That’s all you can really do.

Posted by Outsider

“What are the financial penalties that could be levied?” Hey you know what, call me an idealist, but how about instead of asking that question DON’T BREAK THE LAW IN THE FIRST PLACE! Then you won’t have to worry about any penalties being levied. Seriously this whole article reads like an enabler telling heroin addicts where to get their fix when it should be telling them to stop doing heroin. I’m with JackMack on this one, I understand that trade secrets are an issue and that intellectual property should be protected for the sake of a business, but a good deal of PR issues would be preemptively mitigated if you’re just honest and have nothing to hide. This article reminds me of the South Park episode where the characters’ families left the Catholic Church in the wake of the priest abuse scandals and so the Vatican had a meeting to discuss not how to put a stop to the abuse, but how to put a stop to the victims coming forward with their stories.

Posted by Marlowe3488


I second the responder who said to just do the right thing. Doing the wrong thing – defined as manipulations that deprive others of their innate power of self-determination – will *inevitably* create resentment and create and empower enemies who will turn the tables by exposing your manipulations.

As a result, I strongly disagree with many of the points in this article. Sure, secure your intellectual property and sensitive personal data both with active and passive measures, as well as insurance. But ultimately, with WikiLeaks, none of THAT was released. Instead it was all about real or perceived malfeasance.

So the article’s advice on actively planning to contain damaging information is inane. Why not simply avoid the behaviors that create it in the first place? It doesn’t take a lot of “maturity” in your staff for them to realize you’re manipulating and resent it. In fact, what we’re seeing with WikiLeaks is a new definition of “maturity” in which manipulations are not acceptable.

Posted by rseer


6. All of our governments are a bunch of liars!

Posted by minipaws