This past week an incident occurred at HP that was both embarrassing and very costly. Just prior to announcing its quarterly earnings on May 17, 2011, three memos were leaked from CEO Leo Apotheker that painted a very bleak picture for the company. The memos warned of upcoming cost-cutting measures for the company that pointed to a rough few quarters ahead. Apotheker told executives to “watch every penny and minimize all hiring” and said the firm’s current workforce plans were “unaffordable given the pressures on our business.”
The memos were leaked to news organizations that promptly reported the stories. As a result of the information, HP’s stock price dropped 5%. Given their market cap of around $80 billion, that’s a $4 billion oops. Apotheker told CNBC that he would find out how the memos made their way to the media. “It is very unfortunate that these things happen and we will try to get to the bottom of this,” Apotheker said. “But I have full confidence in the team that I am working with and we’ll continue to execute.”
We hear about confidential information leaking from companies all the time. A lot of the news tends to focus on hackers and cybercriminals who use viruses, malware and social engineering to gain access to valuable information. While no one should diminish this threat, more often the leaks come from inside the company. This could come from someone trying to make a financial gain in the stock market, a disgruntled employee or even worse, it might have been accidental.
So how could HP and others prevent these things from happening in the future? How do you protect the information in your documents? Use a persistent security policy that follows the document. It encrypts the document and you control who can access the information inside it. Most memos inside organizations are not confidential or mission critical. Unfortunately ones from the CEO in a public company that cover cost cutting and the business outlook are extremely confidential. These documents should be protected and their use limited.
In HP’s case, a persistent policy could have been applied to the memos stating that executives and others who needed to know could read them. If anyone else tried to read them, they would look like random characters. If HP wanted to send the information to media outlets or outside parties, they could permit that too. If an insider sent the memo to an unauthorized news organization, the memo would be useless to them. Anyone successfully accessing the document must be given specific rights to it.
Once HP realized the memos were gone, it could have revoked the document’s rights. This would have killed everyone’s access. That may be drastic, but in this case it may have been warranted. As a result of the leaked information, HP has had to back peddle and explain a lot. Stock analysts downgraded the stock, which of course sends further ripples through the market and customers. I’m sure HP was planning to discuss their expectations of a business slowdown in their earnings call, but I can guess they would have preferred to do it on their terms and lead the conversation. Now they have to respond rather than lead.
Whether you are a small company or a Fortune 500 one, protecting your confidential information is critical to maintaining your business. One leaked memo could cost you a lot of money. In the case of HP, a little prevention might have saved them a few billion dollars.
Photo credit breadrecon