Security sticks at 3M.


3M EARNED ABOUT $12 billion last year from making products that stick - Post-it brand notes, Scotch brand Magic tape, and a host of other adhesive and coated products. Its success is due to its adherence to a policy that encourages a free flow of ideas among its employees - from its scientists to its marketing personnel.

How can company personnel share proprietary information so freely without jeopardizing it as well? Easy. 3M's corporate security services department is the glue that keeps the need-to-know info inside corporate boundaries. This information includes customer lists, research and development information, marketing plans, product standards, financial data, and other sensitive materials.

Steve Howell, manager of corporate security services for 3M, explains that the key to a successful security program in this Fortune 100 corporation, which is headquartered in St. Paul, MN, is "buy-in." This is the process in which employees are included in and encouraged to contribute to the company's security objectives: protecting corporate assets, both tangible and intangible.

"You've got to get buy-in," explains Howell. "And in order to get buy-in, you have to be accessible. Our security staff does this by integrating into the company as any other staff organization, another resource employees can consult. We consider the employees of 3M as our clients; we're here to serve them."

Providing a consultative resource is just one part of a three-part service the security department offers 3M employees. As consultants, security personnel provide timely answers to security issues facing the corporation and ensure those answers are consistent throughout its operating facilities, which span 52 nations.

Prevention and investigation play the two other key roles in 3M's security services program. As with any company, 3M would rather prevent a problem from occurring in the first place than react to it later. The investigative arm is ready and waiting in case an incident arises that circumvents established defenses.

These three actions look impressive on paper as policy. But can they protect corporate information without stifling the flow of ideas - innovative and creative ideas that are the foundation of the corporation's success? At 3M the answer is a definitive yes. Here the flow of ideas is constant because the security department has established a program in which its clients - the more than 87,500 employees of 3M worldwide - handle corporate information safely each day.

Information security is a combination of five elements at 3M: personal awareness, information management, document controls, computer controls, and physical security. All five elements play a crucial role in keeping information inside the corporation yet accessible to those who need it. They assist 3M employees in developing good, consistent practices that reduce the risk of information loss.

Personal awareness. Making employees aware that they are dealing with sensitive information is one of the most challenging objectives of any corporation, let alone a transnational corporation like 3M. Just ask Larry Pavlicek, one of 3M's 10 security specialists.

Pavlicek and the other specialists have several ways of getting the word out worldwide. Using briefings, brochures, and video presentations, they direct the information security program at the divisional and staff group level, with each having a designated coordinator to oversee implementation. The specialists conduct field reviews at the various facilities in their region to check on employee adherence to the guidelines.

To address particular problems, the security services department launched a quarterly newsletter, the Information Protection Bulletin, in 1988. "We wanted to reinforce the message to the troops," explains Pavlicek. "War stories are the most effective way to sell security. Statistics just don't cut it. You can give statistics till you're blue in the face. They won't convince anyone."

The newsletter provides vital information in a clear, concise, and compact one-page format, short enough for employees to scan even if they're in a crunch. The information is geared to 3Mers at all levels of the organization.

Each issue contains how-to's on handling sensitive documents and maintaining computer and communications security, among others. Several issues have provided much-needed advice on handling the burgeoning problem of securely transmitting proprietary information over fax machines and cellular telephones. This is information that employees on the front lines need to know to meet corporate security objectives.

For example, avoiding possible fax espionage was the focus of a recent bulletin. It indicated that the most probable form of fax information loss concerns misdirected messages or access to messages left on machines. The bulletin recommended that 3Mers call their party ahead to make sure the appropriate person is available to retrieve the message, verify the number used, and use care when dialing to prevent misdirection.

Cellular phone security was addressed in yet another bulletin. It noted that such a phrase is actually a contradiction since cellular phone transmissions are broadcast over the same band used by CB, shortwave, police, fire, and other radios. Thus, maintaining security is virtually impossible. The bulletin advised readers to avoid discussing anything on such devices that they would not want overheard.

In 1988, the bulletin addressed the problem of numerous pretext phone calls the company was then receiving. These callers posed as purchasing directors, attorneys, government officials, and potential business partners to find out about 3M's research and development and new products and marketing strategies.

The security department checked on the numbers and discovered that the names used were fictitious and the organizations nonexistent. To prevent 3Mers from innocently supplying information to these individuals, the bulletin published characteristics that would tip off employees that they were receiving a bogus phone inquiry. These included callers who

* were reluctant to identify themselves or their companies,

* hesitated to provide their address or phone number,

* were vague or spoke in generalities and waited for the other party to fill in the blanks,

* appeared to be ignorant of the subject they wanted information on, and

* were unable to give a plausible reason for wanting the information.

Who would have thought Norman Rockwell would be part of 3M's security program? Well, he is - indirectly. 3M has been given permission to use some of Rockwell's well-known paintings as security awareness posters to help instill in employees the idea that safeguarding corporate information is a priority.

For example, picture the famous painting of a little boy in his pajamas. With a look of astonishment on his face, he stands before his parents' opened dresser drawer with a Santa Claus suit half pulled out. Beneath the picture, a caption reads, "Once a secret is out, it can't be recaptured."

Or how about another famous Rockwell painting, this one of a little boy perched at his older sister's dressing table while he reads her diary. Beneath this picture is the observation, "What isn't handled securely becomes fair game."

Another Rockwell painting conveys 3M's caution about discussing corporate information in public places. Picture the famous soda fountain scene with the fountain jerk and his girl staring adoringly into each other's eyes over the counter as her friends watch from the side. The caption reads, "If you 'talk shop' after hours, be sure that others aren't in on the conversation."

These awareness materials have proven extremely effective in facilities in the United States and the United Kingdom, whose cultures are similar. But in the Far East and even some Western European countries, making employees more aware of the importance of maintaining information security is proving to be more of a challenge because of the differences in culture and language as well as business philosophy.

"The Japanese, for example," notes Pavlicek, "don't necessarily consider information as property. And in France, there is no specific word for 'restricted' or 'security'. The closest French word we can come to is their word for 'safe'." In 3M facilities in these countries, Rockwell posters garner little recognition or success in teaching the importance of safeguarding proprietary information.

Pavlicek is meeting this challenge head on by trying to develop buy-in among employees at foreign facilities: "We are working on their self-interest. We are trying to demonstrate 3M is their corporation. If it does well, they do well."

In Western Europe alone 3M has more than 21,000 employees, 19 companies, 19 primary laboratories, and 23 manufacturing locations. European factories produce approximately 80 percent of the products 3M sells in Europe. 3M also has companies in 13 countries in the Asia Pacific area. 3M has a lot riding on proprietary information. No wonder different mindsets, cultural quirks, and forms of communication are important concerns of 3M today.

Effective communication, Pavlicek believes, is the greatest challenge transnational corporations will face in the future, especially with the advent of an economically unified European Community in 1992. "We have to really assess what methods we have to work with," Pavlicek notes.

Information management. To handle sensitive information sensibly, employees must know what is sensitive and what is not. Deciding these issues is up to management. The duty of the security department is to provide management with criteria on which to make an assessment of what is sensitive. For example, does the information affect business results? Will the information give away 3M's competitive edge? Is the information embarrassing to the company?

3M is clear on its policy concerning what is and is not sensitive information. According to the Information Protection Bulletin, information can flow freely within the company whenever there is a legitimate business need to know it. To disclose information outside the company, the employee must have the approval of the appropriate manager or proprietor responsible for the information. In short, information can be disclosed only to those with an obligation to protect it.

Once management has assessed what information is considered sensitive, the security department goes to work briefing employees on ways to handle this information safely, whether it's issuing password controls or cautioning employees to take care not to talk shop in public places.

Document control. "If it's sensitive, label it. If it's labeled, don't copy it. And dispose of it when you're done." So says Pavlicek concerning document controls.

Again, what information is to be labeled is a management decision. And management does not expect labeling to be the end-all of information protection. Labeling promotes security by informing and instructing the information's handlers. Thus, by labeling a document, the Information Protection Bulletin explains, 3M is showing its intent to protect it and proving that the company's management considers the information privileged or a trade secret.

Document security is also enforced in 3M's reproduction services departments. Individuals submitting work to be copied have to conform to procedures and guidelines to ensure document sensitivity is not compromised in the course of action.

Labeling instructs individuals how to handle enclosed materials, whether the materials are, for example, for limited dissemination, secure storage, or disposal. Secure waste disposal is a big issue for a corporation as large as 3M. 3M's main objective is to render restricted documents unreadable or unusable after they have served their purpose in the organization. To do this, 3M instructs its facilities to recycle, incinerate, or shred materials after they have been placed in secure waste containers.

No one method is best for all situations, so the security department wants managers to understand the pros and cons of each before contracting with a disposal firm. To help them choose the best method, the department furnishes a detailed brief on secure waste disposal.

For example, while recycling waste produces income from the recycled paper, it also requires increased handling time. The recycling company must separate film, metal, and other foreign matter from the paper waste - a factor that increases the materials' vulnerability to exposure to unauthorized eyes.

Incineration is another cost-effective method for disposing of waste, but sensitive documents, again, may have to sit for days before they are destroyed. Shredding is another popular method of waste disposal, but the security department cautions managers to take note of shredders' limited capacity.

Computer controls. 3M's headquarters site sprawls over more than 400 acres on the outskirts of St. Paul. That site is the company's campus for research and development for an array of coated products, including abrasives, imaging systems, and photographic products. As research and development is a significant part of 3M's business, its employees interact to a great extent with academics to be in the forefront of new product development.

Being tied in with college and university computer systems, as the world has seen, can be dangerous - and 3M is not immune to this danger. "We've been hit with viruses, too," admits Pavlicek. "It has cost us time and money, but it hasn't knocked us off our feet. It usually occurs with a diskette that has an academic origin."

3M has procedures for cutting off a virus or a hacker from accessing its data bases. The corporation keeps varying levels of physical security controls on all its buildings, depending on the environment. For example, areas housing the research and development of new products are under stricter employee access than others.

On an individual employee level, 3M monitors employee accounts, enforces password controls, has software and hardware locks, ensures keys are securely stored, and sets procedures to download data onto floppies to keep information from residing on hard disks, where someone might be able to access it.

The Information Protection Bulletin frequently cautions employees about connecting to electronic bulletin boards and downloading software onto corporate systems. It also provides readers with symptoms to watch out for to prevent a computer virus from infecting the entire system.

To drive home how crucial it is to follow company policy in computer security procedures, the data storage products division of 3M released a video last year illustrating the importance of backing up data on PCs and distributed computing systems. In the video several companies were asked to estimate how much time and money it would cost them to reconstruct 20 megabytes of certain kinds of information. The estimates varied, ranging from 19 days and $17,000 for sales and marketing companies to 42 days and $98,000 for engineering and research and development companies.

Physical security. "There's no magic to physical security," explains Pavlicek. "The emphasis has to be placed on how physical security contributes to information security, and that means controlling random access to the company's facilities."

The key, according to Pavlicek, is to use standard security controls to limit unauthorized access. These controls, among others, include the guard force, card access, and CCTV. They may also simply involve enforcing standard security procedures such as locking up desks and PCs, logging in and escorting visitors, or controlling the use of photography.

These controls are used individually or in conjunction with others, depending on the criticality of a facility. For example, some remote facilities may be totally automated as far as physical security controls are concerned. In other sites, as in some facilities where administrative duties are carried out, a guard force contingent and card access may be used. "The intensity of the physical security controls is a product of how critical a facility is and how likely an incident is to occur there," Pavlicek continues.

Physical security, again, is just one element in 3M's plan to protect its proprietary information. Pavlicek speculates that the future will see increased security on individuals accessing data in the corporation. In the meantime, Howell, Pavlicek, and the rest of the corporate security staff are keeping their eyes and ears open to 3Mers around the world as the department constantly reevaluates its programs to meet corporate needs.

About the Author ... Joan H. Murphy is associate editor of Security Management.

COPYRIGHT 1990 American Society for Industrial Security

Author: Murphy, Joan H.
Publication: Security Management
Date: Oct 1, 1990