The business reality we live in requires organizations and companies to continuously deal with the threat of commercial secrets or other sensitive information being leaked to unauthorized parties. The "enemy" could be a competing company, investigation offices, a disgruntled employee, and more. To ensure basic handling of the threat of information leakage or its access by unauthorized individuals, it is important to adhere to several fundamental rules:

Proper screening of job candidates 

When posting a job advertisement, it is recommended not to mention the company's name or include its logo in order to avoid creating an opportunity for competing companies to implant a mole within the organization. During the job interview, it is important to review the candidate’s previous employment, including employment periods in chronological order, and inquire about the reason for the termination of their previous employment. It is also essential to consider the candidate’s family members and their places of employment to ensure there are no conflicts of interest (such as working for competing companies, etc.). It is crucial that every job candidate be interviewed by a representative from the security department. Additionally, for positions requiring a high level of trust and personal integrity, such as roles involving financial matters, goods, production processes, and access to sensitive information, it is recommended to conduct a pre-employment polygraph examination.

Guest and visitor management 

A structured procedure must be established in which every guest/visitor is registered and allowed entry to the company’s offices or premises only after confirmation with the person who invited them or the person they are visiting, ensuring they are authorized to enter the business premises. A proper registration system for guests and visitors should be established, with a visitor badge provided and identification left at the entrance. It is essential to ensure that guests and visitors are escorted and monitored throughout their stay within the organization or company, and not allowed to roam unsupervised or access areas they are not authorized to enter. Sensitive areas must be secured, preferably isolated with a door and access control system.

Shredding of paper waste 

Trash bins serve as an accessible source of business information for any information broker, competitor, or private investigator, and any beginner investigator knows how to approach and rummage through them. The handling of paper waste within the organization should be examined, and a procedure for shredding all paper waste should be established. This can be done through local shredding within offices or departments using shredders, or by contracting an external company to perform the paper shredding.

There are different levels of engagement in this matter, and of course, the costs vary accordingly. In some places, it is decided to settle for the collection of paper bags for shredding — the bags are collected by a shredder company's vehicle and shredded at their site. In other locations, the preferred and more expensive solution — which is recommended for better security — involves shredding using a mobile shredder vehicle, which arrives by prior arrangement and performs the shredding at the client's site under the supervision of a representative from the security department.

Supervision of cleaning staff 

Just as every job candidate is required to undergo an interview with a representative from the security department, it is equally important that cleaning staff undergo similar interviews. It is recommended to ensure the formation of a permanent team approved by a representative from the security department and not to allow the placement of a replacement or new employee who has not undergone a security interview. For cleaning staff, it is also advisable to consider conducting periodic polygraph tests to minimize the possibility of information or documents being removed from the organization. When it comes to sensitive offices such as management, marketing, or finance, it is recommended to have contractor work performed while employees are in the rooms and not during non-working hours.

Information Security Procedures 

It is recommended to establish procedures and guidelines for information/computer security. This includes the development of policies regarding social media networks and access to them from company computers, the development of policies regarding access to the internet and personal email accounts from the organization’s computers, disabling USB ports and prohibiting the connection of portable devices to company computers, ensuring the existence of personal user passwords and their periodic changes — and of course, prohibiting the writing of passwords on sticky notes attached to the computer screen. Employee training should include prohibiting the opening of emails from unknown sources, prohibiting the sending of chain letters/requests for medical help or donations, and training employees on the prohibition of installing personal software on the organization’s computers.

Handling of employees finishing their roles

A disgruntled employee or a manager leaving to work for a competing company can cause significant damage to the organization. This issue must be addressed, and a formal exit interview should be conducted during which the employee is reminded of their confidentiality obligations to the organization and the non-disclosure agreement they have signed. Simultaneously, access to sensitive or critical organizational information should be restricted from the moment it is known that the employee is about to leave their position. This includes revoking access to data repositories, restricting physical access to classified areas, and removing access rights in the entry control systems. Additionally, the employee’s ability to connect from their company computer to the internet and private email accounts (even if they had such access previously) should be restricted, and if applicable, remote access to the company’s computer/server should be disabled. Upon their departure, it must be ensured that all company property in the employee’s possession is returned, including keys, ID cards, laptops, smartphones, portable devices, etc.