Given that knowledge is the lifeblood of most modern businesses, most of us have a rather lackadaisical attitude towards it. Few would disagree that successful organisations are generally so because of the knowledge they have. Knowledge is, after all, for many businesses - accountancy firms prominent among them - the only thing they have to sell. But when it comes to suggesting ways of nurturing and protecting this knowledge - which exists mostly in the minds of an organisation's staff and on its computer systems - people's eyes glaze over.
Knowledge management, for example, tends to get dismissed as one of those warm but woolly management concepts that grew out of the touchy-feely early 1990s. This despite the indisputable business logic that the most successful businesses will be those where staff effectively share their knowledge and experiences, rather than keep it all to themselves.
Many people are just as complacent about protecting their employer's knowledge as they are about sharing their own with colleagues. In a recent survey carried out by organisers of the Infosecurity Europe 2002 show at London's Victoria Station, a staggering two out of three people told the interviewers, complete strangers, what their computer password was. Further evidence of people's lack of security consciousness - not to mention imagination - is that the most common password among the 150 office workers interviewed was 'password'.
Yet recent statistics from the Department of Trade and Industry indicate that 44% of UK businesses suffered some sort of malicious information security breach last year - and that the average cost of each serious incident was £30,000. Although it won't commit itself to a figure, the DTI says that it is reasonable to project that security incidents cost UK business several billion pounds during 2001.
One area that some businesses, particularly in sectors such as the pharmaceutical industry, do take more seriously, is intellectual property. Using patents, trademarks, copyright and other legal mechanisms, companies can protect their research, inventions, trademarks, brands, designs and breakthroughs. But experts in the field say that many businesses lack awareness of this area, and therefore run a double risk.
On one hand they risk a competitor stealing their ideas or designs, and on the other they risk accidentally infringing someone else's intellectual property. The latter could result in a court ordering them to cease production of a particular item, which if it forms a significant part of a company's output, could put it out of business.
Specialists in all these areas highlight the fact that much of their advice comes down to common sense and taking time out to think an organisation's priorities through. Expertise and technology-solutions can help matters. Legal advice, for example, should be sought when dealing with patents, trademarks and so on, and IT solutions can help facilitate the flow of knowledge round a large organisation. But the most important factor is awareness. An expensive IT solution, for example, will not improve knowledge flows around an international company if staff do not get a grip on why the system is there, what it intends to achieve and how they can benefit from it. Behaviour and awareness, not technology, are key.Behaviour and awareness
Nigel Oxbrow is an expert in knowledge management - the first of the areas outlined above - although it is a term he prefers to avoid. The chief executive of knowledge and information management specialist TFPL Associates, he says: 'Knowledge management is a bit of an unhelpful term. Knowledge is in people's heads, and you cannot manage what is in people's heads. It's more about managing an environment in which knowledge can be easily created, shared, organised and utilised for the benefit of clients. It involves the way people work, behaviours, access to information and the way people collaborate with each other.'
Despite his doubts over the use of terminology in the area, Oxbrow is clear about the dangers of not taking the issue seriously. 'Companies need to be able to compete effectively. Things are moving so much faster than they used to. If you are not sharing knowledge around you cannot respond as quickly as your competitors. You need to be able to sense what is going on in the market. It's about competitive advantage.' Those businesses that don't take it seriously, he warns, will in the end face extinction. Those that are taking their eye off knowledge issues as a reaction to the current downturn, he warns, are making a fatal mistake.
Management consultancies were among the earliest adopters of knowledge management as a conscious and managed process. But, according to Oxbrow, they made a mess of it because they focused on capturing knowledge and putting it on IT systems rather than changing the way people work. He agrees that technology can be an important enabler in providing flows of information, but says that many companies make a mistake by thinking that buying knowledge management software will provide the solution without changing their staff's behaviour.
Many companies, Oxbrow adds, suffer from old-style hierarchical structures where knowledge might flow up and down the organisation, but rarely flows across. He holds up Finnish mobile phone giant Nokia as an example of a good knowledge-focused organisation. 'It has a flat structure. People have knowledge-focused responsibilities and the company reflects a knowledge-focused culture.' Nokia's relative financial health compared with many of its rivals in the beleaguered telecoms sector could be a reflection of this.
The Inland Revenue, he adds, is another good example of an organisation that is tackling the issue. One of the key challenges it faces is giving consistent tax advice from its numerous different offices. Now it has started getting experts in particular areas to work more closely together, and is improving its databases.Recipe for success
There is no one right answer to how an organisation should tackle knowledge management issues. However, according to most specialists, there are certain basic ingredients. One is to get an organisation's leaders committed to the idea and the concept - no knowledge management initiative is going to get anywhere if it is not supported and understood by the boardroom. Thought has to be given to what needs to happen. Do people need to be encouraged to talk to each other more, or should more emphasis be put on developing some sort of searchable database system as a way of facilitating sharing?
Staff also need to be encouraged to share their knowledge and expertise, which means there has to be some sort of reward or recognition for it. If this doesn't happen, people will simply say that they don't have time and continue to hoard what they know rather than sharing the benefits. An expensive company intranet, for example, will be an expensive waste of time if people are not given an incentive to use it. Businesses that fail to encourage people to share their knowledge can face major problems when key personnel, holders of all the important expertise, knowhow and experience, hand in their notice.
As with most projects, it is important to give someone the responsibility for managing it and driving it forward - larger organisations sometimes employ staff dedicated to the area, known, for example, as chief knowledge officers. IT solutions can help, but there are many less expensive ways of improving knowledge flows in an organisation. Where people sit in relation to each other, for example, can have a big impact on what expertise and experience gets shared around. And an informal meeting where someone talks their colleagues through a particular deal or business episode, warts and all, will allow staff to learn the lessons of experience much more effectively than a memo sent round by email, which will probably be ignored or at best skim-read and quickly forgotten. The proponents of this particular practice have given it the name 'story-telling'.
All knowledge management experts agree that in strict financial terms it is hard to quantify the return on the financial investment in knowledge management. The measurement of intellectual capital - in all its forms - is something that exercised the mind of the accountancy profession for years, and as the 'knowledge economy' has grown, interest in the issue has spread to government and investors. The European Commission, for example, has recently funded a major research project that brings together European business schools to examine measurement practices in the intangible economy.Security breach
There are no easy answers on the measurement issue, but the value of knowledge and information is highlighted by the consequences of it being lost, damaged or stolen. Hackers and computer viruses present an increasing danger to an economy that is becoming ever more dependent on technology. The DTI's Information Security Breaches Survey 2002 found that 76% of UK businesses believe they have sensitive or critical information on their IT systems.
Hackers can cause problems. Last year, for example, hackers obtained data such as mobile phone numbers and credit card details for people such as Microsoft guru Bill Gates and Palestinian leader Yasser Arafat, from organisers of the World Economic Forum in Davos, Switzerland. But computer viruses are a more common problem, accounting for one third of the most serious breaches in the survey. Four out of 10 UK businesses suffered from virus infections at some time in 2001.
Chris Potter, a partner at Pricewaterhouse-Coopers, which helped manage the survey, says: 'Businesses continue to assume it will never happen to them. However, with the rise in viruses it is now a question of when, not if, they will affect you. Although the use of anti-virus software has increased, one in six businesses still has nothing in place. This is particularly concerning when one thinks back to the crippling impact that Code Red and Nimda had on businesses in recent months, forcing the shutdown of external connections to the internet and costing millions of pounds of downtime.' Potter says that anti-virus software is not enough. Businesses need to keep their firewalls and intrusion detection systems up to date as well.
Another big danger for businesses, however, lurks in every corner of every floor of their buildings - their staff. The DTI's 2002 survey shows that 48% of large companies blame their worst security incident in 2001 on employees, whereas the previous year 75% of them named hackers and criminals as the biggest threat to their security. David Blackman, marketing director for Europe of information security specialist PentaSafe, agrees that staff are the most potentially damaging threat to a business. 'Internal threats are more costly because disgruntled employees have access to a company's biggest assets - its databases, personnel details, patents and so on,' he says.
He also points out that staff cause damage accidentally - either when working in a company'ssystems or through a lax attitude to security. He tells a story of an unnamed US finance director who left his briefcase in his car. It contained his laptop on which was stored the polished company results presentation he was about to give Wall Street. It also contained some rather less polished details about the company. The information was leaked to the press, the FD had to give his results presentation without the aid of his preparation, and the company's share price took a dive.
Blackman took part in the survey at Victoria Station where two in three office workers readily handed over their work password. He says that this illustrates how easy it is to 'socially engineer' yourself into a company. 'I could have got a security card, walked in and set myself up on the company's computer systems,' he says. 'You don't have to be a hacker.' He argues that in many larger workplaces, a stranger sitting at a computer terminal would be unlikely to be challenged. People would just assume he or she was from the IT department and was making some alterations to the computer. Indeed, if asked, many would volunteer their password and allow the intruder to sit at their screen for a few minutes.
The key to avoiding this sort of danger is a strong security policy where the most important assets of a business are identified and protected. Blackman emphasises that doing this once is not enough. 'Security is a journey not a destination. It needs to be continually looked at and revised.'Protect yourself
The area of information management that many businesses take more seriously is the protection of their intellectual property. They need to protect both their products and their brands from rivals. This is done through rights such as trademarks, patents, registered designs and copyrights. For a product such as, for example, the Dyson vacuum cleaner, all four rights are used. The name is a registered trademark, the bagless design is patented, the design of the vacuum cleaner's appearance is registered and the instruction manual is copyrighted.
Organisations also go to great lengths to protect their brand names. Arsenal Football Club, for example, has taken a trader of unauthorised Arsenal merchandise to court claiming trademark infringement - the case is now before the European Court of Justice. Asked what advice he would give a business that has not thought about its intellectual property rights, Max Cole, an intellectual property specialist at law firm Freshfields Bruckhaus Deringer, says: 'I would get them to think about what their product is, and what about their product and business might be protectable.'
He also warns that businesses should be wary of infringing the intellectual property of others - which could land you in court where you could be told to cease production. As with knowledge management and information security, the moral of the story is that the pursuit of knowledge is all very well, but it's not enough. The successful business needs to know how to nurture and protect it.
The DTI says that 44% of UK businesses suffered at least one malicious information security breach in 2001, nearly twice as many as in 2000. It says the most important advice is not to wait for a serious incident to occur before you take action to protect your business. It also provides 10 top action points for organisations:
1. Educate staff about security risks and their responsibilities.
2. Have a clear, up-to-date security policy.
3. Have someone knowledgeable in charge of security.
4. Evaluate return on investment on IT security expenditure.
5. Build security requirements into new systems.
6. Keep anti-virus software up-to-date.
7. Ensure compliance with data protection rules.
8. Have contingency plans for dealing with a serious information security breach.
9. Understand your insurance cover.
10. Carry out tests and security audits.
The DTI's survey also highlights regulatory-concerns. According to its figures, only 49% of companies have documented procedures to ensure they comply with the Data Protection Act, while 24% have procedures to ensure they are addressing their staff's rights under the Human Rights Act.
Source: DTI/PwC Information Security Breaches Survey 2002 (www.security-survey.gov.uk)