The Future of Work: Protecting Trade Secrets
Written by: Dell Spry
Many businesses, both large and small, are desperately seeking ways to keep their companies operational with all of the closures and uncertainties associated with the COVID-19 virus crashing in on them. Hopefully, most have an established continuity of business plan to guide them through this difficult time. To limit employee exposure to the virus, some companies, along with the government, have implemented staggered shifts for those who are deemed “essential work,” employees. Many companies, and the government, are allowing employees to work from home. However, this is exposed many companies to trade secret theft both due to hacking and insider theft.
The good news is, studies show employees who work remotely from home are, in the short term, more effective, more efficient, and more productive. Please note, however, that an employer still has legal obligations and responsibilities owed to employees who are working remotely.
Working remotely can definitely be a win-win. The employee can save on gas or commuting expenses while having the flexibility to work from home while the employer saves money on supplies, office space, electricity, etc. However, the business continuity or work from home plan does not come without its own concerns ranging from overtime regulations to safe working environments.
Jonathan Segal is a partner in the Employment Group of Duane Morris LLP, who has worked on crisis management and public health crises for over 20 years. In the second of a series of articles titled On the Impacts of the coronavirus on Employment and the Workplace, Segal identified five areas of best practices and employment law compliance:
Best Practice #1: Payment of employees who work remotely
In employment law, a main distinction is made in payment obligations between exempt and nonexempt workers (excluding workers covered by a labor contract or employment agreement). The same distinction applies to remote workers. Exempt employees must be paid in full for any week in which they perform any work remotely. Nonexempt employees are entitled to pay only for time worked remotely, whether a full or a partial day. Segal notes that there are exceptions (some nonexempt foreign nationals, nonexempt workers working under a fluctuating work week plan), but in the main, the payment rule applies.
Segal advises that employers in establishing a remote work plan set out guidance to nonexempt workers in setting a schedule and tracking hours. On the one side, setting a schedule helps employers to avoid overtime claims that might arise from unstructured remote work. On the other side, it assures nonexempt workers are not expected to be on call at all times.
Tracking hours can be done through several means, including log-in and log-out processes. Can someone log in and then go to the park for 4 hours? Yes, Segal notes. But tracking of hours, like so much of the employment relation, rests on trust. “I’ve had employers who try to avoid misuse of remote time by suggesting that they are suspicious of employees working remotely.” Segal explains, “That’s exactly the wrong way to set up a remote work plan.” The better option, according to Segal, is for the employer to communicate the importance of tracking time, and to reaffirm their trust in the employee.
Best Practice #2: A safe and secure work environment
Employers have obligations under federal and state safety laws to provide a safe and secure work environment for employees. This extends to remote work. The remote workspace is treated as an extension to the regular workspace for safety requirements.
Segal notes that it is neither workable nor desirable for employers to go to the homes of their employees and inspect them. Instead, include a work from home policy in your crisis management plan. This will keep employees aware of any safety requirements, what they should do to address any safety concerns, and define the process for filing a claim should any injuries occur during work hours.
Best Practice #3: Control for costs
Employers also will want to avoid unexpected claims down the line from workers at home who purchase additional equipment (higher-grade printers, additional desk) to work at home at the employer’s direction. Segal advises that employers should clarify at the start that any additional equipment or service charges (or any above a certain price) requires supervisor approval.
Best Practice #4: A “reasonable accommodation” policy
Like other employment laws, the employment provisions of the Americans with Disabilities Act (ADA), while bringing benefits to employers and employees, have been subject to misuse. Segal suggests something as simple as “during this pandemic, we will allow employees to work from home even where this would not be permitted in the ordinary course.” Segal refers to this as a “simple placeholder” in case of a future claim.
Best Practice #5: Maintain information security
Segal notes that remote work can give rise to information security breaches. He recommends several actions, the main one being “require that employees log in and out when they are not using their computer. If an employee leaves the computer on, a family member with no bad intent may see what they should not or they might send a message that causes a data breach with the consequent notification requirements.”
Underlying these guidelines are Segal’s ideas, developed over the past 20 years, on the central role of employer-employee trust. There are no fail-proof measures in the regular workplace to prevent misuse of time, and this is even more so with remote work. An employer needs to set structures addressing the issues above, but not in a tone or suspicion or anger. Segal emphasizes, “In a time of crisis, we need to focus on the vast majority of employees who do the right thing, and give ourselves the time and perspective to focus on big-picture business continuity planning.”
I assume most businesses want to trust all their employees. Unfortunately, as reality sometimes reminds us, not all employees are trustworthy under the best of circumstances. With the unemployment rate skyrocketing and jobs being uncertain, now is not the best of circumstances. The risk of compromised data could increase when an individual works from home. Remote workers will access proprietary information, confidential data, and perhaps trade secrets from their couch or kitchen table. It is imperative a company mitigate risk of a compromise of the material that is the backbone of the company.
Most, if not all, companies will have signed non-disclosure agreements in place and non-compete clauses. Remote workers should only work using a company issued computer that has been certified as being up to date with security features, including software that notifies the employer if confidential information is accessed or copied without authorization.
Insider threats/thefts often originate from a lack of awareness. Do you have a detailed database outlining which employees have access to which systems? Do you have a map of all restricted access programs? How is this information stored? Managing insider threat risks should be part of any holistic security plan, including IT security and physical security.
Although many people associate insider attacks with malicious users, cyber security experts believe accidental exposure is the biggest vulnerability. This is because hackers often infiltrate a system through a phishing attack. These attacks trick employees into sharing sensitive business information through emails that often include malware attachments or links to compromised websites. Using red-team exercises, or penetration testing can be an effective way to measure and mitigate the efficacy of these attacks.
Other causes for cyber security and data risks include:
- Unrestricted password sharing practices
- Unlocked devices
- Unsecure Wi-Fi networks
- Weak passwords
The longer a threat goes undetected, the more it costs to resolve the damage. Employees are usually unaware when they’ve opened a malicious email or visit a compromised website.
Although insider attacks may seem difficult to prevent, there are strategies your business can implement for added levels of protection.
5 Tips for Preventing Insider Threats
Tip 1: Educate employees
Provide employees with training and resources that overview the importance of cyber security and best practices. Establish a digital security policy early, and equip team leaders with the tools to ensure that policy is being followed.
Tip 2: Encrypt Data
At the beginning of the encryption process, the sender will determine what type of cipher will work best for the message and what variables to apply as a key to make the encoded message unique. The two most common types of cipher fall into two categories: symmetric and asymmetric.Symmetric ciphers, also called secret key encryption, use a single key or code. The key is sometimes called a shared secret because the sender or computing system doing the encryption must share the secret key with all entities authorized to see the message. Symmetric key encryption is generally much faster than asymmetric encryption. The most widely used symmetric key cipher is the Advanced Encryption Standard (AES), which was designed to guard government-categorized information. Asymmetric ciphers, also referred to as public key encryption, use different, but logically linked, keys. This kind of cryptography often uses many digits to create keys since it’s computationally hard to reverse-engineer the encryption. The Rivest-Shamir-Adleman (RSA) encryption set of rules is the most broadly used public key algorithm. With RSA, a public or the non-public key may encrypt a message; whichever key isn’t used for encryption becomes the decryption key. Today, many cryptographic tactics use a symmetric set of rules to encrypt records and an asymmetric algorithm to exchange the secret key.
The number one objective of encryption is protecting trade secrets of digital information saved on computer systems or transmitted via the internet or network. This video from Khan Academy explains how 256-bit encryption works in more detail:
Subscribe to our YouTube Channel
Besides security, the adoption of encryption is frequently driven by the need to satisfy compliance regulations. A large number of organizations and standards bodies suggest or require sensitive information to be encrypted to prevent unauthorized access or bad actors from gaining access to the system. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants to encrypt customers’ charge card data when stored or transmitted across public networks.
Tip 3: Implement proper password management practices
Enable two-factor-authentication and use complex passwords to add a second layer of security and reconfirm a user’s identity every time they log in. Change passwords every six months and make sure they contain upper and lower case letters, numbers and symbols. Even better, require the use of a password management system like LastPass, DashLane or Google Password Manager. This should be standard practice at this point, but many companies fail to follow through with implementing these types of policies, potentially exposing proprietary information and trade secrets to theft or compromise.
Tip 4: Install and maintain antivirus software
This is probably the simplest way to protect your business and trade secrets from an attack. Antivirus software can protect your system and continuously scan for viruses or malicious files. We strongly suggest using both front end protection and server-side protection.
Partner with a security vendor that offers managed network services. This service helps you control the performance and security of your business networks with 24/7 management, change control, monitoring and network operations support.
Tip 5: Keep all software and devices Updated
With outdated software, hackers can identify vulnerabilities and gain access to your system. Currently the media is full of the COVID-19 pandemic and how it will affect all of us. Aside from the medical aspect, we are facing the economic consequences which is, perhaps, even more unsettling. Now is the time for your company to remember they are, above all, a team; a team that has trained together, worked together, and sometimes played together.
Keep in mind
Now is the time to remember you are the team leader. Hold your company together, and protect them at all costs. Despite the hardships, every crisis is an opportunity for reinvention and improvement. Many business owners struggle to fully grasp the myriad risks they face. That’s why we’ve built a framework that teaches businesses how to anticipate and navigate risk before it becomes a crisis. Be sure to read Chesley Brown’s “The Business Continuity and Crisis Management Handbook” for our complete list of tips and strategies for preparing for and navigating a crisis effectively. And as always, if you have questions, our experts are here to help you.
For industry-leading guides and analysis sign up for our blog below.
Fighting Terrorism with Strong Private Sector Relationships From Chesley Brown International Risk Management “Threat mitigation is a team effort; it’s this relationship and collaboration which is critical to the counterterrorism fight.” We face the same…Read More
Are Your Employees an Unintentional Security Risk for Cyber Attacks? In these times when malware is prevalent and easily disguised as email attachments or seemingly innocent software updates, one of the questions that arises is:…Read More
Supreme Court Decision Personal Rights and the Expectation of Privacy in the Digital Age From Chesley Brown International Risk Management In Major Privacy Case, Court Rules Law Enforcement Must Obtain Warrant To Track Cellphone Data.…Read More