To prevent the further spread of the coronavirus (COVID-19), many companies have sent large parts of their workforce home and drastically changed working practices.
Pressure is now mounting for businesses to improve their employees’ ability to work effectively from home, sometimes by deploying new technologies or changing existing policies, all at short notice.
Remote home working, apart from practical issues, presents significantly increased risks to companies’ trade secrets and confidential information.
To be protected by law, trade secrets must not only be kept secret but also be subject to reasonable steps to keep them secret.
To comply with the latter requirement – and to prove this in court proceedings – would be a challenge for companies under ordinary circumstances but is even more difficult in current times.
Below are some key points for businesses to consider.
Employees working remotely are using their own devices, new conferencing tools and their home wi-fi.
This raises the risk of companies falling victim to a cyber attack.
Cyber criminals see opportunity, while public prosecutors and cyber taskforces have only limited resources and work under constraints.
To mitigate the cyber risk, companies should consider:
- reviewing existing policies and assessing the need for updates – what works at the office may not be suitable in a home-working environment;
- reviewing responsibilities and roles regarding cybersecurity in light of changed working conditions and the potential need for increased resources;
- using industry-standard VPN or similarly secure access solutions where possible;
- prohibiting the use of public, unsecured wi-fi for work purposes;
- reminding employees of the importance of keeping corporate information away from personal devices and systems, except where this is fully compliant with the company’s policies and procedures;
- completely blocking remote access to particularly sensitive information (the 'crown jewels');
- ensuring remote lock-out and wipe capabilities are available to cope with lost company devices;
- monitoring system access to detect irregularities in real time;
- issuing specific guidance for employees on how to detect and react to COVID-19-related phishing and spam emails;
- prohibiting downloads of any unauthorised programmes or applications on company-provided hardware without consulting the IT department;
- issuing guidance on how to communicate with colleagues, customers, etc via secure channels; and
- checking the resilience of systems with penetration tests that take account of the current IT usage.
Bring your own device (BYOD)
Extensive home working is likely to be associated with an increased use of personal devices for work purposes, including information being stored on personal devices and sent to personal email addresses.
The likely lower security levels on personal devices mean an increased risk of leakage of confidential information.
To reduce the risk, companies should ensure that employees do not need to use their personal devices for work purposes by providing them with appropriate equipment wherever possible.
If employees using their own devices is unavoidable, the following measures should be implemented:
- set up and enforce BYOD policies and procedures;
- communicate and ensure full compliance with password-protection and encryption policies;
- impose an obligation that all necessary and recommended (security) updates are installed;
- prohibit the use of private email accounts for work purposes;
- enforce policies that documents stored on personal devices are deleted immediately after use;
- use software that identifies whether an employee has downloaded or copied confidential information to a personal device; and
- ensure BYOD devices can be blocked and wiped remotely in case they are lost or stolen, or in case of security incidents.
Employees are likely to take home hard-copy information from the workplace.
Having hard copies of information outside the secured corporate environment increases confidentiality-related risks.
These steps are advisable:
- limit hard copies being stored or printed outside the workplace;
- ensure that employees do not remove confidential information from the workplace or print it at home unless specifically authorised, with such authorisations only granted where absolutely necessary and not for particularly sensitive material;
- ensure employees do not dispose of hard-copy information in household waste, but keep it for safe disposal upon return to the workplace;
- ensure that employees immediately report any document losses;
- implement systems to keep track of any confidential information removed from the workplace; and
- implement ‘electronic print’ protections to prevent home printing of confidential information.
Many employees do not live on their own but share accommodation with others.
In most cases this will be family, but shared accommodation with other individuals is also possible.
This brings security risks to hard copies stored in the shared living space.
Employees may also face difficulties in conducting confidential telephone calls and video conferences.
To mitigate the risks resulting from shared home workplaces, companies should instruct their employees to:
- work in a separate, lockable room or, where that's not possible, set up a separate workplace;
- not allow others living with them access to equipment and documentation provided by the company;
- keep conversations and information strictly away from others in the household, even other family members;
- tidy up all documents after the end of the working day (‘clear desk policy’); and
- not work from public places, such as parks, but solely from home.
Employee exits are a significant risk in ordinary circumstances, including the chance that departing employees might take confidential information and documents with them to a future job.
This risk is further increased by the economic challenges resulting from COVID-19 shutdowns and by some companies’ need to dispose of parts of their workforce.
In addition to the safeguards already in place, companies should:
- establish a procedure for terminating the employment of remotely working employees who have access to confidential information;
- ensure that all confidential information is delivered back to the company and that remote-access rights are revoked without delay; and
- remotely lock and safely recover company-issued computers and mobile phones that contain confidential information.
With many employees working remotely, office buildings may be sparsely populated.
To avoid unauthorised access to sensitive information, documents containing confidential information should be securely locked away.
An element of ‘community security’ – employees’ common-sense day-to-day surveillance – may currently be reduced, so increasing on-site security may be advisable.
Any companies sharing confidential information with third parties (eg suppliers and customers) must go beyond ‘reasonable measures’ to keep sensitive information confidential; it is mandatory to ensure that contractual partners have suitable protection measures in place.
Companies must make sure that contractual partners adapt to the increased trade-secret-related risks. If this cannot be ensured, access to confidential information should be restricted during the crisis.
The COVID-19 crisis poses a range of challenges for society, individuals and companies.
Businesses that are under pressure to facilitate an efficient environment for their employees to work remotely from home should strive to continue protecting confidential information and critical know-how.
In fact, such protection should now be increased and adapted to the new circumstances to adequately address heightened security risks.
Once normality returns, failures during the crisis could have a negative impact on the future enforcement of trade secrets. Acting now is crucial.