In the modern world, information is money and business is increasingly reliant on commercially sensitive information staying confidential. However, employees (and contractors) leaving for new pastures can be tempted to take confidential information with them, whether it be client details, pricing and margin information, marketing information or strategic plans. There are a number of steps that can be taken to reduce this risk:
- Have a clear employment agreement which contractually protects the status of confidential information.
- Establish and implement relevant policies. Fleshing out confidential information obligations involves not only preparing relevant policies but also educating the workforce about them, ensuring employees understand and acknowledge them, and conducting refresher updates. Put another way, tell the employee regularly what your expectations and rules are. With reasonable notice, policies can adjust to changing issues such as the use of personal devices to create company data, the use of consumer file-sharing applications and working from home.
- Keep information in a structured way. It is important to know what you know, so information should be kept in a structured way, whether electronically or in paper form, and a list of the most important types and locations of confidential information should be kept.
- Keep permissions tight. Data access permissions should be structured and limited to necessary people. Just as “loose lips sink ships”, a lax approach to data access restrictions can have disastrous consequences. Cloud-based applications require special vigilance, and keeping a spreadsheet that lists every employee’s access, tools and apps can help.
- Be vigilant. It is important to have tools to monitor data access, including alerts for activity at odd hours, the transfer of unusual amounts of data, or large attachments being sent to personal email addresses. If certain employees are showing signs of dissatisfaction, some increased monitoring may also be advisable.
- Prepare to respond. Have contingency plans in place that are both proactive and reactive. Proactive action to reduce access may be required if an employee is working out their notice period, or increased monitoring of data usage may be sufficient. This extends to something as basic as keeping an eye on photocopying activities. Reactive action may be required if there is a breach of data security, and a plan should be in place to stop the breach from continuing and identify where the data has gone. This may involve both electronic steps and contacting the employee directly. In some situations, legal action may be necessary to recover information taken without permission.
The unfortunate reality is that it is usually too late once confidential information has left the building and it can be difficult to undo damage. Given that confidential information is often a core business asset, paying attention to the ongoing security of that information will pay dividends.
This article is based on an article published by our friends at IT experts Country Consulting, and we gratefully acknowledge their input and permission to publish this information. Please contact us if you would like further information or help.