Editor's note: The following is a guest article from Steven Kursh, president of Software Analysis Group, and Pratike Patel, senior consultant with Software Analysis Group.
The COVID-19 outbreak accelerated the growth of work from home at many enterprises. Given that many employees are choosing to remain working remotely on at least a part-time basis, CIOs need to reassess and update their policies and practices regarding the protection of intellectual property, particularly trade secrets.
The phrase commonly used in regards to trade secrets is "reasonable measures." While certainly under the umbrella of security practices to protect against hacking and malware, reasonable measures to protect trade secrets often involve different, albeit related, objectives.
CIOs face the dilemma of choosing which reasonable measures to adopt, since such policies and practices can be costly and create unnecessary constraints for employees, customers and other stakeholders. Obviously, no one wants their organization to devote the time, money and other resources to working with legal counsel to litigate misappropriation of trade secrets. Prevention is the preferred alternative.
Keep in mind that trade secrets cover critical assets for the company. Customer lists, know-how and, importantly for software companies, user-facing software components, including features, functions, architecture, design, workflows and processes, could constitute trade secrets.
Additionally, combinations of characteristics and components may be trade secrets, even if some or all of those components are individually in the public domain.
Here are some suggestions regarding reasonable measures for CIOs to consider:
1. Implement measures that go above and beyond normal business operations
Technologies and practices such as antivirus and anti-malware software, operating system security updates, firewalls and secure passwords are necessary.
A significant percentage of trade secret misappropriation happens with insiders – employees, whether present or previous, suppliers, customers, and third-party contractors who have password-protected access to company systems, and others who acquire improper access to the systems.
Consider adopting measures that protect the company from each of these groups. Protection against hacking and malware is necessary, but not sufficient.
2. Working with legal counsel, create a set of documents that provide a head start when negotiating with stakeholders
This includes NDAs, subscription and/or license agreements, and other agreements that counsel deems necessary for prospective business partners, subscribers (i.e., customers), reviewers, and others.
3. Develop, implement and update internally-driven procedures for employees, independent contractors, suppliers and others
Consider having NDAs, employee training, employee handbooks, periodic training and exit interviews for all employees with similar procedures for contractors and others exposed to trade secrets. Here again, legal counsel can be of help with document templates and preparation.
Consider as well the equipment that employees use at home. Such equipment should be managed in ways that closely mirror what is done at the office. For example, at-home equipment should receive up-to-date security patches and antivirus updates, and should use security settings such as an automatic screen lock with password protection after a period of inactivity.
Employees needing to connect to the office should use VPN technologies whenever possible. We recommend that policies and practices be implemented to ensure WiFi connections from home are secure. Employees should generally not access company resources from public WiFi connections, such as those at coffee shops.
With the increased use of mobile devices, including the growing prevalence of personal devices ("bring your own device," or BYOD), CIOs need to protect trade secrets on these devices in the same way they are expected to on computers.
Employees and other people with access to trade secrets rely on apps on these devices as much as on a computer to perform their work, regardless of where they are. Traditional desktop business applications such as Microsoft Office and Adobe Creative Cloud are now available on tablets and phones.
Mobile device management (MDM) software allows enterprises to configure smartphones and tablets so that they are secure. MDM has become mainstream enough that iOS and Android have native support for it. Alternatively, techniques such as sandboxing applications can keep a company's data secure while recognizing the realities of today's BYOD movement.
Offboarding practices must also include collecting relevant equipment from former employees.
Meetings and presentations held virtually using video conferencing technologies such as Zoom require additional safeguards, such as unique meeting IDs, passwords, waiting rooms and disabling recordings.
4. Develop, implement and update externally-driven procedures
Technical controls may be important because they involve the use of role-based access that ensures only the minimum information necessary is provided, and only within a limited timeframe. These controls may need to be reviewed periodically and updated as necessary.
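The following is an added example, not code from the article or its authors, of what a time-boxed, role-based access check can look like. The role names, resource prefixes and grant durations are assumptions made up for the example: a grant maps a user to a role for a fixed period, the check fails closed once the grant expires, and a review helper lists grants that are about to lapse so the periodic review described above has something concrete to work from.

```python
"""Added example: time-boxed role-based access grants with a review list.
Role names, resource prefixes and durations below are assumptions, not
anything from the article."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime


# Assumed least-privilege mapping: each role may read only the listed path prefixes.
ROLE_RESOURCES = {
    "contractor-billing": ("src/billing/",),
    "reviewer-design": ("designs/",),
}


def grant_role(user, role, now, duration):
    """Create a grant that is valid from `now` for `duration`; unknown roles are rejected."""
    if role not in ROLE_RESOURCES:
        raise ValueError(f"unknown role: {role}")
    return Grant(user=user, role=role, granted_at=now, expires_at=now + duration)


def can_access(grants, user, resource, now):
    """True only if `user` holds an unexpired grant whose role covers `resource`."""
    for g in grants:
        if g.user != user:
            continue
        if not (g.granted_at <= now < g.expires_at):
            continue  # expired or not yet active: fail closed
        if resource.startswith(ROLE_RESOURCES[g.role]):
            return True
    return False


def grants_due_for_review(grants, now, horizon):
    """Grants that have expired or will expire within `horizon`: the periodic review list."""
    return [g for g in grants if g.expires_at <= now + horizon]


if __name__ == "__main__":
    start = datetime(2023, 5, 1, 9, 0)  # constructed timestamp
    g = grant_role("vendor1", "contractor-billing", start, timedelta(days=30))
    print(can_access([g], "vendor1", "src/billing/engine.py", start + timedelta(days=1)))   # True
    print(can_access([g], "vendor1", "src/billing/engine.py", start + timedelta(days=30)))  # False
    print(grants_due_for_review([g], start + timedelta(days=25), timedelta(days=7)))
```

The design choice worth noting is that expiry is enforced at check time rather than by a cleanup job: a grant that nobody remembered to revoke still stops working on its own, and the review list surfaces it before that happens.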
5. Consider consolidating the tracking of website activity across all of the company's systems
The tracking should cover not just the SaaS site, if the company is in the software business, but also access logs for software and underlying code, as well as design information and other kinds of records that have activity-logging capabilities.
Unusual user activity such as multiple logins from the same account in disparate geographic locations, accessing a large number of files in a small period of time and multiple failed attempts to access resources that the user does not have permissions to use may be red flags requiring investigation.
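As an added example (not code from the article or its authors), the three red flags listed above can be checked against a consolidated activity log. The log format, event names, thresholds and time windows are assumptions chosen for the example, and the log lines are constructed sample data; the point is to show how each pattern becomes a concrete rule over per-user event timelines.

```python
"""Added example: flagging the three patterns described in the article over a
constructed sample audit log. Log format, event names, thresholds and windows
are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the environment.
GEO_WINDOW = timedelta(hours=1)        # logins from different countries within this window
FILE_WINDOW = timedelta(minutes=10)    # window for a file-access burst
FILE_THRESHOLD = 5                     # file reads inside FILE_WINDOW that count as a burst
DENIED_WINDOW = timedelta(minutes=15)  # window for repeated permission failures
DENIED_THRESHOLD = 3

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 timestamp> <user> <event> <detail>
SAMPLE_LOG = """\
2023-05-01T09:00:00 alice login country=US
2023-05-01T09:20:00 alice login country=DE
2023-05-01T09:30:00 bob login country=US
2023-05-01T09:31:00 bob file_read designs/arch-overview.pdf
2023-05-01T09:31:30 bob file_read designs/workflow-v2.pdf
2023-05-01T09:32:00 bob file_read src/billing/engine.py
2023-05-01T09:32:10 bob file_read src/billing/rules.py
2023-05-01T09:32:20 bob file_read customers/list-q1.csv
2023-05-01T09:40:00 carol login country=US
2023-05-01T09:41:00 carol access_denied hr/salaries.xlsx
2023-05-01T09:42:00 carol access_denied hr/salaries.xlsx
2023-05-01T09:43:00 carol access_denied finance/forecast.xlsx
2023-05-01T11:00:00 dave login country=US
2023-05-01T15:00:00 dave login country=GB
2023-05-01T15:05:00 dave file_read designs/arch-overview.pdf
"""


def parse_log(text):
    """Parse lines into (timestamp, user, event, detail) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    events.sort(key=lambda ev: ev[0])
    return events


def has_burst(times, window, threshold):
    """True if at least `threshold` timestamps fall inside some sliding window."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def disparate_locations(logins, window):
    """True if two logins from different countries occur within `window` of each other."""
    logins = sorted(logins)
    for i, (t_i, country_i) in enumerate(logins):
        for t_j, country_j in logins[i + 1:]:
            if t_j - t_i > window:
                break
            if country_i != country_j:
                return True
    return False


def find_red_flags(events):
    """Return {user: sorted flag names} for every user matching at least one rule."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    flags = {}
    for user, evs in by_user.items():
        found = set()
        logins = [(t, d.split("country=", 1)[1]) for t, _, e, d in evs if e == "login"]
        if disparate_locations(logins, GEO_WINDOW):
            found.add("logins_from_disparate_locations")
        if has_burst([t for t, _, e, _ in evs if e == "file_read"], FILE_WINDOW, FILE_THRESHOLD):
            found.add("file_access_burst")
        if has_burst([t for t, _, e, _ in evs if e == "access_denied"], DENIED_WINDOW, DENIED_THRESHOLD):
            found.add("repeated_permission_failures")
        if found:
            flags[user] = sorted(found)
    return flags


if __name__ == "__main__":
    for user, names in find_red_flags(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(names)}")
```

In the sample data, alice, bob and carol each trip exactly one rule, while dave's two logins from different countries are four hours apart and so fall outside the window; that negative case is deliberate, since the article frames these patterns as flags requiring investigation rather than proof of misuse, and windows that are too wide bury the analyst in noise.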
6. It's critical to recognize that the company is facing a moving target and must constantly reassess reasonable measures and make improvements
Vigilance is key, and throughout the process the company should maintain a risk management perspective. The job is never done.