Let's talk digital
What risks are today's organisations facing?
This is the question asked at SA Law’s recent “Let’s talk digital” event at the Institute of Directors in London. Panellists Chris Cook (Employment), Vanessa Crawley (Corporate), Mike Lewis (Property litigation) and Simon Walsh (Dispute Resolution) touched on a wide range of challenges, and highlighted how a proactive approach to policies and procedures can make all the difference. Taken directly from the event, here are some key digital risks to bear in mind, and the solutions that keep them in check.
As you read them, bear in mind the essence of digital risk: it’s not technology that creates the challenge, but how people use it.
Know who you’re connecting to
The growth of LinkedIn means more and more of our business connections are made electronically rather than face to face. Naturally, this is open to abuse. Not only has it become a key channel for criminal activities such as phishing and fraud, it has also increased the risk of corporate espionage. For example, a business creates a fake LinkedIn recruitment profile to encourage employees from competitors to talk about confidential projects. Now is the time to pay much closer attention to due diligence, and carry out proactive checks to ensure people are who they say they are.
Cyber crime isn’t just an IT issue
Information breaches make big headlines, with more and more organisations suffering lost revenue, reputational damage, and (from May 2018) fines that could soon amount to 4% of your global turnover if the stolen information relates to customers or colleagues. Over recent years, cyber security strategies have shifted towards the ‘human factor’, because one misplaced employee click on a phishing link or file attachment could be all it takes to compromise your digital security. Today’s organisations need a clear IT equipment ‘acceptable use’ policy, and a focused education and awareness programme that teaches the risks.
Information security in an agile world
Confidential information is also under threat from the increased prevalence of agile working at home, and in public places such as coffee shops and airport lounges. For example, are your employees aware of the risks of connecting their work devices to unsecured public Wi-Fi? Do they know not to talk about valuable information where they can be overheard, or work on valuable documents where their screen can be seen? Again, a clear acceptable use policy and information security training should be mandatory for all employees, with extra measures for those who handle customer or employee information.
A flexible workforce may need a flexible approach to property
Agile working is changing the way organisations view their office space, with many moving from a traditional ‘fixed desk’ approach to hot desking. Agile working also prompts the question of how much space you actually need if only a proportion of your workforce is present at any one time. This has led to flexible approaches to leasing, and the growing desk rental sector that uses the Airbnb model to help organisations capitalise on unused space. If you’re thinking of doing this, make sure you have procedures in place to prevent third parties gaining access to your confidential information, whether through overheard conversations, information displayed on monitors, or water-cooler chats with your employees.
Social media and the value of information
Another rising trend is employees who leak confidential information online, often because they either don’t understand the value or sensitivity of information they handle, or simply fail to realise that everything they post on social media is publicly accessible. Information security and social media policies are essential for most organisations, alongside awareness training about the risks of social media. Employees will find this extremely beneficial for their personal lives too, as the rise in identity theft and fraud is partly fuelled by a tendency to share too much personal information online.
Who are your leavers connected to?
Online networking services such as LinkedIn are causing a headache for organisations when it comes to leavers. Employment contracts for key staff may include restrictive covenants that prevent them from contacting clients for a set period after they leave, which includes contact through social media. The tip here is to make sure new joiners are aware of their restrictive covenants, and remind them in formal exit interviews before they leave. Some organisations encourage new joiners to start a company LinkedIn account, which is deactivated on departure.
Know your intellectual property
Bear in mind that the way you sell your product or service could be more valuable than the product or service itself. Many commercial models focus on identifying new technology-driven ways to deliver traditional goods and services, in which case your intellectual property is the innovative way your business uses technology. The confidentiality clauses of employment contracts should reflect this. Make sure leavers are clear about the know-how they can and can’t take to their new employer.
Be clear about employee use of consumer devices and services
With such a wide choice of technology, people tend to develop their own unique way of working and communicating. However, organisations need to bear in mind that many consumer devices and services (for example, email and file sharing) don’t provide the same level of security as those built specifically for commercial purposes. Make sure your acceptable use policy states which devices and services are authorised for commercial use, and the stipulations that employees must meet if your organisation has introduced a ‘bring your own device’ (BYOD) policy.
Backing up can increase the value of your business
Malfunctioning technology is a fact of life, and there’s nothing new about experts urging you to back up regularly to achieve a watertight electronic ‘paper trail.’ What you may not know is the vast range of ways that backing up could help you, from proving your case in a contract or employment dispute, to greatly increasing the value of a company when you come to sell it. It might be a good time to review how you preserve your electronic (and paper) records. For example, archiving rather than deleting could end up being a lifesaver.