Protecting business interests in a hybrid world
Working remotely combined with “The Great Resignation” has raised questions about how employers can best protect their business interests in this new world of work.
Rewind a few years and most employees were physically attending the workplace every day, which in turn made it easier for employers to monitor the work being carried out by their employees and ensure that confidential files were locked away safely. In addition, when an employee left the workplace, employers arguably had more visibility on what the employee was taking with them from the office. With the increase in hybrid working, employers no longer have the same oversight in relation to confidential information, leaving them increasingly vulnerable to data leaks and security breaches as well as to poaching of key members of staff.
This article covers some of the key considerations that employers should have in mind in order to protect their business interests in a post-pandemic world. It also suggests some practical steps that organisations can take to address any vulnerabilities and security risks associated with emerging hybrid working models.
There has been a significant increase in the number of cyber-attacks since the start of the COVID-19 pandemic, with the UK Government reporting in 2021 that 39% of businesses had suffered a breach in cyber security during the previous year. This is unsurprising given the meteoric rise in the use of technology to assist with remote working practices – particularly as an employee’s home is beyond the realms of secure office networks that ordinarily offer additional protection. IT breaches not only have serious impacts on an organisation both financially and reputationally, but also on its day-to-day operations. It is therefore crucial that employers take proactive steps to guard against phishing attacks and to ensure continuity of service to clients whilst preserving client confidentiality.
First and foremost, it is crucial that employers invest in the correct technology and implement up-to-date anti-virus software. Employers should use their best efforts to issue encrypted devices and adopt remote mobile device management so that that the employee’s device can be wiped in the event that it is lost or stolen. VPN severs can also assist with securing data when employees work from home. However it is important to remember that technology alone cannot safeguard against all cyber-attacks – human error is a huge factor. Therefore, regular employee training is essential so that staff are able to recognise and evade possible phishing attempts. Employees should also be reminded that, where possible, they should avoid using less secure public cloud-based networks as this may leave the company susceptible to data breaches.
Employers should also consider their practice around employees using their own devices at work. Many employers currently allow employees to use their own smartphones, laptops, or tablets for work purposes either during the working day or after hours. This practice of allowing employees to use their own devices increases the risk of a data breach and employers need to consider how they will record and keep track of the devices used to access company data and confidential information, what security measures will be (or can be) installed on employees’ personal devices, what steps need to be taken if a device is lost or stolen and whether an employee will be required to return their personal device to the employer for wiping when their employment ends. Employers should put in place clear policies and rules around using personal devices to undertake company work and conduct an assessment across its business to understand if it is really necessary to have such practice or whether it is easier and safer for the business to buy and provide company IT equipment to its employees.
According to one report, 56% of IT workers believe that employees have acquired bad security habits whilst working from home. With a combination of home and office working becoming the new norm, employees are more frequently transporting documents between several locations, therefore increasing the opportunity for data to be misplaced or intercepted. An example being an employee accidently leaving confidential documents on a train or in a café. As well as this, employers who may have a ‘clear desk’ policy in the office are unable to properly enforce this when employees are working from home. The inability to properly monitor document security creates information security concerns, particularly if the employee is sharing a workspace with others or has a family member who is working for a competitor.
Communicating a clear policy and providing mandatory training to employees may reduce these risks. For example, issuing regular reminders will assist with ensuring that information security remains at the forefront of employees’ minds. In particular, employees should be reminded to lock away work documents at home and a ‘clear desk’ policy should still apply irrespective of location. Employers should consider how their existing policies can be adapted to working from home. Similarly, employees should be made aware of and/or reminded of the risks of leaving confidential information on display in public places such as trains or cafés.
Employers should also consider providing access to shredders so that their staff are able to destroy and dispose of documents in a confidential way. Another idea for employers to think about is to arrange for periodic collection of hard copy documents and materials from employees’ homes so the employer is confident that these materials have been properly disposed of.
Return of property on termination of employment
With some stating that the “Great Resignation” is in full swing in response to the COVID-19 pandemic, employers may see an increase in employee turnover. With this trend comes the need to minimise the risk that departing employees take sensitive information with them.
Whilst there is an implied duty of confidentiality, it is limited and ideally employers should put in place additional contractual protection. Express terms in the employee’s contract covering the return of company property on termination of employment should ensure that all materials obtained throughout the course of employment are returned to the company. For example, computers, mobiles, hard drives, company credit cards, office passes, hard copy documents – the list goes on. The consequences of not complying with this should also be made clear to employees.
Another practical step includes implementing policies to limit employee access to systems and sensitive data as soon as they resign. Employers may wish to utilise garden leave at the point of resignation (checking that they have the contractual right to do so within the employee’s contract first) and removing access to systems and collecting hard copy documents shortly after garden leave commences to minimise risks of employees copying confidential documents.
Arguably, the pandemic has in some ways made restrictive covenants harder for employers to enforce.
Many employers will define “restricted customers” or “restricted employees” as those businesses or individuals that the employee had material contact or involvement with over the last 12 months. If the employee has been on furlough leave or working reduced hours due to the pandemic, this may reduce the group of restricted customers or restricted employees covered by the restriction. This means that customers or employees that the employee had an existing relationship with prior to furlough or reduced hours are not protected and the employee could be free to solicit or poach them.
While an employee has been on furlough leave, was another employee looking after the customer relationship? Does that employee have appropriate restrictions within their contract? Employers may need to undertake a review or audit of the post-termination restrictions they have in place with their workforce and consider whether they are still appropriate this side of the pandemic.
Employers should remember that enforceability of restrictive covenants is assessed at the point in time when the restrictions were signed up to by the employee. Employers should check that restrictive covenants in place with employees are still relevant, appropriate and proportionate and update restrictions where necessary providing relevant financial consideration for any new covenants that are entered into with the employee.
Whilst many organisations continue to take advantage of the various benefits that come with hybrid working models, they should ensure that this is not to the detriment of their information security and business protection. It is essential that employers develop a strategy to properly protect their business interests that is fit for the ever changing world of work.
Link to article