An unprecedented number of employees are working remotely and this requires a major rethink of a company’s cybersecurity and IT policies to ensure ongoing protection of the company’s intellectual property and confidential information. To reduce the risk of potentially disastrous leaks of company intellectual property and confidential information, we strongly recommend companies implement a Virtual Private Network (VPN) for all remote employees, train employees in physically securing company devices, and ensure all company devices can be remotely wiped.
IssuesThe biggest issue stems from employees using outside networks to connect with company IT resources, i.e. residential and third party commercial networks found in homes, coffee shops, libraries, etc. This is a particular concern over public and unprotected Wi-Fi networks, where a bad actor can easily intercept any data sent over the network. It goes without saying, such a leak could be devastating for a company’s business. Another issue is a bad actor’s physical access to employee devices – laptops, cell phones, tablets, etc. Working remotely means significantly more of these devices will leave the office, making them easier targets for theft or hacking. Even a password protected device is not safe, as a bad actor can comprise a device only with access to the physical ports such as a USB, Thunderbolt, or FireWire port. A bad actor can potentially use these ports to bypass a device’s operating system (OS) and the OS’ security measures to install malicious software or copy data form the device. As well, many companies have begun using online meeting and teleconference services so their employees can collaborate but this also may cause leaks intellectual property and confidential information. Some online meeting and teleconference services allow users to record the meeting and upload the recording to cloud storage. Further, some services can transcribe these recordings to provide written transcripts of a meeting. In addition to the risk a recording or transcript may be released in a data breach, storage of these items in overseas servers may violate United States’ export control laws depending on the contents of the recording. Finally, and perhaps most critically, it can be difficult to fully track what parties are included in an online meeting or if any other parties have access to the meeting, particularly with services which allow different types of users at once, i.e. some users may be using video conferencing on a laptop, other users may be calling in on a telephone, etc.
How to Protect Your IPSimilar to the social distancing and shelter-in-place polices enacted around the world to reduce a population’s exposure to the SARS-C0V-2 virus, a company’s first line of defense for its confidential information and non-public intellectual property is to keep it “quarantined” on company servers in company offices unless there is a legitimate need for access outside of the office. This can be achieved in number of ways, such as user access controls which limit access to authorized individuals or by physically removing network access to a device with such information. Finally, companies should forbid employees from using third party cloud storage services, such as Dropbox or Google Drive, for storing or sharing company files. So what if an employee needs access outside of the office? A virtual private network (VPN) is an absolute must. A VPN encrypts all data sent and received between a company server and an employee’s device. Even if a bad actor can intercept an employee’s network connection over public Wi-Fi or an unprotected home network, the encrypted data will be useless without the correct encryption key. Another strongly recommended solution is to use a remote computer setup, such as Microsoft’s Remote Desktop Service (RDS). This allows an employee to remotely access a company computer without actually saving any data locally on the employee’s computer, reducing the risk confidential or IP protected data will be stolen. To protect against theft and physical access attacks, all employee devices should have the option to be remotely wiped, i.e. all of the data on a device can be deleted remotely. Further, an employee can install locking port covers to prevent physical access to a device’s external ports. And as a general tip, companies should instruct employees to keep all company devices in secure locations and to not leave devices unattended in public locations or easily accessed locations, such as on the seat of a car. For teleconferences services, the meeting host should be well aware of the particular services’ privacy and confidentiality settings, and ensure the service is set to collect and save as little meeting information and personal information as possible. The host should also set up as many safeguards as a meeting allows – such as applying password protection, using a “waiting room,” a feature that allows the host to approve users to join a meeting. This feature will only work, however, if he users are joining from recognizable connections A company also should require all employees to only conduct meetings in private locations to avoid any third party snooping and to disable any home smart devices, such as cloud based personal assistants, smart televisions, etc., which might record and remotely store audio from a meeting.
ConclusionA company’s confidential information and intellectual property can be one of its most valuable assets and protecting it is essential to a company’s success. The above measures will help ensure these assets are protected, but only if they are actually implemented and enforced. In addition to enacting these measures, a company should ensure all employees are aware of these measures along with why the company is using them and the consequences of not following them, otherwise an employee may simply write these off as annoyances which slow down their work. Much like preventing the spread of COVID-19, a company’s confidential information and intellectual property should be “quarantined” from outside networks as much as possible, and when not, proper protection must be in place. These precautions can allow a company’s business to continue with minimal interruption in these extraordinary times.
Alexander T. Bara
Alexander T. Bara assists clients with patent and trademark prosecution. His patent experience encompasses both domestic and foreign prosecution in multiple technology areas, including mechanical, chemical, and electrical arts.