BreachExchange mailing list archives

What to Do When Your Trusted Employees Defect to the Competition


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 8 Jul 2015 17:29:55 -0600

http://www.amerisurv.com/content/view/14012/

In today's competitive global market, managers know that employees
(including really valuable ones) are likely to change jobs every few years
or so. Like it or not, employee mobility has just become a fact of life.
But even worse than the cost of recruiting someone new to fill the vacancy
when a key employee leaves, there's one big, looming worry that's sure to
ratchet your anxiety up to critical levels: "She knows everything!"

The fear of an ex-employee sharing your vital secrets with her new employer
is, indeed, a well-founded one. In the hands of the competition,
information about your products, processes, strategies, and client base can
dull your competitive edge and hurt profitability at a time when every
penny counts. Sometimes, James Pooley says, it can even bring down a
company.

"For employers whose main capital base is intangibles like goodwill or
know-how, the thought of losing employees who have access to information
assets is an absolute nightmare," agrees Pooley, author of Secrets:
Managing Information Assets in the Age of Cyberespionage (Verus Press,
2015, ISBN: 978-0-9963910-0-9, $24.97). "After all, HR can get back a
departing employee's keys and laptop—but they can do nothing to remove the
valuable knowledge in his or her head.

"At the extreme end, situations like this can threaten a corporate empire,"
he adds. "For example, when an executive with knowledge of the Thomas'
English Muffins 'nooks and crannies' recipe left to join a competitor, he
was stopped by a court. Every business, whether or not it has a 'secret
recipe' or highly specialized technology, almost certainly has information
that gives it a competitive advantage, and it usually has to be shared with
employees who may not be around tomorrow. The good news is there are ways
to mitigate the risk."

Having recently completed a five-year term as deputy director general at
the World Intellectual Property Organization in Geneva, where he was
responsible for management of the international patent system (PCT), Pooley
is an expert in the fields of intellectual property, trade secrets, and
data security. Secrets, which explains how to recognize and mitigate the
risk of information loss that's so prevalent in our hyperconnected world,
is a must-have guide for executives and managers, knowledge workers,
consultants, security professionals, entrepreneurs, investors, lawyers, and
accountants—anyone and everyone who works with information.

Here, Pooley shares nine ways for employers to minimize the risk associated
with departing employees:

Realize that no one—not even your protégés—will stay forever. One mistake
leaders often make is assuming that, because of either loyalty or
gratitude, the employees they've trained and closely mentored will stick
around indefinitely. But the truth is that all employees—even protégés—come
and go. And if care isn't taken to prevent it, they can leave with
sensitive information.

"Many years ago, a client complained to me about an employee who left his
company after he 'taught him everything he knew,'" Pooley recalls. "My
client was caught off guard—he expected that the employee's gratitude for
teaching him the business would fuel a permanent loyalty. In the real
world, and especially the business world, it rarely works out that way."

Know what the law does—and doesn't—protect. The law protects only trade
secrets, not employee skill or general knowledge—but what's the difference?
The skill a worker acquires practicing her craft over time is hers to keep.
The same thing may also apply to techniques and information she has learned
over the course of her employment. However, if any of those techniques or
pieces of information give her employer a competitive advantage, are not
generally known, and are safeguarded to a reasonable degree by the company,
they are likely to be considered trade secrets.

"If that explanation sounds confusing or open to interpretation, that's
because it is," says Pooley. "Trade secrets can range from unique processes
for creating goods—such as the legendary Coca-Cola formula—to seemingly
inconsequential details, such as a key client's favorite wine. There simply
is no hard-and-fast distinction between these types of assets. However, if
a piece of information—no matter how minute—is privately held and gives
your particular company an edge over the competition, chances are the law
will treat it as a trade secret."

Clearly convey your expectations to job seekers. Applicants probably aren't
thinking much about trade secrets, but it's still a good idea to be clear
about your expectation that they will not bring with them information that
could get you in trouble. A pre-employment interview agreement that spells
out what prospective employees can and can't use or disclose from their
previous jobs is an indispensable precaution against inadvertent
information theft.

"Make it abundantly clear to new recruits that their previous employers'
private information must stay private," Pooley recommends. "Promoting a
culture of respect for others' information rights reduces the chances of
becoming involved in costly legal battles. Remind workers that there are no
advantages to bringing competitors' trade secrets with them, only risks."

Proactively re-recruit your best knowledge workers. Of course, the best
information retention strategy is also an employee retention strategy: Hold
on to your key people whenever possible. Proactively incentivize them to
stay with your company by ensuring that they remain happy, appreciated, and
well compensated. Yet also keep in mind that money usually isn't the
primary driver for loyalty.

"Happily for business owners, research has consistently shown that creative
employees are driven by factors other than money," Pooley confirms. "The
motivation to innovate—and to stay put while doing so—can come from a
desire for personal recognition, intellectual curiosity, and even the wish
to advance the interests of the company or the industry. If an employee
produces a valuable idea or invention, make it known. Focusing on ways to
keep the talent happy will almost always lead to better outcomes for your
business."

Take advantage of nondisclosure agreements. As their name suggests, these
documents legally bind employees not to share certain information assets
(often trade secrets). Employees are less likely to compromise confidential
information when they know it's of such importance that the company has
tied it to a document. Likewise, competitors are less likely to encourage
new employees to divulge information acquired from previous employers if a
nondisclosure agreement exists.

"Anyone who might have access to your trade secrets should sign an NDA at
the beginning of the relationship," Pooley advises. "For new employees, the
best practice is to provide a copy of the agreement to review and sign
before the first day of work. This will eliminate any question of whether
the agreement was signed voluntarily, and whether adequate 'consideration'
was given in return for the employee's promise."

Use noncompete agreements with care. Increasingly unpopular with judges
(not to mention employees), noncompete agreements can be expensive to
enforce and sometimes backfire. The terms of this kind of agreement can
range from compensating workers for not seeking employment with any
competitor to simply prohibiting competing for a certain period of time
within a particular geographical area. (This is in contrast to
nondisclosure agreements, which allow ex-employees to continue working in
the field so long as the confidentiality of their former employer's trade
secrets is respected.)

"Noncompete agreements are controversial in comparison with NDAs," Pooley
comments. "Some suggest that they interfere with the advancement of
industry, because certain levels of growth and innovation are impossible to
reach when employees are restricted from moving freely between jobs. Judges
sometimes hesitate to enforce noncompetes because they impinge on the free
movement of labor. On top of all this, workers can easily perceive them as
roadblocks to the advancement of their careers, hurting company morale. In
general, it's best to find a balance between caution and fairness to
employees."

Be sure to directly address the digital risk. While departing employees
have always been able to take secrets with them, the chances of this
happening have increased dramatically for many companies in the digital
age. It's critical for employers to be aware of the particular risks posed
by employee-owned devices, the Cloud, file sharing, and more.

"It's likely that a 'social media mindset' is present in most of your
staff, meaning that they see information sharing as positive and normal,"
Pooley comments. "But what's acceptable in their personal lives can be very
dangerous in a business context. Technical controls like MDM (mobile device
management) and NBA (network behavior analysis) software do help, but
aren't sufficient on their own. The best way to mitigate the digital risk
is good old-fashioned people management. In addition to the other tactics
listed here, technology-specific training and messaging, as well as
enforcement that's visible, will reduce problems."

Take potential security breaches seriously. If you think one of your staff
may have violated your confidence, don't hesitate to determine what trade
secret information he regularly had access to and whether there is any
evidence of unauthorized access. Investigate whether the employee has
exhibited any unusual behavior such as excessive copying, downloading,
emailing, or erasing of records.

If permitted by company policy and law, make a copy of the employee's hard
drive. Review his files, emails, and telephone records to determine what
(if any) company information has been disclosed outside and, if so, to
whom. Only after gathering this information and consulting with legal
counsel should you confront the employee.

"Your main focus at this point should be discovering where the information
has gone, not prosecuting the worker," says Pooley. "The most important
thing is retrieving the property and preventing it from further
distribution. After that, legal counsel will advise you on how to proceed
with the employee issue."

Never skip the exit interview. Even with voluntary departures, it's
important to share your concerns and learn about the employee's plans. The
potential for harm isn't limited to "stolen" data—simple misunderstandings
can also lead to distracting, expensive litigation. If there is no reason
to believe that the departing employee has any intent to breach company
confidentiality, simply arrange a meeting to learn more about her decision
to leave and to reinforce your concerns and determination to protect the
organization's interests.

"It's possible that others may be involved, and a group departure is
inevitable," adds Pooley. "If this is the case, you should seek legal
advice as soon as possible to investigate and properly react to the threat
a mass exodus could represent."

"Profitable secrets falling into the wrong hands really can spell
doom for a company—especially in a time when the vast majority of
information is shared across the global network of the Internet," Pooley
concludes. "It's essential for any organization that deals in information
to actively protect its intangible assets from the watchful eyes of
competitors. Fortunately, with responsible practices, secrecy is still
possible in the online age."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
