Skip to content

Four ways to protect your company from insider attacks

By Elizabeth Ticehurst

 

Security is a huge company expense. Guards patrol buildings, virus protection software is installed, laptops encrypted and mobile phones tracked. Yet a hard truth can be forgotten – employees may pose the greatest risk for companies. Protecting intellectual property and confidential information requires safeguards from misuse and theft by the very people who need to access these to complete their work.

 

A VERY REAL RISK

A recent case highlights the extent of damage insiders can inflict. It concerned two senior employees who worked for Lifeplan, a provider of investment products including funeral bonds and pre-paid funeral plans. The employees accessed confidential business and financial documents and used them to prepare a business concept plan, which they presented to Foresters, a direct competitor. They then copied a confidential database containing hundreds of funeral directors’ contact details, contracts, marketing and administration documents, and began approaching funeral directors to solicit business for Foresters while still employed by Lifeplan.

After the two joined Foresters, their funeral products business increased gross income by more than $22 million in two years. In the same period, Lifeplan’s business took a severe downturn and experienced losses of more than $20 million. Lifeplan took legal action against the two employees as well as Foresters, claiming they had breached their fiduciary duties as senior employees, and that they had breached Corporations Law provisions prohibiting the misuse of confidential information. Foresters was alleged to have “knowingly assisted” in those breaches. The case was appealed all the way to the High Court, which ordered that Foresters must pay the total value of its funeral products business (then worth more than $14 million) to Lifeplan.

 

KEEP YOUR BUSINESS SAFE

This case is not an isolated example. Clearly, an absence of oversight and a clear opportunity can prove a temptation too great to ignore for some employees. What then, can an employer do to protect themselves?

  • Written agreements. The first step, from a legal point of view, is to ensure that employees have signed a formal written employment contract with contractual obligations to protect confidential information. Surprisingly, it is not unusual even today to find senior employees who have no written employment contract! Small businesses or family-run companies often rely on a verbal agreement or a single sheet of paper to set out the terms of an employment contract. It is important to remember that while a properly prepared contract seems expensive, it can save a lot of money and legal difficulties in the long term.
  • Strong policies. Next, implement policies to control the primary ways confidential information is accessed and used. In most organisations, information is held electronically and employees access information through the company’s intranet, email and telecommunications systems. It is important therefore, to have a company devices policy covering IT and telecommunications systems and to provide compliance training. For example, the policy can state that certain information must not be downloaded on mobile storage devices such as flash drives. Policies should also alert employees that the company has the right to view all of their activity using company devices and systems.
  • Electronic monitoring. From a practical point of view, some degree of electronic monitoring will be required to enforce the company’s policy. For some organisations, such as banks, continuous monitoring is required, while other companies with limited resources will only need this periodically. Best practice is to direct monitoring to the times of greatest risk, such as when an employee is under notice and will shortly leave the company. Suspicious activity such as printing abnormally large volumes of documents, downloading information onto flash drives, or emails from a work account to a private one, should also trigger employee monitoring.
  • Legal action. Finally, even if the damage is discovered after the employee has left, all is not lost. Legal action can be taken to recover or stop a former employee from using confidential information, or to stop their new employer from taking advantage of it. However, as with most legal problems, prevention is better than cure.

Elizabeth Ticehurst is Special Counsel – Employment at KPMG

Office Closure

Thank you for visiting our website.
Please note during the holiday season our offices will be closed from the 22nd of December 2023 to the 2nd of January 2024.

For all enquires please refer to the contact us section of the website.