Question: How would the FTC rule on noncompetes affect data security?
Jadee Hanson, CIO and CISO, Code42: The Federal Trade Commission's proposed rule grants employees well-deserved autonomy regarding where they work, and when. However, it also complicates the relationship between employer and employee when it comes to data ownership, and security teams need to be aware that, if passed, their employees could easily leave their company for a competitor, with sensitive data and intellectual property (IP) in tow.
One reason noncompetes exist is to keep company data and intellectual property from leaking to competitors. It's easy to verify when a former employee takes a new position with a competitor, but not so easy to know if that employee took company data with them. I would argue that companies should not be relying solely on noncompete agreements to keep their valuable IP safe — but their potential ban makes it even more important to have the proper data security in place.
Organizations should incorporate technologies and processes that can identify risky file movements without inhibiting the organization's collaborative culture and employee productivity. They need technology that can see movement across a variety of cloud applications, automate security alerts, and prioritize insider risk concerns. Today, data is highly portable, and users are doing their jobs off the company network — greatly decreasing security's visibility into file movements. Potential risk indicators could include file movements made while users are off-hours, changing file extensions, or having access to the files of a highly confidential project. Without technology providing the right visibility, it's nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk.
There's an assortment of tools that business leaders can choose from, but the most effective data protection technology can tell the difference between trusted and untrusted locations and allows employees to openly collaborate. In particular, insider risk management tools allow you to monitor, filter, and prioritize risk events, detecting when files are moving to noncorporate locations, including personal devices and cloud storage solutions.
This being said, it's not solely about the tools. Security and HR teams should also be sure to define formal onboarding and offboarding policies for employees, proper data handling training, and processes to address insider risks as they are found. A good security culture starts with a security team that is willing to empower the entire organization to get its job done. Using a "trust but verify" approach allows leaders to facilitate positive, trusting relationships with employees, using monitoring tools to ensure they're only intervening when it's absolutely necessary. The way organizations manage the relationship between their security teams and the broader employee and user base has decisive effects on retention and the overall employee experience. If security, legal, and HR teams approach insider risk events in the same combative, and sometimes hostile, manner they do external threats, it can increase tension between themselves and the rest of the organization, sowing the seeds for a culture of distrust among employees.
At the end of the day, it's on every employee in the workforce to do their part in keeping the company secure, and creating a security-aware culture from the get-go is a great way to create this vigilance.
By embodying a security-focused attitude and having a holistic data protection program in place internally, security leaders can have peace of mind knowing that they're maintaining a positive work environment for their teams while also feeling confident that important competitive data is not leaving with employees.
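The risk indicators named in the answer above (off-hours file movement, a changed file extension, files from a highly confidential project), combined with the trusted versus untrusted destination distinction, can be expressed as a small prioritization routine. This is an added example, not part of the original answer and not code from any Code42 product; the event fields, destination names, project path and working hours are all constructed assumptions.

```python
from datetime import datetime
from pathlib import PurePosixPath

# All values below are constructed assumptions for illustration.
TRUSTED_DESTINATIONS = {"corp-sharepoint", "corp-gdrive"}
CONFIDENTIAL_PREFIXES = ("/projects/falcon/",)  # hypothetical confidential project
WORK_HOURS = range(8, 19)  # 08:00-18:59 local time, Monday to Friday

def indicators(event):
    """Return the risk indicators present in one file-movement event."""
    found = []
    ts = datetime.fromisoformat(event["time"])
    if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
        found.append("off_hours")
    # A differing suffix between source and uploaded name suggests disguise.
    src_ext = PurePosixPath(event["src"]).suffix.lower()
    dst_ext = PurePosixPath(event["dst_name"]).suffix.lower()
    if src_ext != dst_ext:
        found.append("extension_changed")
    if event["src"].startswith(CONFIDENTIAL_PREFIXES):
        found.append("confidential_project")
    return found

def prioritize(events):
    """Alert only on movement to untrusted destinations, highest risk first."""
    alerts = []
    for e in events:
        if e["dest"] in TRUSTED_DESTINATIONS:
            continue  # collaboration in trusted locations raises no alert
        hits = indicators(e)
        alerts.append((len(hits), e["user"], hits))
    return sorted(alerts, key=lambda a: a[0], reverse=True)

EVENTS = [  # constructed sample events
    {"user": "alice", "time": "2023-03-06T10:15:00", "dest": "corp-sharepoint",
     "src": "/projects/falcon/design.docx", "dst_name": "design.docx"},
    {"user": "bob", "time": "2023-03-07T23:40:00", "dest": "personal-dropbox",
     "src": "/projects/falcon/roadmap.xlsx", "dst_name": "roadmap.jpg"},
    {"user": "carol", "time": "2023-03-08T14:05:00", "dest": "usb-drive",
     "src": "/home/carol/notes.txt", "dst_name": "notes.txt"},
]

if __name__ == "__main__":
    for score, user, hits in prioritize(EVENTS):
        print(score, user, hits)
```

Movement to a trusted location is never alerted, even for confidential files, so the triage queue holds only events that leave corporate control, ordered by how many indicators they carry.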