Should You Abandon Email to Protect Trade Secrets?

In the wake of the hacking of the Democratic National Committee’s email server, it may be time to explore whether transmitting trade secrets via email—even internally—has become too risky.

Email hacks have become commonplace. It is a virtual certainty that your company has at least been targeted by some sort of hacking attempt. For every high-profile hack, like Sony, Ashley Madison, or the DNC, there are thousands of less-visible companies that also suffered data breaches, often involving emails.

The sad truth is that regardless of protection efforts, no company can keep its emails and centrally stored electronic documents 100% safe. Thus, you need to ask: is it time for my company to ban transmittal of trade secrets via email?

A wholesale ban on email transmission is not always going to be feasible. But for certain types of trade secrets—particularly ones used only by a small number of employees—this could be workable. For example, I wrote recently about trade secrets relating to design schematics used in 3D printing. Those types of schematics could potentially be stored offline.

These issues are specific to each company. You should speak with an attorney who specializes in trade-secret issues to figure out whether your company could benefit from taking trade secrets offline.

Find a Pokemon, Lose Your Trade Secrets?

Well, that escalated quickly. In what seems like an instant, Pokemon went from a faded memory to an all-encompassing craze unlike anything we’ve seen before from an app. Nintendo, the company behind Pokemon Go, has seen its market cap increase by $7 billion since the game was released last week. I haven’t played the game, but I can’t stop hearing and reading about it. Pretty remarkable.

Pokemon Go’s success has far-reaching implications for how we use technology, and in particular augmented reality. I loved this article about how companies can use Pokemon Go to drive foot traffic for about $1/hour. But for our purposes, Pokemon Go may present some unexpected risks to information security.

This article from Inc. discusses two of these risks. First, Pokemon Go users must log in using their Google accounts. But Pokemon Go is then automatically granted full access to the user’s Google account. Thus, Pokemon Go “can see and modify nearly all information in your Google Account.” So, as noted in this blog post, users playing Pokemon Go have granted the app permission to read their emails, send emails, access and delete all Google Drive documents, and more. Not good. Particularly if your employees have emailed themselves proprietary information.

The developer of Pokemon Go has since issued a statement that this was a mistake, which will soon be fixed. Regardless, this shows how important it is to keep your employees from sending themselves proprietary information; prohibiting that practice should be your company’s policy. In addition, various IT solutions can protect against this practice.

Also, Pokemon Go has been officially released in only several countries. Per the Inc. article, people living elsewhere have turned to file-sharing services to download the app:

“Because the game is popular, people in other countries are obtaining the Android version through unofficial channels – and hackers have already successfully posted malware-infected versions of the app in some file sharing services. One variant of such a malevolent version of the app was discovered by the security firm Proofpoint and is quite serious: it infects Android devices and allows hackers to access the infected devices via a backdoor.”

File-sharing services are notoriously dangerous. You should be blocking access to all such services on all company devices.

Issues like these are well-suited for employee training. Employees need to know that seemingly innocent conduct can expose the company to serious risks.
