Virtual assistants have become a mainstay among start-ups, their cost effectiveness and convenience helping keep young and growing companies scrappy. I can have an assistant anywhere in the world with just about the same experience I'd have if she or he were right next to me. Save for one concern - security. My virtual assistant is going to open and answer my emails, reply to them as me and have access to documents. This assistant will be doing this from non-company off-site computers and devices. How do I maintain a strong level of security as our intellectual property begins to dominate the marketplace?
Our team at Bunny Inc is international, with presences in San Francisco, Tokyo, and Bogota. Much collaboration gets done virtually. So virtual assistants fit right into our work habits. My concern is that as we grow a virtual assistant will be tempted to use our intellectual property to his or her own benefit. To that end, I've put together these best security practices. They can scale with growth without jeopardizing trusted relationships.
Who To Pick As A Virtual Assistant (VA)
Trust contributes to security. No security protocol is foolproof. My choice of VA defends Bunny Inc's intellectual property (IP) as much as technological tools. Bunny Inc's growth stage also influences my choice of VA.
The virtual labor marketplace supports three distinct types of virtual assistants. First, the VAs on sites like Elance and Fiverr usually will be located in countries where US dollar buying power keeps my costs to around $5US per hour. Younger people in the West just out of primary education also populate these sites. But, with a good rate comes a price beyond the labor costs. On these sites, anyone can post an ad offering VA services without going through an interview and background check. Using un-vetted VAs creates a higher security risk, especially during innovative stages.
What's more, I spend more time managing people who are less experienced or who are still absorbing the nuances of business communications (this definitely includes young native English speakers). Remember, my VA responds to my emails as me. Young people often need coaching in business acumen.
Sites that specialize in providing VAs who get screened through a qualification and background check make up the next type. TaskRabbit fits this type; they offer VAs and also people who will do things like run errands. TastRabbit makes it easy to find a VA who is local. Or, I can choose someone from any location. Local VAs can be good and bad. I can set up regular meetings with a local VA which builds trust and clarity. But a local VA might have his or hear ear to the ground and be better informed about who might want to access our IP. Zirtual specializes in providing entrepreneurs experienced VAs. Each VA must go through a 9-step hiring process and then attend online courses. Zirtual trains their VAs to meet the specific needs of entrepreneurs. A web search will bring up many other businesses that vet their VAs as well.
The third kind of virtual assistant is one who is self-employed and has created her own business and own line of clients. A local search may bring up several independent VAs in your area. Their sites will look something like this VA's website from Santa Fe, NM. VAs also advertise their services in the Gigs section of Craigslist. Craigslist's fuzzy reputation aside, good VAs can be found there and there are ways to make sure you get an experienced one. Good independent VAs will provide a list of references and submit to a background check. They may be bonded too. The cost is more; the security is better. I also have the choice to get my VA bonded myself. Bonding an individual with no criminal background and a good credit history will cost around $600.
A self-employed VA with a diverse client base can be a good choice. A VA who is doing work for me, a medical practice, a CEO of a manufacturing firm and a college professor is much less likely to understand the information she has access to in a way where she would know how to market it, who to go to with it. If, on the other hand, a VA has a foothold in the start-up culture, that person will know more about where the 'bodies are buried' and who to go to with the corpses.
Maintaining Communication And Security Through Gmail
Gmail allows me to tie together any number of email addresses and have them managed from a single mailbox. I can even have my email attached to the Bunny Inc domain as one of my Gmail managed addresses. I can also use our Confluence collaboration tool with Gmail.
To share email access with your virtual assistant, I recommend using Gmail for the following reasons. I will have access to all the features needed to safely share my email account with my assistant. I can sign-in anywhere from any computer and read my email, including my assistant's responses. My assistant will be able to do the same as well.
Almost certainly, a VA will already be using Gmail. Gmail also keeps my passwords safe. When I connect my assistant's Gmail account to my own account the process operates through a series of email permissions. In the Gmail settings, I will use the "Grant Access To Your Account" feature to add my assistant's account information. She will then be able to send and receive email as me from her own account, with no need for me to give my passwords. Here is a video that will show how to set up mail delegation in more detail.
Even with a VA I will still have a lot of emails to manage. I will need to spend time reviewing my communications style with my VA and preferences for sorting and storing messages. This is why it's important to choose someone with a knowledge of business communication and acumen. At best my VA reduces my email load to about one-quarter of what otherwise I would have to read, sort and reply to (or not) on my own.
The Useful And The Improper Of Non-Disclosure and Non-Compete Agreements
The most important way my communications and documents stay secure, keeping my company's data and intellectual property safe, is to work with people I trust. First, I have to trust my virtual assistant. Of course, I am going to ask my virtual assistant to sign a Non-Disclosure Agreement (NDA) and a Non-Compete Agreement (NCA). What I won't do is create an NDA or NCA meant to intimidate. First, such a document fails at building trust between me and my virtual assistant. Second, an over-penalizing NDA or NCA would be almost unenforceable in my company's choice of legal venue.
As stated in our terms of service, California is the legal venue for all Bunny Inc's properties. This is the choice of venue for many tech companies like Facebook, eBay, and PayPal. Because of abuse of NDAs and NCAs back in the 1990s California courts now reject harsh agreements. A start-up for a website offering VAs, which recently received $2M in venture capital funding, does not as yet accept virtual assistants who live in California.
The part of an NDA or NCA agreement which enforces a penalty is called the Liquidate Damages Clause. A Liquidated Damages Clause sets a value on any unauthorized disclosure made by the signer, in this case, the VA. Since I cannot accurately value any information my company will have in the future, a Liquidate Damages Clause sets pre-determined value. According to court precedent, this value must be realistic. I cannot just set the damages at $1M unless I can prove that I could expect the exposure of Bunny Inc IP would reasonably be valued at $1m.
So I'll create an NDA and NCA with a $10k Liquidated Damages Clause at the outset of working with a VA. This is a far more enforceable value for any information a VA might expose, plus the agreement can be adjudicated by myself or any company officer in a small claims court. It presents a far more realistic agreement and one far more likely to make a VA think twice about disclosing information. Most important, I come across as cautious and reasonable. From the point of view of my VA, I gain his or her respect rather than intimidate. Besides, I'm not looking to intimidate someone who works for me; I'm looking to build trust and in return, earn trust.
As Bunny Inc grows I will adjust the NDAs and NCAs I use to realistically reflect the value of the information in the hands of my VA.
Apps And Tools That Help Protect Theft Of Intellectual Property
I have several options to reinforce data security and make theft tougher. One option, if it seems financially viable and wise, has my company provide a laptop for my VA. This will be considered once I feel I have a good rapport with my VA and feel he or she will be sticking around for awhile.
While there is no guarantee that my VA won't use another computer. I can send an inexpensive laptop and install monitoring software like InterGuard. Along with PC monitoring and web filtering, this software prevents screenshots.
There are other good options too. Websense Data Endpoint is another security software option which prevents screenshots along with providing other security features and tools like 'cut and paste' and print control. FileOpen is a document security program that also offers screen capture protection. Websense Data Endpoint focuses the most on preventing capture of information. It doesn't do the bigger monitoring job InterGuard does. FileOpen, with its digital rights features, would be the best choice for those who worry about data interception more than a VA stealing IP.
ContentGuard also protects documents and images from unauthorized eyes. I can send a PDF usable only by the intended recipient. My VA can't open it unless she has the code, and if she decides to forward it to an unintended recipient, the document will be inaccessible. Or if my VA needs to access the document on another computer, then ContentGuard sends a code and the document will only open on my VA's computer. If I don't want my VA to see the document, I use my private email address to send the security codes and email verification to the intended recipient. This is a good option for Confluence communications. I can have passcodes known only to myself and those working on a project with me. The best choice of security software options will depend on where your security interests lie.
Password protection is important so we use LastPass at Bunny Inc. This allows me to have one password to log into every website I use. The password for a particular site remains the same and stays encrypted within the LastPass app. I can give my VA access to sites with one supra-password without disclosing the password for any individual site. Other password managers like KeePass and 1Password do the same job of allowing people to share and protect passwords.
When To Bring A VA On As An Employee
Given that Bunny Inc has had an excellent start, both at attracting clients and good talent, at some point the downside of having a virtual Assistant will outweigh the downside of hiring a full-time assistant as an employee . The primary benefit of a VA is that our company pays only for the time needed. Plus, in the adventure of a new start-up only a certain kind of personality should endure the emotional turmoil first hand - one that needs little sleep, endures vast uncertainty cheerfully, and manages simultaneous crises competently. Close knit groups best endure the emotional ups and downs. The nature of a start-up can foster lots of rumors and feelings of impending doom for those unready to take the ride.
I anticipate several months from now Bunny Inc will have its bugs worked out of the Article Bunny beta product and perhaps by then I will need a full-time assistant. I can better manage computer security and track the work activity of an employed assistant.
Security's Last Line Of Defense
Just about every protection I can provide myself has a workaround. Screen capture prevention tools can be overcome by taking a picture of the computer screen with a phone, or even a method as primitive as writing the information down on a piece of paper. Even small tidbits of information can be valuable to my competitors.
Ultimately I need to trust my VA. The precautions in place serve as a platform on which everything from my intuition to my ability to choose a reliable assistant will be our IP's last line of defense.