Tech misuse falls into three categories that can actually harm your business.
Security breaches. Your VA saves client data to a personal Google Drive. They share login credentials with a friend. They work from a coffee shop on public WiFi while accessing your payment processor.
Under Philippine law (RA 10173, the Data Privacy Act), this isn’t just careless. It’s a violation that can trigger breach notifications and penalties.
Time theft and productivity fraud. Someone logs hours but doesn’t work. They run scripts to wiggle their mouse and fake “active” status. They claim 8 hours but deliver 2 hours of actual work.
Abuse of company resources. Installing unapproved software on work devices. Using company email for side businesses. Accessing your CRM to steal client lists for their own projects.
These behaviors can violate the Philippine Cybercrime Prevention Act and create serious liability.
Now here’s how to actually prevent each one.
Step 1: Set Up Proper Access Controls
Most tech misuse happens because access is too easy.
Use strong authentication everywhere. Require multi-factor authentication (MFA) for every tool that touches client data, payment systems, or sensitive information.
If someone’s device gets stolen or their password leaks, MFA is what stops unauthorized access.
Create role-based permissions. Not every team member needs access to everything.
Set up permissions so people can only see and do what their job requires. This limits damage if credentials get compromised.
Require VPN for sensitive systems. If someone needs to access systems with client data or financial information, require them to connect through a VPN first.
This encrypts their connection and prevents snooping on public networks.
Ban accessing sensitive systems from coffee shops, co-working spaces, or any public WiFi without VPN protection.
Use company-approved tools only. Create a list of approved tools and require everyone to use them.
Approved: Company email, designated password manager, official project tracker, company CRM.
Banned: Personal email for client files, personal cloud storage for work documents, unapproved messaging apps for client communication.
Put this in writing. Make sure everyone signs it.
Step 2: Implement Device Security Policies
The device your VA uses is a potential security hole.
Decide on company devices vs BYOD. If you provide the device, you control security. If they use their own (BYOD), you need agreements.
For BYOD, require:
- Work data stays in approved work apps only
- They must install approved security software
- You can remotely wipe the work partition if the device is lost
- Regular security updates must be installed
Get this in writing before they start work.
Require encrypted storage. Any device with access to client data must use full-disk encryption.
For Windows: BitLocker. For Mac: FileVault. For phones: built-in encryption enabled.
This protects data if the device is stolen.
Ban unauthorized software. Your VA cannot install software on work devices without approval.
No pirated software. No random browser extensions. No tools downloaded from sketchy websites.
Each unapproved installation is a potential malware entry point.
Step 3: Create Clear Data Handling Rules
Most VAs don’t know they’re mishandling data. They think they’re being efficient.
Define what data can and cannot be stored locally. Client names, email addresses, payment information, and project files with sensitive content cannot be saved to personal devices or personal cloud accounts.
Everything stays in the approved company systems.
Require data deletion at project end. When a project wraps or a VA’s contract ends, they must confirm in writing that all local copies of client data have been deleted.
Use NDAs with teeth. Every VA should sign a confidentiality agreement that survives contract termination.
It should explicitly state:
- Client data cannot be shared, copied, or reused
- No client information in portfolios without written permission
- Breach results in immediate termination and potential legal action
Make the consequences clear.
Train on what “confidential” actually means. Don’t assume people know.
Run a 15-minute training: Here’s what counts as confidential data. Here’s where it can be stored. Here’s what happens if you mishandle it.
Document who attended. Keep records.
Step 4: Set Up Smart Time Tracking
Time theft happens when tracking is either too invasive or too loose.
Use simple clock-in/clock-out systems. The best time tracking records when someone starts work, when they stop, and which project they’re working on.
That’s it.
No keystroke logging. No random screenshots. No webcam monitoring.
Track hours per project, not per minute. You don’t need to know what someone did at 2:47pm.
You need to know they worked 6 hours on the Johnson project and 2 hours on the Smith project.
ManagePH’s time tracking does exactly this. Simple clock in and out, automatic hours calculation, project-level tracking. No surveillance features that violate privacy guidelines.
Make time data visible to the worker. Your time tracking system should let VAs see their own hours, review their entries, and request corrections if something’s wrong.
Transparency reduces disputes and builds trust.
Step 5: Use Daily Recaps
The best way to prevent time theft isn’t watching people work. It’s making work visible.
Require end-of-day standup submissions. At the end of each work session, your VA submits a quick recap:
- What I completed today
- What I’m working on tomorrow
- Any blockers or issues
This takes 5 minutes to write and gives you complete visibility into productivity.
If someone is faking hours, it shows up immediately when they can’t describe what they actually did.
Review patterns, not individual days. One short day isn’t a problem. A pattern of vague recaps with no concrete deliverables is.
Look for:
- Consistently vague descriptions (“worked on emails”)
- Hours that don’t match output
- Tasks that never seem to finish
- Blockers that are never resolved
These are red flags that someone isn’t actually working the hours they claim.
Step 6: Handle Incidents Properly
When you suspect misuse, don’t panic. Follow a process.
Investigate with system logs, not surveillance. If you think someone is stealing time or mishandling data, check:
- Time tracking logs (when they clocked in and out)
- System access logs (what they accessed and when)
- Invoice submission history
- Recap submissions
- File access records
These logs tell you what actually happened without spying on the person.
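One way to run the first two checks together, as an added example rather than the output of any particular tool: it compares clock-in/clock-out records with system access records and reports access outside clocked hours and clocked shifts with no logged activity. The record layout, worker names and 15-minute grace window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records; the field layout is an assumption,
# not the export format of any specific time tracker or CRM.
SHIFTS = [  # (worker, clock_in, clock_out)
    ("va_ana", "2024-03-04T09:00", "2024-03-04T17:00"),
    ("va_ana", "2024-03-05T09:00", "2024-03-05T17:00"),
    ("va_ben", "2024-03-04T10:00", "2024-03-04T18:00"),
]
ACCESS = [  # (worker, timestamp, resource)
    ("va_ana", "2024-03-04T09:12", "crm/contacts"),
    ("va_ana", "2024-03-04T16:40", "project-tracker"),
    ("va_ana", "2024-03-04T23:55", "crm/export"),
    ("va_ben", "2024-03-04T10:30", "project-tracker"),
]

def _ts(value):
    return datetime.fromisoformat(value)

def access_outside_shifts(shifts, access, grace_minutes=15):
    """Access events that fall outside every clocked shift of that worker."""
    grace = timedelta(minutes=grace_minutes)
    flagged = []
    for worker, when, resource in access:
        covered = any(
            w == worker and _ts(start) - grace <= _ts(when) <= _ts(end) + grace
            for w, start, end in shifts
        )
        if not covered:
            flagged.append((worker, when, resource))
    return flagged

def shifts_without_activity(shifts, access):
    """Clocked shifts during which the worker touched no logged system."""
    quiet = []
    for worker, start, end in shifts:
        active = any(
            w == worker and _ts(start) <= _ts(when) <= _ts(end)
            for w, when, _ in access
        )
        if not active:
            quiet.append((worker, start, end))
    return quiet

if __name__ == "__main__":
    for row in access_outside_shifts(SHIFTS, ACCESS):
        print("access outside clocked hours:", row)
    for row in shifts_without_activity(SHIFTS, ACCESS):
        print("clocked shift with no system activity:", row)
```

A hit from either function is a prompt to look at the recaps and file access records for that day, not proof of misuse on its own.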
Revoke access immediately if needed. If you confirm serious misuse (data theft, credential sharing, fraud), revoke all access right away.
Lock their accounts. Rotate any passwords or credentials they had access to. Document everything.
Follow your own policies. If your policy says “violation results in immediate termination,” follow through.
If it says “first violation is a warning,” don’t skip to termination.
Consistency protects you legally.
Conduct exit procedures properly. When someone leaves (fired or resigned):
- Revoke all system access within 24 hours
- Require written confirmation they’ve deleted local data copies
- Retrieve any company devices or equipment
- Document the offboarding checklist
Keep records for the retention period specified in your policy.
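The 24-hour revocation rule and the credential rotation step can be audited from an account inventory. The following is an added example, not part of any product; the system names, workers, dates and record layout are constructed assumptions.

```python
from datetime import datetime, timedelta

REVOKE_DEADLINE = timedelta(hours=24)  # the window from the exit checklist

# Constructed sample inventory; names and fields are assumptions.
DEPARTURES = {"va_ben": "2024-03-08T18:00"}  # worker -> departure time
ACCOUNTS = [  # (system, worker, disabled_at or None if still enabled)
    ("email", "va_ben", "2024-03-08T18:30"),
    ("crm", "va_ben", "2024-03-10T09:00"),
    ("project-tracker", "va_ben", None),
    ("crm", "va_ana", None),
]
SHARED_SECRETS = [  # (name, workers who knew it, last_rotated)
    ("payment-processor-login", {"va_ben", "va_ana"}, "2024-02-01T00:00"),
    ("social-media-login", {"va_ben"}, "2024-03-09T08:00"),
]

def offboarding_gaps(departures, accounts, secrets, now):
    """Return (account_findings, unrotated_secrets) for departed workers."""
    now = datetime.fromisoformat(now)
    account_findings, unrotated = [], []
    for system, worker, disabled_at in accounts:
        if worker not in departures:
            continue  # still on the team
        deadline = datetime.fromisoformat(departures[worker]) + REVOKE_DEADLINE
        if disabled_at is None:
            if now > deadline:
                account_findings.append((system, worker, "still enabled"))
        elif datetime.fromisoformat(disabled_at) > deadline:
            account_findings.append((system, worker, "revoked late"))
    for name, holders, rotated in secrets:
        for worker in sorted(holders & set(departures)):
            left = datetime.fromisoformat(departures[worker])
            if datetime.fromisoformat(rotated) < left:
                # The departed worker still knows the current value.
                unrotated.append((name, worker))
    return account_findings, unrotated

if __name__ == "__main__":
    found, stale = offboarding_gaps(
        DEPARTURES, ACCOUNTS, SHARED_SECRETS, now="2024-03-11T00:00")
    print("accounts:", found)
    print("secrets needing rotation:", stale)
```

The returned lists can be saved alongside the offboarding checklist as part of the documented record.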
What Actually Prevents Misuse
Here’s what nobody says out loud.
Most tech misuse isn’t malicious. It’s accidental, born from unclear expectations or inadequate systems.
The best prevention is:
- Clear policies.
- Automatic accountability.
- Proportionate oversight.
Build systems that make misuse hard and accountability easy.
That’s how you actually prevent problems.