Employees leave companies for many different reasons: corporate downsizing, poor performance, to move on to a better job, or a business closing. At most companies, it is the human resources department that takes the lead. The HR manager may ask for the employee’s company-provided laptop, but that is usually as far as it goes when it comes to removing access to internal company data and networks as well as external cloud applications.
We are not saying that all employees are looking to steal information. It is true that an employee who is terminated for poor performance may be upset and may want to get back at the company by taking or destroying critical company data. Other employees may feel that information they cultivated, such as customer records, is their personal property and can be taken when they leave. Data loss can also be an unintended consequence of a company’s BYOD (Bring Your Own Device) policy.
The responsibility for the protection of your company’s electronic assets lies with you – the IT professional. The problem is that you are often the last one to learn of an employee’s departure and must scramble after the fact to secure all data, applications and networks to which the employee had access. It is critical to put a proactive IT plan in place to prevent the potential risk of data loss before and after an employee leaves.
Here are nine ways to protect your data and reduce corporate risk when an employee leaves your company.
1. Eliminate Access to the Employee’s Mailbox.
You would think that this would be completed even before the employee has left the HR manager’s office, but many companies do not block access to email until hours or days after an employee has gone, especially if the employee has chosen to leave the company on their own.
If an employee is leaving voluntarily, they have most likely given their 2-week notice. As a member of the IT team, make sure that you are aware of this. Although the employee will still need access to their email and other files during that time, you can monitor their actions for any activities that are out of the ordinary. This might include forwarding large quantities of emails from their work mailbox to a personal email account or printing a large number of attached files.
If an employee is being asked to leave due to poor performance or corporate downsizing, be sure that your human resources department coordinates with you to confirm when the employee will be told that they no longer have their job. Eliminating access to their email (and other accounts) while they are meeting with their department head or the HR manager will ensure that they are unable to access any last-minute files or data on their way out the door.
Whether an employee chooses to leave on their own or is asked to leave, a best practice is to make their email account available to their manager and forward all new incoming emails to that person as well. This will ensure that business continues uninterrupted and the manager can determine if the employee was using their work email for other activities.
2. Use Single Sign-On to Disable Access to Multiple Applications at Once.
The other component of IT management that is as critical as removing access to an employee’s mailbox is the use of a single sign-on system administered through Active Directory or a similar tool. This single sign-on is beneficial for an employee because they can access all of the applications and resources they need to do their job by only signing in once. On the other hand, it is also beneficial for you because you can deactivate a former employee in one single action and the access to all of their applications and other resources is immediately cut off.
3. Backup and Archive All Data.
While many companies already have company-wide data backup and archiving solutions in place – especially for email – they do not take into consideration the possibility that individuals or teams of employees might have storage solutions that are not approved by, or are unknown to, the IT department.
A marketing department, for example, creates, stores and shares extremely large files to develop trade show graphics, high resolution printed collateral and other marketing materials. To enable the easy storage and transfer of these files between employees and outside vendors, marketing teams often use cloud storage tools like Dropbox, which may be unknown to you and are never backed up on the corporate network.
An archiving solution takes data protection one step further with the ability to capture company data, store it indefinitely and protect it from employees attempting to change, steal, or delete content. However, remember that an employee who has been planning to gain access to company data for some time and has set up a separate, personal file syncing solution will be able to modify and delete data outside of the archive.
4. Determine If Data Access Can Be Limited to Individual Departments or Positions.
Strategies to protect a company’s electronic data should also be proactive and implemented company-wide with the development of information governance policies and procedures. Work with your executive management team to implement a set of IT policies which are given to every new employee. Consider the possibility of limiting access to on-premise and cloud applications, files, and networks to the individuals or departments who are required to work with them on a regular basis.
For example, the accounting team does not need access to the company’s future go-to-market plans. No one outside of human resources should have unlimited access to all employee salaries and benefits data. The engineering team does not need access to detailed customer data which can be found in the company’s CRM system or marketing automation tools.
5. Develop a List of Any External Cloud Applications or Websites an Employee Might Be Able to Access.
It is easy to develop a list of websites, applications, or other resources which are managed internally or endorsed by your company for employee use. These may include your company’s official corporate website and social media channels including LinkedIn, Facebook and Twitter. But you may be unaware of all of the other tools used by a specific individual as part of their daily job requirements. A marketing specialist may have access to a separate Google Analytics account to report on the company’s website statistics. They may use a cloud-based graphic design tool or have set up online accounts for upcoming trade shows in which the company will participate.
Speak with the employee’s manager who will be much more familiar with the external tools used by their team. Create a master list of those tools for future reference. When the employee leaves, immediately transfer access to other team members and change all passwords.
6. Disable Company-Owned Mobile Devices and Wipe Personal Employee Devices.
The use of company-owned mobile devices as well as the BYOD (Bring Your Own Device) trend have caused considerable headaches for IT professionals. Whether a laptop or tablet is provided to an employee by your company or they use their own personal smartphone or laptop for work related activities, the use of Mobile Device Management (MDM) technology to access, manage and wipe those devices is essential.
- MDM for Company Owned Devices:
Any mobile device, whether it is a laptop, tablet or smartphone, which is provided to an employee when they start their job, is owned by the company. You have the right to wipe the device clean as soon as you are informed by HR that the employee will be leaving. The ability to do this remotely is critical since the device could be at a different office or the employee’s home. Since data backup and archiving solutions should already be in place, there should be no problem deleting the data on the device because it should be easily accessible elsewhere.
- MDM for Employee Owned Devices:
The use of employee owned devices for work related activities raises some legal and ethical concerns. On the one hand, you want employees to be productive and use the tools with which they feel most comfortable, but it is critical for you to control how business data is used, stored and shared on any personal device without interfering with private information or applications. And do you even know how many employee-owned devices are being used company-wide? Employees are hesitant to let anyone within your organization search and gain access to their personal devices, which may include things like private financial records, personal photos, health information or contact information for family and friends. Implementing an MDM solution which enables you to access and wipe only company data, but not personal data, is key. Educating employees on how you will manage personal mobile devices, and that you are looking out for their best interest, is also a critical component.
7. Monitor All Applications, Data and Network Access by The Employee for a Given Period After They Are Gone.
An employee who is asked to leave due to poor performance or corporate downsizing and has decided to access or retrieve data will usually do it within hours or a few days of departing the company. Put a formal plan in place to monitor attempts by them to access your network, files, emails or other data after they have gone. You may choose to do this for a week, two weeks, one month or longer.
Employees who have chosen to exit on their own know that they are on their way out long before their supervisor or the HR manager is aware. This enables the employee to easily take the information they want without raising suspicions. So, it is also important to proactively monitor employee activities, the information they have access to and what they are doing with it.
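As an added illustration of the post-departure monitoring plan in step 7 (this code is not from the original article), the sketch below checks sign-in events against an offboarding roster and reports any activity by a departed account inside its monitoring window. The roster, the log format and all account names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed offboarding roster: account -> (departure time, monitoring window in days).
ROSTER = {
    "jdoe":   (datetime(2024, 3, 1, 15, 0), 30),
    "asmith": (datetime(2024, 3, 4, 17, 0), 14),
}

# Constructed sign-in log lines: timestamp, account, resource, result.
SAMPLE_LOG = """\
2024-03-01T14:10:00 jdoe mail success
2024-03-01T15:42:00 jdoe vpn failure
2024-03-02T02:13:00 jdoe crm success
2024-03-05T09:00:00 asmith fileshare failure
2024-03-06T11:30:00 bnguyen mail success
2024-04-15T08:00:00 jdoe vpn failure
not-a-log-line
"""

def parse(line):
    """Return (timestamp, account, resource, result), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]

def post_departure_findings(log_text, roster):
    """List events by departed accounts that fall inside their monitoring window."""
    findings = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None or event[1] not in roster:
            continue
        ts, account, resource, result = event
        departed, window_days = roster[account]
        if not (departed < ts <= departed + timedelta(days=window_days)):
            continue
        # A success means access was never removed; a failure is an attempt
        # against an account that was already disabled.
        severity = "ACCESS_NOT_REVOKED" if result == "success" else "ATTEMPT_BLOCKED"
        findings.append((severity, account, resource, ts.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in post_departure_findings(SAMPLE_LOG, ROSTER):
        print(*finding)
```

An `ACCESS_NOT_REVOKED` finding points to a resource that was missed during deprovisioning and should be closed immediately.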
8. Proactively Monitor Employee Activities.
You can employ monitoring solutions which monitor the individual actions of employees and find inconsistencies in behavior over time. For example, activities might include following the websites that employees visit, storing social media posts and instant message conversations, developing a list of files they downloaded or flagging the forwarding of large numbers of emails to personal accounts.
If you decide to proactively monitor all employees, this activity should be included in your corporate employee handbook and you should educate them on why and how it will be used. Employees do not want to feel that they are not trusted and that someone is watching their every move, so it is important to discuss how this activity will also protect them, the company and clients from cyber-attacks, malware, or unsafe actions by unwitting employees.
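The forwarding of large numbers of emails to personal accounts, mentioned here and in step 1, can be checked against each sender's own history. The following is an added example, not code from the original article: the mail-flow records, the domain names and the `factor` and `floor` thresholds are all assumptions constructed for illustration, and any non-corporate recipient domain is treated as external.

```python
from collections import defaultdict
from statistics import median

CORPORATE_DOMAINS = {"example.com"}  # assumption: the company's own mail domains

# Constructed forwarding records: (day, sender, recipient).
SAMPLE_EVENTS = []
for d in ("2024-03-01", "2024-03-02", "2024-03-03", "2024-03-04"):
    SAMPLE_EVENTS += [(d, "jdoe@example.com", "jdoe.home@mail.test")] * 2
    SAMPLE_EVENTS += [(d, "asmith@example.com", "partner@vendor.test")]
    SAMPLE_EVENTS += [(d, "asmith@example.com", "manager@example.com")] * 30
SAMPLE_EVENTS += [("2024-03-05", "jdoe@example.com", "jdoe.home@mail.test")] * 40
SAMPLE_EVENTS += [("2024-03-05", "bnguyen@example.com", "bn.private@mail.test")] * 25

def daily_external_forwards(events):
    """Count forwards per sender per day, ignoring mail that stays inside the company."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, sender, recipient in events:
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in CORPORATE_DOMAINS:
            counts[sender][day] += 1
    return counts

def flag_spikes(events, factor=5, floor=20):
    """Flag days where external forwards exceed the sender's own baseline.

    The baseline is the median of the sender's earlier days. The floor keeps
    low-volume senders quiet and still catches accounts with no history.
    """
    alerts = []
    for sender, per_day in daily_external_forwards(events).items():
        days = sorted(per_day)  # ISO dates sort chronologically
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            baseline = median(history) if history else 0
            if per_day[day] >= max(floor, factor * baseline):
                alerts.append((sender, day, per_day[day], baseline))
    return sorted(alerts)

if __name__ == "__main__":
    for sender, day, count, baseline in flag_spikes(SAMPLE_EVENTS):
        print(f"{day} {sender}: {count} external forwards (baseline {baseline})")
```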
9. Do Not Give Employees Administrator Access.
It is probably not uncommon for you or a member of your IT team to give administrator access to employees so that they can customize applications and operating systems or even fix problems on their computer when you cannot get to the employee’s office in person. Have you ever spoken with an employee over the phone and walked them through how to gain administrator access to their desktop or laptop to fix a problem they are having or complete a required upgrade? Once the upgrade is made or problem is fixed, administrator access may not be removed, enabling the employee to install applications or save files to cloud storage devices which have not been approved.
Whether an employee is asked to leave or leaves on their own, data can be lost in a number of different ways. It is critical that you put proactive policies in place to protect your company’s electronic assets throughout the life of your employees’ tenure at the company. Mitigating data loss from the beginning will minimize risk and help ensure that you are not scrambling at the end as your employee walks out the door.