Preventing a Crisis: 9 Ways to Protect Corporate Data When an Employee Leaves
1. Eliminate Access to the Employee’s Mailbox

You would think that this would be completed even before the employee has left the HR manager’s office, but many companies do not block access to email until hours or days after an employee has gone, especially if the employee has chosen to leave the company on their own.

If an employee is leaving voluntarily, they have most likely given their 2-week notice. As a member of the IT team, make sure that you are aware of this. Although the employee will still need access to their email and other files during that time, you can monitor their actions for any activities that are out of the ordinary. This might include forwarding large quantities of emails from their work mailbox to a personal email account or printing a large number of attached files.

If an employee is being asked to leave due to poor performance or corporate downsizing, be sure that your human resources department coordinates with you to confirm when the employee will be told that they no longer have their job. Eliminating access to their email (and other accounts) while they are meeting with their department head or the HR manager will ensure that they are unable to access any last-minute files or data on their way out the door.

Whether an employee chooses to leave on their own or is asked to leave, a best practice is to make their email account available to their manager and forward all new incoming emails to that person as well. This will ensure that business continues uninterrupted and the manager can determine if the employee was using their work email for other activities.
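
The notice-period monitoring described above can be run over a mail server's message-trace export. The following is an added example, not part of the original article: the record layout, the personal-domain list, the thresholds and all addresses are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import date

# Assumption: domains treated as personal webmail; extend for your environment.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Constructed watchlist: departing employee -> (notice given, last day).
NOTICE_PERIODS = {
    "alice@example.com": (date(2024, 3, 1), date(2024, 3, 15)),
    "bob@example.com": (date(2024, 3, 4), date(2024, 3, 18)),
}

# Constructed message-trace rows: (day, sender, recipient, attachment count).
TRACE = (
    [(date(2024, 3, 4), "alice@example.com", "alice.home@gmail.com", 0)]
    + [(date(2024, 3, 5), "bob@example.com", "bob.private@gmail.com", 2)] * 40
    + [(date(2024, 3, 6), "Bob@Example.com", "bob.private@GMAIL.com", 15)] * 3
    + [(date(2024, 3, 6), "bob@example.com", "buyer@customer.example", 4)] * 25
    + [(date(2024, 3, 5), "carol@example.com", "carol@yahoo.com", 1)] * 50
    + [(date(2024, 2, 20), "bob@example.com", "bob.private@gmail.com", 1)] * 30
)


def flag_bulk_personal_mail(trace, notice_periods, max_msgs=20, max_attachments=30):
    """Return {(sender, day): (messages, attachments)} for watched senders
    whose daily mail to personal domains exceeds either threshold."""
    totals = defaultdict(lambda: [0, 0])
    for day, sender, recipient, attachments in trace:
        sender = sender.lower()
        window = notice_periods.get(sender)
        if window is None or not (window[0] <= day <= window[1]):
            continue  # not a departing employee, or outside the notice period
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain not in PERSONAL_DOMAINS:
            continue  # business recipient: ordinary traffic
        totals[(sender, day)][0] += 1
        totals[(sender, day)][1] += attachments
    return {
        key: tuple(counts)
        for key, counts in totals.items()
        if counts[0] > max_msgs or counts[1] > max_attachments
    }


if __name__ == "__main__":
    hits = flag_bulk_personal_mail(TRACE, NOTICE_PERIODS)
    for (sender, day), (msgs, atts) in sorted(hits.items()):
        print(f"{day} {sender}: {msgs} messages, {atts} attachments to personal mail")
```

The second flagged day has only three messages but trips the attachment threshold, which is why both counters are tracked.
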
2. Use Single Sign-On to Disable Access to Multiple Applications at Once

The other component of IT management that is as critical as removing access to an employee’s mailbox is the use of a single sign-on system administered through Active Directory or a similar tool. Single sign-on is beneficial for an employee because they can access all of the applications and resources they need to do their job by signing in only once. It is also beneficial for you because you can deactivate a former employee in a single action, and access to all of their applications and other resources is immediately cut off.
3. Back Up and Archive All Data

While many companies already have company-wide data backup and archiving solutions in place, especially for email, they do not take into consideration the possibility that individuals or teams of employees might have storage solutions that are not approved by or are unknown to the IT department. A marketing department, for example, creates, stores and shares extremely large files to develop trade show graphics, high-resolution printed collateral and other marketing materials. To enable the easy storage and transfer of these files between employees and outside vendors, marketing teams often use cloud storage tools like Dropbox, which may be unknown to you and are never backed up on the corporate network.

An archiving solution takes data protection one step further with the ability to capture company data, store it indefinitely and protect it from employees attempting to change, steal, or delete content. However, remember that an employee who has been planning to gain access to company data for some time and has set up a separate, personal file syncing solution will be able to modify and delete data outside of the archive.
4. Determine If Data Access Can Be Limited to Individual Departments or Positions

Strategies to protect a company’s electronic data should also be proactive and implemented company-wide with the development of information governance policies and procedures. Work with your executive management team to implement a set of IT policies that are given to every new employee. Consider the possibility of limiting access to on-premises and cloud applications, files, and networks to the individuals or departments who are required to work with them on a regular basis. For example, the accounting team does not need access to the company’s future go-to-market plans. No one outside of human resources should have unlimited access to all employee salaries and benefits data. The engineering team does not need access to detailed customer data, which can be found in the company’s CRM system or marketing automation tools.
5. Develop a List of Any External Cloud Applications or Websites an Employee Might Be Able to Access

It is easy to develop a list of websites, applications, or other resources that are managed internally or endorsed by your company for employee use. These may include your company’s official corporate website and social media channels including LinkedIn, Facebook and Twitter. But you may be unaware of all of the other tools used by a specific individual as part of their daily job requirements. A marketing specialist may have access to a separate Google Analytics account to report on the company’s website statistics. They may use a cloud-based graphic design tool or have set up online accounts for upcoming trade shows in which the company will participate.

Speak with the employee’s manager, who will be much more familiar with the external tools used by their team. Create a master list of those tools for future reference. When the employee leaves, immediately transfer access to other team members and change all passwords.
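
A master list becomes actionable when it records, per tool, whether single sign-on covers it, who owns it and whether the login is shared. The following is an added example, not part of the original article: it turns such a list into the work that remains after the leaver's directory account is disabled, and the field names, tool names and people are constructed assumptions.

```python
# Constructed master list; tool names, people and field names are illustrative.
MASTER_LIST = [
    {"tool": "design-suite", "sso": True, "shared_login": False,
     "users": {"dana", "erin"}, "owners": {"erin"}},
    {"tool": "web-analytics", "sso": False, "shared_login": False,
     "users": {"dana", "erin"}, "owners": {"dana", "erin"}},
    {"tool": "tradeshow-portal", "sso": False, "shared_login": True,
     "users": {"dana"}, "owners": {"dana"}},
    {"tool": "crm", "sso": True, "shared_login": False,
     "users": {"erin"}, "owners": {"erin"}},
]


def offboarding_actions(master_list, leaver, successor):
    """Return (tool, action) pairs still required once the leaver's
    directory account has been disabled."""
    actions = []
    for entry in master_list:
        if leaver not in entry["users"]:
            continue  # the leaver never had access to this tool
        tool = entry["tool"]
        if entry["owners"] == {leaver}:
            # Sole owner: without a transfer the team loses the account.
            actions.append((tool, f"transfer ownership to {successor}"))
        if entry["shared_login"]:
            # A shared password stays known to the leaver until changed.
            actions.append((tool, "change shared password"))
        elif not entry["sso"]:
            # Individual login outside SSO survives the directory disable.
            actions.append((tool, "remove individual account"))
        # SSO-backed individual logins need nothing further here.
    return actions


if __name__ == "__main__":
    for tool, action in offboarding_actions(MASTER_LIST, "dana", "erin"):
        print(f"{tool}: {action}")
```
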
6. Disable Company-Owned Mobile Devices and Wipe Personal Employee Devices

The use of company-owned mobile devices as well as the BYOD (Bring Your Own Device) trend have caused considerable headaches for IT professionals. Whether a laptop or tablet is provided to an employee by your company or they use their own personal smartphone or laptop for work-related activities, the use of Mobile Device Management (MDM) technology to access, manage and wipe those devices is essential.
- MDM for Company-Owned Devices: Any mobile device, whether it is a laptop, tablet or smartphone, which is provided to an employee when they start their job, is owned by the company. You have the right to wipe the device clean as soon as you are informed by HR that the employee will be leaving. The ability to do this remotely is critical since the device could be at a different office or the employee’s home. Since data backup and archiving solutions should already be in place, there should be no problem deleting the data on the device because it should be easily accessible elsewhere.
- MDM for Employee-Owned Devices: The use of employee-owned devices for work-related activities raises some legal and ethical concerns. On the one hand, you want employees to be productive and use the tools with which they feel most comfortable, but it is critical for you to control how business data is used, stored and shared on any personal device without interfering with private information or applications. And do you even know how many employee-owned devices are being used company-wide? Employees are hesitant to let anyone within your organization search and gain access to their personal devices, which may include things like private financial records, personal photos, health information or contact information for family and friends. Implementing an MDM solution that enables you to access and wipe only company data, but not personal data, is key. Educating employees on how their personal mobile devices will be managed, and that you are looking out for their best interest, is also a critical component.