A recent survey of employees reported that 45% acknowledged that they continued to have access to sensitive or very sensitive confidential information after leaving the company. Up to 49% claimed they had accessed some service after leaving. How can you protect your data from walking out the door along with your former employee?
It’s best to start protecting your corporate assets at the very beginning: data protection should start upon employee hire and continue to the end of employment. Proper data protection should include robust policies, established termination procedures, and ongoing monitoring to ensure data security during an employee’s tenure.
Here are 11 ways to prevent data disappearance in your organization.
- Begin at the beginning. Put protections in place from the time an employee joins the organization. Update inventory management data to reflect the employee’s assigned assets. Ensure the employee signs non-disclosure and IP agreements (to prove an employee was informed in the event of data theft and a resulting legal procedure) and a security policy acknowledgement. Establish and maintain a record of account access granted. Include the employee’s computer in your activity monitoring program.
- Put in place processes to ensure continuity. Potentially, the greatest loss to the company when an employee leaves is the knowledge they gained while in your employment, and that’s still locked up inside their brain. Ensure there are processes and collaboration tools to capture corporate knowledge and support a smooth hand-off to another employee.
- Develop a termination procedure. Document who is responsible for taking steps to ensure data security when an employee is given notice or resigns. The procedure should cover physical access to the building, access to all hardware, email archiving and ongoing email account monitoring, account access termination, and similar checkpoints.
- Identify high-risk departures. Be aware of those employees who may represent a higher risk factor, such as terminated employees, contractors, outsourced call or service center employees, technically sophisticated users, and employees with privileged access, such as system administrators. For these profiles, deploy more focused policies and procedures, and be watchful for anomalous activities.
- Control your storage. Consider providing corporate-controlled cloud storage options to discourage employees from using Dropbox or other personal solutions. This will enable employees to do their work and keep IT in control of corporate data.
- Control access to cloud apps. Make it more difficult for employees to maintain rogue access to applications by implementing an IT-managed single sign-on (SSO) portal that will enable access to all cloud applications. One word of caution when disabling access: resist the temptation to purge everything connected with the ex-user, because once an account is deleted, the data residing in it may not be retrievable. For example, if the departing employee was the primary user for a service such as Google Analytics, the account must be transferred to avoid losing access to the corporate data.
- Conduct an audit. Document all data to which the employee has access (both on-premises software and cloud software) to ensure you are disabling access to all points of entry.
- Ask for the employee’s support. Employers should do something that most of them are not doing: ask departing employees for the login credentials to all of the repositories that might contain corporate data. For protection in the near term and going forward, the organization should reaffirm all non-disclosure and IP agreements.
- Remember the hard assets. Take care of the physical pieces – badges, all computer equipment (including external drives), and similar hard assets. Remember to change codes to restricted rooms onsite.
- Don’t forget BYOD. Take advantage of available software solutions that allow IT to remove corporate data (but not personal data) from an employee’s device.
- Keep listening. Use insider threat detection software to detect anomalies, monitor specific applications and websites, and enable IT forensics.
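
As an added illustration (not part of the original article), the script below reconciles the record of account access granted during employment with the accounts that actually exist at departure, as the audit and cloud-app items describe. Accounts where the employee is the primary user are marked for transfer instead of deletion. The system names, usernames and data layout are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample: the "record of account access granted" kept since hire.
ACCESS_RECORD = {"jdoe": {"sso-portal", "crm", "file-share", "web-analytics"}}

# Constructed snapshot of accounts as each system reports them at departure.
# "owner" marks the employee as primary user of a shared corporate resource.
LIVE_ACCOUNTS = [
    {"system": "sso-portal", "user": "jdoe", "active": True, "owner": False},
    {"system": "crm", "user": "jdoe", "active": False, "owner": False},
    {"system": "file-share", "user": "jdoe", "active": True, "owner": False},
    {"system": "web-analytics", "user": "jdoe", "active": True, "owner": True},
    {"system": "project-wiki", "user": "jdoe", "active": True, "owner": False},
    {"system": "crm", "user": "asmith", "active": True, "owner": False},
]

@dataclass(frozen=True)
class Finding:
    system: str
    action: str      # what the offboarding owner should do
    recorded: bool   # False = access that never made it into the grant record

def offboarding_audit(user, access_record, live_accounts):
    """Reconcile recorded grants with live accounts for a departing user."""
    recorded = access_record.get(user, set())
    findings, seen = [], set()
    for acct in live_accounts:
        if acct["user"] != user:
            continue
        seen.add(acct["system"])
        if acct["owner"]:
            # Deleting would strand corporate data: transfer first, never purge.
            action = "transfer-ownership-then-disable"
        elif acct["active"]:
            action = "disable"
        else:
            action = "already-disabled"
        findings.append(Finding(acct["system"], action, acct["system"] in recorded))
    # A recorded grant with no live account found still needs a manual check.
    for system in sorted(recorded - seen):
        findings.append(Finding(system, "verify-manually", True))
    return sorted(findings, key=lambda f: f.system)

if __name__ == "__main__":
    for f in offboarding_audit("jdoe", ACCESS_RECORD, LIVE_ACCOUNTS):
        flag = "" if f.recorded else "  <-- not in access record"
        print(f"{f.system:15} {f.action}{flag}")
```

Any finding with `recorded` set to false points to access granted outside the documented process, which is also a gap to fix in the onboarding record keeping.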