Posted on July 7, 2017 By Andre Ross
Breaking up is, as the song goes, hard to do and the advent of information technology has made it even harder for businesses. When you part company with an employee, whether it’s on friendly terms or not, how do you know they’re not going to be holding onto some of your data? It’s all too easy for someone to transfer files to a flash drive or a cloud-based storage service, or simply attach them to an email and your sensitive information could be walking out of the door without your knowledge.
But despite the fact that the risks have been there for many years, some companies still don’t have a proper digital separation policy to protect them from data exfiltration. Even if they do have a policy in place, often it only extends to seizing company assets like laptops and mobile phones, not taking account of newer trends such as BYOD devices, corporate social media accounts or access to cloud services.
Parting company with employees needs a plan, but it’s important to recognise that it isn’t a problem just for the IT department. Other parts of the business need to be involved too: drawing up a separation policy requires the involvement of HR and legal departments if you’re to stop proprietary information from being taken out of the company.
Having a plan means you are never forced to react to circumstances in a hurry in order to avoid a data breach, which is when you’re most likely to make mistakes. By having procedures in place you allow disengagement to be accomplished quickly and smoothly and with minimal risk of a leak of sensitive information. So, what do you need to consider?
A few years ago the preferred method of removing company data would have been via a flash drive or MP3 player, or even by burning data to a CD. Today it’s more likely to be using a cloud storage server or a personal email account on a service like Gmail or Outlook.
But there’s another way, and that’s to simply access the system remotely using old or stolen (shoulder surfed) credentials. As businesses rely more and more on the cloud and remote working they become more vulnerable to this kind of unauthorised access.
There are many reasons why employees might want to take data with them. Most commonly it’s to be able to gain an advantage in a new job. This is a particular problem for staff in customer facing roles such as sales. Short of carrying out a full data breach investigation it can be hard to prove that a customer has been poached using stolen information.
When an employee leaves, especially if they leave under a cloud, it’s therefore important to act fast. Removing them from the premises as soon as possible and revoking their access to systems quickly limits the opportunity to copy or otherwise remove sensitive data.
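Two of the things described above, a leaver logging in remotely with credentials that should already have been revoked and a leaver pushing data to a personal cloud or webmail account, both leave traces in ordinary authentication and web-proxy logs. The script below is an added example, not code from the original post: it reviews a handful of constructed log lines against a constructed leaver register and flags both patterns. The log format, the leaver register, the list of personal services and the 5 MiB upload threshold are all assumptions made for the example.

```python
"""
Added example (not part of the original post): review constructed
authentication and web-proxy log lines against a leaver register and flag
(a) authentication attempts by accounts that should already be revoked, and
(b) large uploads to personal cloud storage or webmail by staff on notice.
Every user, timestamp, address and domain below is constructed.
"""
from datetime import datetime, timezone

# Constructed leaver register: when notice was given and when access was
# revoked (None = still pending, which is itself worth chasing up).
LEAVERS = {
    "jsmith": {"notice": "2017-06-30T09:00:00Z", "revoked": "2017-07-03T17:30:00Z"},
    "ajones": {"notice": "2017-07-05T09:00:00Z", "revoked": None},
}

# Assumed list of consumer services a leaver might use to take data with them.
PERSONAL_SERVICES = {"dropbox.com", "drive.google.com", "mail.google.com", "outlook.live.com"}

# Assumed threshold: uploads this size or bigger get flagged.
LARGE_UPLOAD_BYTES = 5 * 1024 * 1024

# Constructed sample log. One line per event: timestamp, event kind, key=value pairs.
SAMPLE_LOG = """\
2017-07-04T08:15:02Z AUTH user=jsmith result=success src=203.0.113.7
2017-07-04T08:20:10Z AUTH user=bwhite result=success src=10.0.0.12
2017-07-05T11:02:44Z PROXY user=ajones method=POST host=dropbox.com bytes_out=7340032
2017-07-05T11:05:01Z PROXY user=ajones method=GET host=intranet.example.local bytes_out=512
2017-07-06T19:41:13Z AUTH user=jsmith result=failure src=198.51.100.9
2017-07-06T12:00:00Z PROXY user=bwhite method=POST host=drive.google.com bytes_out=9000000
"""


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Turn one log line into a dict: ts, kind, plus the key=value fields."""
    ts, kind, *pairs = line.split()
    event = {"ts": parse_ts(ts), "kind": kind}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def review(log_text, leavers=LEAVERS):
    """Return a list of (user, finding, detail, value) tuples for leaver activity.

    A successful AUTH after the revocation time means revocation did not
    actually happen; a failed one means someone is still trying the old
    credentials. Either way it should be looked at.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        leaver = leavers.get(ev["user"])
        if leaver is None:
            continue  # not on the leaver register; out of scope for this review
        if ev["kind"] == "AUTH" and leaver["revoked"] and ev["ts"] > parse_ts(leaver["revoked"]):
            findings.append((ev["user"], "auth_after_revocation", ev["result"], ev["src"]))
        elif (ev["kind"] == "PROXY"
              and ev["method"] in {"POST", "PUT"}
              and ev["host"] in PERSONAL_SERVICES
              and ev["ts"] >= parse_ts(leaver["notice"])
              and int(ev["bytes_out"]) >= LARGE_UPLOAD_BYTES):
            findings.append((ev["user"], "upload_to_personal_service", ev["host"], int(ev["bytes_out"])))
    return findings


if __name__ == "__main__":
    for user, finding, detail, value in review(SAMPLE_LOG):
        print(f"{user}: {finding} ({detail}, {value})")
```

Run as a script it prints three findings from the sample: the successful login by jsmith the day after revocation (the one that matters most), the 7 MiB POST to a personal cloud service by ajones, and the later failed login attempt with jsmith’s old credentials. The staff member who isn’t on the leaver register is ignored even though their upload is larger, which is the point of keeping the register current rather than trying to police every upload.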
So, what does a separation plan need to include? As we said above it needs to involve input from a number of different parts of the business.
For the legal department it’s important that it’s made clear to staff, in their contracts, at induction and termination, that they have a duty to keep the company’s data confidential. Even when you part with staff on good terms you need to ensure that your data is protected. That may involve a period of non-competition or ‘gardening leave’ but you should ensure that you pay for this period to avoid unfairly penalising the employee.
The HR department needs to ensure that access to physical premises is cancelled as soon as possible. This includes the return of any keys or tokens and notifying reception and security staff that a person is no longer employed. Final salary payments can be withheld until access tokens and any company IT equipment have been returned and checked.
IT departments will usually operate some form of access control technology, such as Active Directory single sign-on. This makes it easy to terminate access to company resources; however, in the modern world there are things that it’s easy to miss. You need to make sure you revoke access to online resources that are external to the company’s own systems. These might include things such as collaboration tools, company blogs, social media, third-party software resources or stock photo sites.
In the case of staff with administrator access to systems you need to revoke not just individual passwords, but also immediately change any system passwords that might allow higher level access. It may also be useful to carry out a computer forensic examination of the employee’s machine to determine what emails have been sent, files accessed, etc. in the run-up to their leaving.
Again, revoking physical access to the likes of server rooms needs to be carried out in a timely manner, making sure any keys, swipe cards or other means of access are returned. Doors protected by keypad systems should have their codes changed.
The use of cloud storage and sharing services is a particular problem and deserves special treatment. Changing passwords is of course a first step, but sharing needs to be addressed too. Files and folders shared with another user in services like Dropbox or OneDrive will still be available to that user even if the account password is changed.
This affects small businesses just as much as large ones, and it isn’t only a business problem: it can arise in family law situations too, as in divorce cases where folders are shared between both partners’ PCs. Access to shared folders needs to be specifically revoked.
There is also a risk from shadow IT, where an employee has been using their own cloud account on a work PC; untangling this may require computer forensic investigation.
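Because a password change does nothing to shares that are already in place, the practical step is to walk the sharing listing for the departing user and revoke each share explicitly. The script below is an added example, not code from the original post or from any cloud provider: it works over a constructed sharing export (path, owner, members and their access level, whether a public link exists) rather than a real API, and produces the list of shares to revoke. The corporate domain, the leaver’s corporate and personal addresses, and the folder data are all constructed. It also goes slightly beyond the text by flagging external members on items the leaver could have re-shared, and by calling out ownership transfer for items the leaver owns, since deleting an owner account can take the folder with it.

```python
"""
Added example (not part of the original post): audit a constructed cloud
sharing export for a leaver and list the shares that must be revoked
explicitly, since changing the account password leaves them all in place.
All addresses, paths and domains are constructed.
"""

CORPORATE_DOMAIN = "example.com"

# Constructed leaver record: corporate account plus any personal addresses
# the business knows about (for example from the HR file).
LEAVER = {
    "account": "jsmith@example.com",
    "personal": {"john.smith@example.net"},
}

# Constructed sharing export. members maps address -> access level.
SHARES = [
    {"path": "/Sales/Pipeline 2017", "owner": "jsmith@example.com",
     "members": {"mkhan@example.com": "editor", "john.smith@example.net": "viewer"},
     "public_link": False},
    {"path": "/Finance/Board pack", "owner": "cfo@example.com",
     "members": {"jsmith@example.com": "viewer"},
     "public_link": True},
    {"path": "/Marketing/Assets", "owner": "mkhan@example.com",
     "members": {"agency@partner.example": "editor"},
     "public_link": False},
    {"path": "/Sales/Contracts", "owner": "cfo@example.com",
     "members": {"jsmith@example.com": "editor", "sales-partner@example.org": "viewer"},
     "public_link": False},
]


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[1].lower()


def audit_shares(shares, leaver, corporate_domain=CORPORATE_DOMAIN):
    """Return (action, path, subject) tuples needed to cut the leaver out of `shares`.

    Actions:
      transfer_ownership     the leaver owns the item; move it before disabling them
      remove_leaver_account  the corporate account is a member; remove it explicitly
      remove_personal_address a known personal address of the leaver is a member
      review_external_member an outside address on an item the leaver could re-share
      disable_public_link    an item the leaver could reach has a public link
    """
    actions = []
    for item in shares:
        path = item["path"]
        if item["owner"] == leaver["account"]:
            role = "owner"
        else:
            role = item["members"].get(leaver["account"])  # None if not a member
        could_reshare = role in {"owner", "editor"}

        if role == "owner":
            actions.append(("transfer_ownership", path, leaver["account"]))

        for member in item["members"]:
            if member == leaver["account"]:
                actions.append(("remove_leaver_account", path, member))
            elif member in leaver["personal"]:
                actions.append(("remove_personal_address", path, member))
            elif could_reshare and domain_of(member) != corporate_domain:
                actions.append(("review_external_member", path, member))

        # A public link on anything the leaver could reach survives every
        # account change, so it has to be disabled (or regenerated) separately.
        if item["public_link"] and role is not None:
            actions.append(("disable_public_link", path, ""))
    return actions


if __name__ == "__main__":
    for action, path, subject in audit_shares(SHARES, LEAVER):
        print(f"{action:24s} {path}  {subject}")
```

On the constructed export this yields six actions: transfer the folder the leaver owns and drop their personal address from it, remove their corporate account from two folders, disable the public link on the board pack they could view, and review the external partner on the contracts folder they could edit. The marketing folder is left alone because the leaver never had access to it; the external agency there is somebody else’s review.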
Businesses and employees have been parting company for hundreds of years, but dealing with data in these situations is a relatively new phenomenon. That said, it isn’t really all that different a problem from staff photocopying sensitive documents before leaving.
The key thing for businesses is to recognise the issue and put in place measures to ensure they can deal with digital separation quickly, smoothly and with nothing overlooked. Failure to do this could prove costly both in financial terms and to the reputation of the business.