Protecting your business assets when an employee leaves

29 Mar
But please don't take our data with you.

By: Markus Witcomb

IT Security / IT Support / Outsourcing

Comments: No Comments.

When someone leaves your company, the HR department (or your “HR” function) is quick to grab the employee’s laptop. But what about the data on other equipment? How can you know what’s on their mobile devices? Does anyone know to which websites and cloud-based software the employee has access?

Here’s how IT (working with HR) can help ensure the company’s data doesn’t walk out the front door when they do!

In an idyllic world, people leave your company only under friendly circumstances, because the business treats every employee with respect. The hiring process is so streamlined that few bad hires are made, so it’s rare for anybody to need to clean out their desks with an HR person looming over him, keeping an eye on what goes out the door. Reality is that this isn’t the case!

People are laid off, employees become disgruntled and search for a new position, and others are invited to Spend More Time With Their Families. It’s nice to think we can trust employees and hire great people, but the reality is that a single bad hire can wreak untold chaos, destruction, and financial loss – particularly when the employee has access to corporate data or systems after they have left.

While the off-boarding process is (typically) managed by HR, IT needs to be brought in to make sure that the now-ex employee is not a walking-and-talking security breach. That’s why HR has to work with IT to turn off access to every system to which the employee had access too.

This is assuming the IT bods can even know what those systems are. A recent survey showed that more than 18% of respondents still can access a previous employers’ systems using their old credentials. And, a surprising percentage still have access into two or more ex-employers’ systems. Shocking!!

How can businesses minimise this risk?

Let’s start with the easy stuff. Most businesses rely on standard ways to control employee access, such as a single sign-on system on which the user’s password is deactivated, often managed through Active Directory or something similar.

The best methods are a solid access control policy in addition to centralised authentication.

Centralised authentication make most things easy to shut off. Essentially, all access gets a “token”, which creates an audit trail. Upon termination, that system can be audited. This helps cover Software as a Service products easily.

HR knows about work-related sites to which most employees have access, such as payroll systems, accounts, accounting software, and travel services. Whether HR pulls the access for those logins or IT does so, it doesn’t really matter – as long as someone takes care of it, and a process is in place for turning things off. Too often, it’s a few days before anybody tells IT that the employee is gone – which is exactly the time during which an individual is most motivated to grab anything that might be useful.

What about external sites to which employees have access: website analytics, blogs, stock photo sites?

Social media is a huge security gap in terms of access to data and also the ability to post and publish by ex-employees. De-commissioning employees is a very manual process and unless you enforce it no one is going to do it. There are plenty of tales of woe from companies who learned this the hard way.

Then there are the BYOD devices on which employees collect data? How many of them does the average sysadmin even know about, much less know how to kill its access? Too few, really.

Some of these have technical solutions – and QAIST provides some that are valuable for this purpose. The ability to wipe the corporate data off a lost or stolen laptop or iPad also lets IT wipe the corporate data (but not the personal data) off the employee’s BYOD devices.

Another advantage: Because the data was backed up from the employee’s laptop, it’s accessible to anyone in the company who needs it. For example, the sales forecast figures that the employee had on their local drive are available because you were automatically backing up the system.

Shutting the door after the horse has bolted…

The issue of how much you can and should do to protect a newly-ex employee’s access depends on the company’s perception of the value of its data. That also starts with the day the employee is hired – not the day they leave.

Many of these policies support the company goal of policing data access, but sometimes at the cost of employee convenience (which encourages dangerous workarounds, since people do want to get their work done), and the unstated message that employees aren’t trustworthy. That’s a balance that each business must find for itself.

How far should you go?

Some businesses routinely put glue in the USB ports of workstation computers to minimize the ease of flash drive transfers (this is extreme and totally unnecessary!). They block access to outside sites that employees might use for malicious reasons, such as file sharing sites to which a planning-to-leave employee could copy the customer database.

Businesses that are serious about protecting data – and not just when employees leave – establish access rights via logons, with a password policy that requires strong passwords that change every N days.

All data is encrypted at rest and in motion, and automatically backed up and replicated to central servers.

Any devices connected to the PC are automatically encrypted and won’t decrypt on non-company PCs.

In these “we’re serious about it” scenarios, traffic to external sites is logged, so as to catch anyone sending documents to themselves via webmail or cloud storage and to establish an audit trail in the event intellectual property or other confidential documents are stolen. Ideally such sites are blocked and permission is granted on an individual basis.

Company policy may dictate that all logins to cloud services are issued by IT and logged in a database. Mobile access usually has Mobile Device Management (MDM) installed to track device usage.

In larger organizations, it’s wise to put in place a process that audits all of these things and keeps them clean on a regular basis. Someone should have it as a job duty to go through Active Directory and eliminate or disable unnecessary accounts (and ideally make it an automated process). Regular assessments need to be made to ensure that no back-door accounts into organization resources can be found (which can uncover things like unauthorized accounts).

The specifics vary, but the main idea is that user access is looked at with an eye for thoroughness and prevention, not hasty reaction.

However, if you make the process of giving people access to things too cumbersome and untrusting, then you’re just daring them to screw you over when they leave. So any processes you put in place to track this sort of thing should be supportive to the employees rather than a bureaucratic nightmare.

How much did you tell the employee when they started with you?

But all that is secondary to employee awareness and education. If employees’ website usage is tracked, they should be reminded of the surveillance regularly. On the day someone is hired, the employee should sign an employment agreement which includes a technology policy to which they must adhere.

In fact, the biggest loophole in this situation may be an employer being unable to prove that an employee was ever told, during or at the termination of employment, that there was a duty of care associated with company data; that failure to exercise reasonable care during employment was a termination offense; and that abuse of access following termination of employment was a breach of contract. So HR needs to brief the employees: Hand them the piece of paper that says what they’ve been told, and get their signature.

Ultimately, this is not a technology problem as much as a people issue: An ex-employee with good intentions isn’t going to disseminate the information no matter what. However, an ex-employee with bad intentions probably can create havoc no matter what you try to do.

It is, however, IT job to minimize the damage that individual can do, by locking all the doors possible.

Leave a Reply