Under ideal circumstances, when employees leave your company, it is on good terms and they are just going off to pursue other opportunities. There is typically a two-week notice period where the employee and company wrap up loose ends, where the employee provides summaries on all their projects, and distributes his or her responsibilities amongst colleagues. This ideal scenario isn’t even all that rare. The vast majority of employees who leave their jobs each year are honest and good corporate citizens. They are moving to a new job, but don’t want to burn any bridges with their previous employer.
However, there are also situations where employment ends abruptly under troubling circumstances. Sometimes an employee will be fired abruptly or after multiple warnings. Sometimes an employee will quit without notice and will not return to the office. In a few cases, disgruntled employees may attempt to take valuable data with them, or log back into a system using a shared password to vandalize or delete data after they are gone.
In many organizations, employees at all levels have access to valuable company data, some of which is very sensitive. Protecting company data from former employees is both more difficult and more crucial now that so many employees can access data from personal devices like tablets and smartphones. BYOD (Bring Your Own Device) introduces many security challenges that companies have to face. Protecting sensitive data from disgruntled former employees is even more difficult. Here are a few ideas to help:
Have a procedure in place
There should be an accurate record of all the applications, systems, and resources each employee has access to, so that the IT department can quickly and completely shut down an employee’s access. When an employee either resigns or is fired, the process of decommissioning their login credentials and removing their access to company resources and sensitive data should begin immediately (or as soon as the employee’s manager says it is okay to remove their access). In most cases, even though the employee has given notice, they are still wrapping up projects and need to be able to access the system and their projects.
Require individual identity management
Employees should access all systems and resources through uniquely identifying credentials. This doesn’t require a single sign-on system, which comes with risks of its own. However, employees should be logging into systems through the Active Directory account on their workstation or through unique usernames and passwords. Having a shared password for a system leaves it vulnerable to ex-employees logging into the system and making changes. It would be highly detrimental for an ex-employee to log in to a system undetected and either delete all the data or encrypt it without sharing the decryption keys; they could in theory hold the data hostage. Having shared passwords also makes it difficult to track down who made changes such as deleting or moving data.
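As an added example (not code from the original article), the two points above can be made concrete: a per-employee access record drives a deprovisioning checklist, and the record itself exposes which systems still rely on shared credentials. The inventory layout, employee ids, system names and executor callables below are all constructed assumptions for illustration; in a real environment the executors would call the directory, VPN or application APIs.

```python
"""Added example: build and run a deprovisioning checklist from an access inventory.

Assumptions (not from the article): the inventory is a dict keyed by employee id,
and each system is disabled through a small callable registered in EXECUTORS.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class AccessEntry:
    system: str            # application, server or service
    identity: str          # the employee's own username, or the name of a shared account
    shared: bool = False   # True when several people know this credential


@dataclass(frozen=True)
class Action:
    system: str
    kind: str              # "disable_account" or "rotate_shared_secret"
    target: str


# Constructed sample inventory: two employees, one shared service account.
INVENTORY: Dict[str, List[AccessEntry]] = {
    "jdoe": [
        AccessEntry("vpn", "jdoe"),
        AccessEntry("crm", "jdoe"),
        AccessEntry("backup-server", "backup-admin", shared=True),
    ],
    "asmith": [
        AccessEntry("vpn", "asmith"),
        AccessEntry("backup-server", "backup-admin", shared=True),
    ],
}


def deprovision_plan(employee: str, inventory=INVENTORY) -> List[Action]:
    """Every entry in the employee's record becomes exactly one action.

    A unique identity is simply disabled. A shared credential cannot be
    disabled without locking out the other holders, so it is rotated instead;
    that is the only way to invalidate the leaver's knowledge of it.
    """
    if employee not in inventory:
        raise KeyError(f"no access record for {employee!r}")
    actions = []
    for entry in inventory[employee]:
        kind = "rotate_shared_secret" if entry.shared else "disable_account"
        actions.append(Action(entry.system, kind, entry.identity))
    return actions


def shared_credentials(inventory=INVENTORY) -> Dict[str, List[str]]:
    """Map each shared account ("system/identity") to the employees who hold it."""
    holders: Dict[str, List[str]] = {}
    for employee, entries in inventory.items():
        for e in entries:
            if e.shared:
                holders.setdefault(f"{e.system}/{e.identity}", []).append(employee)
    return holders


# Simulated executors; a real one would call the system's API and return success.
EXECUTORS: Dict[str, Callable[[Action], bool]] = {
    "vpn": lambda a: True,
    "crm": lambda a: True,
    # "backup-server" deliberately has no executor: rotating that secret is a manual step.
}


def execute_plan(actions: List[Action], executors=EXECUTORS) -> Dict[str, List[Action]]:
    """Run each action through its executor.

    Anything without an executor is reported under "manual" rather than silently
    skipped, so an incomplete offboarding is visible instead of assumed done.
    """
    result: Dict[str, List[Action]] = {"done": [], "manual": [], "failed": []}
    for a in actions:
        ex = executors.get(a.system)
        if ex is None:
            result["manual"].append(a)
        elif ex(a):
            result["done"].append(a)
        else:
            result["failed"].append(a)
    return result


if __name__ == "__main__":
    for bucket, acts in execute_plan(deprovision_plan("jdoe")).items():
        for a in acts:
            print(f"{bucket:7} {a.kind:22} {a.system}/{a.target}")
    print("shared credentials still in use:", shared_credentials())
```

The "manual" bucket is the useful output for the manager sign-off the article mentions: offboarding is only complete when it is empty, and the shared-credential report shows which systems should be migrated to individual accounts before the next departure.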
Remote wipe and scrub corporate data
In organizations practicing BYOD, it will often be impossible for IT to perform a remote wipe of all the data stored on the device. That is why it is so important to rely more heavily on authentication and encryption for protecting sensitive data. If the data cannot be remotely deleted, at least it can be rendered inaccessible without the proper encryption keys or active user account credentials. In addition to keeping control over the data stored on mobile devices, organizations also have to be concerned with data stored in personal cloud file syncing services like Dropbox, Box, and SkyDrive. Programs like these make it very easy to store an individual’s data across multiple devices and share it with friends and colleagues, but they also make it easy for employees to retain company data after their employment ends. Employers should take steps to prevent employees from storing data in cloud syncing services where the company cannot maintain control over access.