Businesses can expect 1 in 5 of their employees to turn over in an average year. You can be doing all you can to retain your staff, but are you also prioritizing data protection when people do leave?
In this article we discuss the 8 steps you should take to protect your company data when employees leave your organization.
Understanding The IT Risks Of Employee Turnover
There are times when you have to let employees go, but in this age of the Great Resignation, you may have more people leaving voluntarily. They could be younger workers who see greener pastures elsewhere, or older workers ready to retire. Problems arise if employees take data with them or leave with continued access.
When people exit your company, whether on good terms or not, they represent a data risk. Due to bring-your-own-device policies, they could have company data on a laptop, tablet, or smartphone. They may also have user accounts set up for business software on those mobile devices.
Someone leaving involuntarily might also remove data from your company with ill intent. They could download data to a portable thumb drive (USB drive), or transfer information to the cloud for continued access after leaving. They might release data publicly, sell it to criminals, or take it to your competition.
What You Can Do to Offset The Risks Of Employee Turnover
#1 Begin At The Beginning
When onboarding new employees, educate them about data security. Ensure they understand the importance of strong passwords, encryption, and saving information securely. That means using a secure server or using your organization’s cloud storage rather than a local machine.
#2 Provide Ongoing Training
Keep employees current on the treatment of confidential data, whether they are working for you or leaving. Cover what they can and cannot use to access corporate data, especially intellectual property or trade secrets.
If you have data compliance requirements, offer ongoing instruction about regulations.
#3 Develop a Security Culture
Onboarding and training prove your business prioritizes security. Also, set clear policies on visibility into employee practices, data encryption, and backup.
If you are going to allow people to use their own devices, use remote management to monitor that activity. When someone does leave your organization, immediately go in and secure or remove company data.
#4 Monitor Employee Behavior
Have a clear overall picture of who is accessing what and from where. Knowing where resources are, and which employees use them, can help you spot questionable behaviors. For example, people regularly download documents or send information to the cloud, but is someone suddenly doing that a lot more? That may mean they are preparing to leave and could be taking data with them.
In the news: Leica Geosystems sued an employee for downloading 190,000 files containing sensitive information on his last day at work.
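The "suddenly doing that a lot more" check from step #4 can be expressed as a per-user baseline comparison. The following is an added example, not part of the original article; the log layout, user names, and thresholds are assumptions made up for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample: files downloaded per user per day (not real data).
SAMPLE_LOG = """date,user,files_downloaded
2024-03-04,alice,14
2024-03-05,alice,9
2024-03-06,alice,17
2024-03-07,alice,12
2024-03-08,alice,15
2024-03-04,bob,22
2024-03-05,bob,18
2024-03-06,bob,25
2024-03-07,bob,20
2024-03-08,bob,1900
2024-03-07,carol,3
2024-03-08,carol,40
"""

def load_daily_counts(text):
    """Return {user: [(date, count), ...]} with each list sorted by date."""
    per_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        per_user[row["user"]].append((row["date"], int(row["files_downloaded"])))
    return {user: sorted(days) for user, days in per_user.items()}

def find_download_spikes(per_user, factor=5.0, min_history=3, min_count=50):
    """Flag users whose latest day exceeds factor x their own median baseline."""
    alerts = []
    for user, days in per_user.items():
        *history, (last_date, last_count) = days
        if len(history) < min_history:
            continue  # too little history to judge what is normal for this user
        baseline = median(count for _, count in history)
        # The absolute floor keeps very light users from alerting on small jumps.
        threshold = max(min_count, factor * baseline)
        if last_count > threshold:
            alerts.append({"user": user, "date": last_date,
                           "count": last_count, "baseline": baseline})
    return alerts

if __name__ == "__main__":
    for alert in find_download_spikes(load_daily_counts(SAMPLE_LOG)):
        print(alert)
```

Comparing each person against their own history, rather than a company-wide average, keeps heavy but legitimate users from drowning out the one account whose behavior actually changed.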
#5 Limit Access To Data
Having a full map of your IT and employee roles can also help you to limit access. Taking a least-privilege access approach is the safest route. This allows someone to have access only to what they need to get their job done, nothing more. This can help cut the damage if someone inadvertently or intentionally takes data.
#6 Prioritize Data Protection
Put policies in place to force people to save important work to secure locations. Good data backup is critical. This can help you recover more quickly in the event of a malicious attack. It can also be useful if someone inadvertently deletes something important while trying to wipe devices clean for a new user.
#7 Have An Exit Policy
Your employment contracts need clear language about protecting sensitive and confidential data. Reiterate those now. If the employee has access to your social media, ensure they are no longer able to log in and post.
Also, establish a procedure for proper data removal from employee devices. Enlist IT to clear corporate technology and wipe employee personal devices.
In the news: Atlantic Marine Construction Company sued a former employee for installing Google Chrome Remote Desktop without authorization. The former SVP accessed the company’s network at least 16 times after he left to take confidential information!
#8 Communicate Internally
Make sure all relevant parties know about terminations immediately. If Sue leaves accounting but IT doesn’t know for a week, that could leave you exposed.
Know who needs to know about terminations to remove logins and close accounts. Expect prompt action to change passwords on shared accounts or blacklist terminated employees.
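One way to measure the gap described in step #8 is to reconcile the HR termination list against account status and login records. This is an added example, not part of the original article; the data layout, system names, and the one-hour tolerance are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; names, systems and field layout are hypothetical.
HR_TERMINATIONS = {"sue": "2024-03-01T17:00", "raj": "2024-03-04T12:00"}
ACCOUNTS = [
    {"user": "sue", "system": "accounting", "disabled_at": "2024-03-08T09:00"},
    {"user": "sue", "system": "vpn", "disabled_at": None},
    {"user": "raj", "system": "vpn", "disabled_at": "2024-03-04T12:05"},
]
LOGINS = [
    ("2024-03-01T09:12", "sue", "accounting"),
    ("2024-03-05T22:40", "sue", "vpn"),
    ("2024-03-04T08:30", "raj", "vpn"),
]
NOW = datetime(2024, 3, 9, 9, 0)  # constructed "current time" for the audit

def _ts(text):
    return datetime.fromisoformat(text)

def offboarding_gaps(terminations, accounts, now, max_lag=timedelta(hours=1)):
    """Accounts of departed staff that are still open or were closed too late."""
    gaps = []
    for acct in accounts:
        left = terminations.get(acct["user"])
        if left is None:
            continue  # user is not on the termination list
        closed = acct["disabled_at"]
        # An account that was never disabled is exposed up to the present.
        lag = (_ts(closed) if closed else now) - _ts(left)
        if lag > max_lag:
            state = "open" if closed is None else "late"
            gaps.append((acct["user"], acct["system"], state, lag))
    return gaps

def post_termination_logins(terminations, logins):
    """Logins recorded after the user's termination time."""
    return [(when, user, system) for when, user, system in logins
            if user in terminations and _ts(when) > _ts(terminations[user])]

if __name__ == "__main__":
    for gap in offboarding_gaps(HR_TERMINATIONS, ACCOUNTS, NOW):
        print("gap:", gap)
    for hit in post_termination_logins(HR_TERMINATIONS, LOGINS):
        print("login after termination:", hit)
```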
Step Up Your Security Posture With An MSP
Enlisting a managed service provider (MSP), like Digital Industry, is one more way to cut risks when employees move on. The MSP can establish content management solutions and set up virtual desktops. These experts can also help with cloud solutions, encryption, and access authentication. They can provide valuable guidance for isolating sensitive data.
An MSP can remove employee access, wipe devices, and disable accounts. If a disgruntled employee deletes or corrupts files, an MSP can do backup and recovery to get you back on track.