Let’s start with the premise that company data belongs to the company, not to the employee.
When an employee leaves a company, whether voluntarily or involuntarily, it is quite common for sensitive and confidential data to disappear.
While most employees will leave their jobs voluntarily, there are always involuntary terminations such as a reduction in workforce, or, a termination based upon poor performance reviews. The problem from a security standpoint is that it is very common for these folks to take sensitive and confidential data with them, perhaps accidentally, but perhaps intentionally.
Just stop for a moment to consider all of the data that your employees have access to: various types of intellectual property, price lists, customer and key account information, financial data, sensitive HR material, marketing plans, sales data, competitive intelligence, product and manufacturing plans, databases, software programs. All of which belong to the employer.
As a business owner, you may be asking yourself why people would take data with them.
Accidental. In a world filled with so many devices, cloud storage, mobile apps, and cloud applications, a departing employee may leave with a lot of corporate data and not even remember or realize that they still have it in their possession. Since so many employees work from home, corporate data will often end up on a personal laptop, desktop, USB stick, phone, or in a shared file.
Entitlement. An employee who has worked on key client relationships or perhaps is leaving an organization that is struggling financially, won’t always feel like the data belongs to the organization. In fact, these people may think that they’re justified in taking the data with them, and that it really belongs to them. This issue is most common and kept common by the mere fact that corporate data protection policies aren’t always strictly enforced, especially in smaller organizations.
Malicious Intent. Some employees may be angry because of a layoff or other involuntary termination. Others may not have gained a promotion they felt they deserved. Some may have a personal dispute with upper management or with their supervisor. Then there are those who feel they will have a lot to gain by bringing this information to their next employer. While this may be less common, it will likely prove to be the most destructive scenario.
What are the consequences of an employee leaving with proprietary information? Whether it’s by mistake, or maliciously, the worst case scenario is that it has the potential to put an organization out of business.
The best way to protect your organization is to be proactive by establishing and enforcing a set of best practices.
- Organizations must maintain complete, ongoing visibility into sensitive data wherever such data is stored.
- All sensitive and confidential data should be encrypted.
- Email should be archived.
- Require appropriate authentication for sensitive data. Creating policies that will alert or require approval will keep data safe.
- Limit and manage employee access by department, role, and function. Limit access only to content that is needed to get the job done. For example, an IT person does not need unlimited access to HR files, nor does a financial person necessarily need complete access to the CRM system.
- Ensure a proper backup and recovery policy. All data should be backed up to a central or accessible location. A recovery plan should be in place should an employee maliciously change or delete data.
- Develop a policy for the proper use of email and company-owned devices. Employees should be trained on these policies and asked to sign an acknowledgement form.
- Train management properly so that when an employee leaves, the exit process is handled professionally to prevent both inadvertent and malicious loss of data.
- Do not allow employees to install their own applications, mobile apps, etc. as this will open up the organization to malware and ransomware. The IT department should always handle the installation of applications.
- Develop a policy around BYOD (Bring Your Own Device) to ensure that personal devices are properly secured.
You can protect your organization to minimize, if not eliminate, the threat of sensitive and confidential information theft. Create corporate policies focused on appropriate employee management of data. Establish processes designed to control employee use of data. Deploy technology solutions that will keep corporate data safe.
If you’re ready to protect your organization, it pays to work with a Managed IT Services/Managed Cloud Services company, like Bryley Systems, to ensure that you’re taking the right steps. Bryley will recommend solutions to eliminate weak links in your security chain, and help you develop an organization-wide policy to help prevent data loss.
Please contact us at 978.562.6077 or by email at ITExperts@Bryley.com. We’re here to help.