As you bid goodbye to your employee and he or she leaves, how do you ensure that your company’s data doesn’t leave with him or her? In your current exit checklist, apart from recovering the company laptop or tablet, are there any other areas that you might have overlooked which might place your data at risks of a leakage until it’s too late?
According to an infographic put together by Go-Gulf on cyber crime statistics and trends, a staggering 59% of ex-employees admit to stealing company data when leaving the job. An even higher 67% admitted they would use their previous employer’s “confidential, sensitive or proprietary information” to leverage a new job. Companies who place unbridled trust on an ex-employee’s good nature do so at their own peril, even when the employee has left on good terms. It is therefore important that company personnel and IT administrators need to follow next steps and protocol to ensure that no data leaves with the employee.
Revoke online access to company systems
Most employees would have access credentials to the company network, with their own user ID and password. They may also have an official email ID, alongside other accounts and company software or systems. Access to such accounts need to be revoked the moment the employee is relieved. While it may seem an obvious thing to do, a 2014 survey by Lieberman Software reveals that 13% of respondents could still access previous employers’ systems using old credentials.
Revoke Physical Access
Apart from digital accounts, the IT administrator may also have to remove the ex-employee’s access credentials from biometric devices such as hand and optical scanners, and any access cards or other smart cards the employee was issued.
Retrieve Accounts outside the Network
Simply disabling employee access to company networks may not be enough. The departing employee may have set up, or have access to, an entire gamut of third-party resources, such as payroll systems, accounting software, GotoMeeting accounts, github, chat systems, travel services, website analytics, blogs, stock photo sites, and more. The employee may even have access to the company’s official social media pages. This is where coordination within team members such as the ex-employee’s supervisor, teammates, and HR is important to quickly identify such accounts and reclaim them. Decommissioning or reclaiming accounts can be a manual and time-consuming process, but is necessary to safeguard data access within the company.
Change Company-wide Passwords
It is a good idea to change passwords periodically, and there’s no better impetus to do so then when an employee leaves. While revoking an ex-employee’s personal access to emails and systems are most likely to prevent any re-entry back to the company’s platforms, systems that use shared IDs and passwords may still be a loophole to gain re-entry. Overlooking such shared platforms in which the ex-employee has the shared details will only increase the risk of unnecessary data leaks and make tracing back to how the data leak happened even more difficult.
Don’t be trigger-happy
While being prompt in disabling access is great, resist the temptation to be trigger-happy and purge everything connected with the ex-user as once an account is deleted, the data residing in it may not be retrievable. Be sure to check through the account at least once for any important data that needs to be saved or any accounts that needs to be transferred. For example, if the account’s user was the primary user for services such as Google Analytics or AdWords, the accounts need to be transferred out else the company may risk losing all access to the data. Retrieval may still be possible but it would involve quite a bit of a hassle, possibly even disrupting business operations. Thus, the IT administrator needs to review all accounts thoroughly, and reassign any administrative rights, tickets, or other responsibilities connected with the account, before deleting it.
Archive Employee’s Digital Footprint
It is good practice too, to always archive the employee’s digital footprint in the company, and keep any hard drives the employee had used. Such records could become invaluable for forensic analysis, especially to establish guilt in case of any wrongdoing, such as theft of intellectual property violations.
Even before an employee leaves the company, it’s always good to revisit exit checklists and review against them to see if any new systems or processes have been missed out. Whether it’s revoking access online or offline, being thorough in checking through will help increase the safeguarding of company data and prevent unnecessary data leaving the company, even as the employee does.