HIT Think

Tips for protecting your data when losing an employee

Register now

Companies spend a lot of time talking about staff retention, when perhaps they should be equally concerned about data retention. Most employers would be surprised to learn that departing internal employees can pose a much bigger threat to their business’s data security than external hackers.

Alarmingly, 87 percent of employees who leave a job take with them data they created at that job, and 28 percent take data that others had created, according to a survey from Biscom. Eighty-eight percent take corporate presentations or strategy documents, 31 percent take customer lists and 25 percent take intellectual property. A survey by Osterman Research also found one in five ex-staffers uploads these sensitive and confidential files to an external cloud service specifically for the purpose of sharing them with others.

The former employees’ motivations range from simply wanting to keep a copy of their work to wanting to use the data destructively, or to gain a competitive or financial advantage. Earlier this year, for example, Tesla reported that an ex-employee stole gigabytes of data and shared some of it with various news outlets, causing Tesla to suffer losses in business and profits, as well as damage to its reputation.

The hard reality is that the majority of your departing employees will try to take company data with them, but there are proactive steps companies can take to ensure their data is safe after the staffers leave.

Know your data
You can’t protect what you don’t know you have. So, the first step is to perform a detailed inventory of your organization’s data and where it’s stored. This involves a thorough audit of the files within your company, which may include in-depth questionnaires for every employee or department. The end result should be a data “map” that details where all of your data is kept, who has access to which files, and when those files were created and modified.

Secure your data
Once you’ve completed an inventory of your company’s data, take a multi-layered approach to locking it down. This can be achieved by:

  • Revising employee contracts to include legally binding confidentiality clauses about sensitive and trade-secret data.
  • Restricting current employees’ access to vulnerable data so they can see only what’s needed to perform their defined duties.
  • Requiring two-factor authentication for sensitive files.
  • Using an encryption platform to increase file security. (The average cost of fully encrypting data may seem high at $235 per computer, but the average amount lost due to data exposure is $4,650 per device, according to the Ponemon Institute.)
  • Configuring laptops and mobile devices to ensure you have the ability to remotely wipe every device that may contain company data.
  • Introducing policies to frequently reinforce to employees that data belongs to the company and that their use of company equipment and files may be monitored.

Have a final-day checklist
When an employee resigns or is let go, company managers should take responsibility for always ticking off this checklist on the last day of employment:

  • Remind the employee of the agreement they signed in their employment contract regarding sensitive and confidential information.
  • Gauge the risk of a data leak by asking the employee about their future plans and employment.
  • Retrieve the staff member’s company-supplied devices, including computers, phones, external hard drives, backup discs and thumb drives.
  • Make forensic copies (see below) then clean up or completely wipe any personal devices that had access to company-related files.
  • Disable the employee’s access to all networks and systems, cloud and CRM platforms, and phones and voicemail.
  • Retrieve keys and tags for building and parking access, as well as any company credit cards.

4. Go forensic
In case you later suspect a former employee has stolen data, your company will benefit from having forensic copies of their devices so you can look for suspicious activity such as:

  • File transfers involving a large volume of confidential material being moved to another device or cloud account.
  • A significant increase in outbound emails.
  • Proprietary files residing locally (a downloaded customer list from your CRM, for example).
  • Unusual after-hours, weekend or holiday activity.
  • Software that was recently added or deleted, or upgraded or downgraded.

So, before reissuing the ex-staffer’s computer, tablet or phone to another employee, ensure that a forensically sound copy of the device’s hard drive has been made. Taking this step will significantly improve your company’s ability to prosecute any IP theft in the future, but it’s important that it be done only by licensed, certified personnel or by an external vendor. The process is called “imaging” because it makes a “bit-for-bit copy” of the entire device’s storage to minimize the risk of spoliation or unintentionally compromising the files.

Imaging goes far beyond what an ordinary IT backup can do. The process not only copies active files, but also deleted files and fragmented files, log files and other activity records, and it preserves unallocated space on the drive – all while maintaining metadata information.

A write-only hardware device called a write-blocker should be used to safely acquire information from the hard drive, and imaging should include hash-verification and logging of encrypted and password-protected files. The procedure should be completed on all of a departing employee’s devices and platforms including emails, application files, databases and cloud locations plus internet browsers, social media, messaging apps, games and more.

Depending on your needs, your forensic team may be able to retrieve deleted files, recover temporary files that were copied to another storage device and even expose hidden data. If you have serious concerns about an employee and want a snapshot of the organization at the time of their departure, you may also want to consider removing server backup tapes from rotation so they are not overwritten.

Confront data thieves
Regardless of a former employee’s motives for removing data from your business, if you confront them with evidence of the file-copying, many times they will simply delete or return the files to settle the matter without the need for further action. But if the situation escalates and requires litigation, you’ll want your forensic team to be affiliated with an eDiscovery company so they’ll be able to easily facilitate the entire process of collecting, analyzing and reviewing data to support your case.

Invest in cybersecurity
When you have the peace of mind from knowing that a departing employee hasn’t taken data with them, or the evidence to confront them if they have, you’ll be glad you invested in the data security and forensic measures described above. Remember, though, that your investment is only truly worthwhile if teamed with the appropriate staff training, policies and procedures.

It makes good sense to protect your organization’s data, and almost nine in 10 companies plan to increase cybersecurity spending this year, according to the 2018 Thales Data Security Report. Many of those businesses, however, will spend their money trying only to fight off external hackers, while failing to adequately protect themselves from the threats within. After all, who knows your company’s data better than its employees?

This story originally appeared in Information Management.
For reprint and licensing requests for this article, click here.