When you think about data theft, you often think the perpetrator will be a distant cybercriminal. However, one of the greatest threats to your enterprise data may be someone who was once part of your organization.
The reasons an employee takes confidential company information range from benign and misguided to intentional, for the purposes of personal gain. Regardless of the reason, employee theft damages a company in multiple ways, such as violating national and international regulations, harming its competitive position and affecting the bottom line. It could also force the company to take legal action against former employees.
Data protection should be an ongoing effort, not just a priority when employees leave. To reduce the risk of employees taking information with them when they leave, you will need a combination of frequently updated policies and procedures, as well as technology solutions. Here are a few best practices for ensuring that data doesn’t leave the office with your departing employees.
Establish clear employee policies on handling company data and information
Often companies don’t have policies in place that prevent employees from taking company data with them. To help prevent this, create comprehensive policies that are clear and thorough, outlining that all information, documents and data created by the employee, or any other employee, are considered company property.
Encrypt data at all stages and require authentication
Whether it’s in transit, at rest or in use, sensitive and confidential data should always be encrypted, regardless of its location. Authentication can further protect data by preventing access by unauthorized parties. This alone can prevent much of the data loss that occurs when an employee leaves a company.
Promptly disable employee access
Employees who leave should have their passwords revoked immediately upon their departure – preferably on their last day of employment. Delaying this step could become a costly mistake if the former employee then accesses the company’s information from a remote site to destroy or steal it.
Limit employee access to data and develop policies on proper use of platforms
It’s essential for companies to have acceptable use policies regarding proper use of corporate email, company-owned and personal devices, cloud applications and other platforms where corporate data may be stored. Additionally, companies can set parameters for who has access to what data on a need-to-know basis, ensuring IT has greater control over sensitive information.
Make privacy a priority; demonstrate this by crafting privacy documents for each employee to sign. Articulate that there is a no-tolerance policy toward infringement of this agreement and stick to your guns.
Freeze usage of employee’s computer
When an employee resigns, it is not always possible to know immediately whether the employee presents an unfair competitive threat. It may be a few weeks before an employer learns that the former employee engaged in misconduct. Computers previously used by the former employee can be a valuable tool when conducting an after-the-fact investigation, but key evidence can be lost (e.g., overwritten or deleted) if the employer has continued to use the former employee’s computer.
For this reason, a former employee’s computer should be removed from active use if there is any suspicion that the former employee poses a competitive threat. If this is not feasible, making a forensic image of the computer is an alternative.
Employee turnover is a fact of life, but data loss due to departing employees should not be. Most businesses are not adequately prepared to deal with the repercussions of employee data theft, nor do they have the capabilities to mitigate these risks before they occur. Blending strong corporate policies focused on the proper handling of sensitive information with the right technology tools that best meet the organization’s needs can minimize, if not eliminate, the threat of employee data theft.