The coronavirus pandemic introduced a reality few employers expected. Making all or most office operations remote while simultaneously reducing staff due to the sudden economic downturn brought unfamiliar challenges. In particular, greater cybersecurity risks required urgent attention as more employees worked from home and those let go potentially retained access to their former employer’s networks and data.
A full five years before COVID-19 hit, Biscom estimated that 87 percent of employees who leave a job take organization data when exiting. Whether they do so with malicious intent or simply because they believe the data belongs to them, exiting employees can cause serious damage to their former employer.
Countering this threat by developing and implementing strong policies and procedures for securing data becomes essential when so many organizations are letting so many remote workers go. Here are six steps to take.
Disable the Employee’s Access to Data
At the end of an employee’s last day, have the IT department disable the employee’s access to all organization systems such as email, shared software, collaboration apps and cloud or third-party platforms. You can use the exit interview to learn the employee’s passwords to the systems and encrypted files, as well as to determine where the individual may be storing data and whether personal devices need to be wiped of organization data.
Remember to ask about programs that are not organization-approved. Employees may find and use various third-party solutions for business tasks.
Also be sure to disable the employee’s physical access to organization property. Ask for the return of keys, parking passes and key fobs. If employees use personalized access codes, disable the one used by the departing employee.
Last, ensure all organization-owned equipment is returned or mailed back on the employee’s last day, including laptops, smartphones, hard drives and thumb drives. Ask the employee to remove all their personal data from organization devices prior to returning them and have them sign an agreement stating that any personal data left on a device belongs to the organization and can be deleted at any time. Although employees in the United States generally do not have privacy rights to personal data on work devices, obtaining the signed agreement avoids unnecessary headaches.
Determine the Exiting Employee’s Legal Hold Status
Organizations are legally required to preserve data that may be needed for litigation. Be sure to verify whether the employee’s data might be relevant to an investigative or regulatory matter before deleting it or reissuing a device.
It is wise to establish a policy that requires all devices be held and remain untouched for 90 days before wiping them. If an issue were to arise, it would most likely occur within that timeframe. It is also wise to preserve a device beyond the 90-day window if you suspect theft. Not following these practices could open the organization to charges of spoliation of evidence and massive fines.
Preserve All the Data
If you suspect the employee’s data may be needed for future litigation, have the IT department make a forensically sound, bit-for-bit copy of the device’s entire storage. Such a copy is also known as an “image.”
The imaging process duplicates files in their entirety (including metadata), deleted files, file history, USB device use and more. This paints a clearer picture of the employee’s activity on the device and can be necessary to prove innocence or guilt in a legal matter. If your organization deals with sensitive information, you may choose to image each of a departing employee’s devices whether or not you suspect theft.
Complete Data Remediation
After a device has been imaged, you can proceed with data remediation, which is the process of securely removing and destroying data from the device itself. Keep in mind that you will also need to delete organization data on the employee’s personal devices, which you should have learned about during the exit interview.
Look for Suspicious Behavior
Using the complete copy of the data on a former employee’s device, search for unusual activity that may indicate they stole data. Some questionable actions to look for include:
- The transfer or deletion of large amounts of data through a USB drive or the cloud;
- An increase in data usage beginning a few days before the employee’s departure;
- The transfer of data during unusual hours such as nights, weekends and holidays;
- Recent installs or removals of software;
- Access of organization systems that do not pertain to the employee’s job description or which violate organization policies; and
- Personal accounts being logged into from an organization’s device.
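As an added illustration (not part of the original article), the following script applies the indicators above to a constructed activity log: large or off-hours transfers, software changes and a data-volume spike in the final days before departure, personal-account logins, and file access outside the employee’s job scope. The departure date, the event format, the thresholds and the `/projects` job-scope path are all assumptions chosen for the example.

```python
from datetime import datetime

# Constructed sample activity log for a departing employee (illustrative, not real data).
# Each record: timestamp, event kind, detail, megabytes moved (0 when not a transfer).
DEPARTURE = datetime(2020, 6, 30)          # assumed last day of employment
EVENTS = [
    ("2020-06-10 10:15", "usb_copy", "Q1_report.xlsx", 5),
    ("2020-06-26 23:40", "usb_copy", "customer_list.csv", 850),
    ("2020-06-27 02:05", "cloud_upload", "personal-drive", 1200),
    ("2020-06-28 09:30", "software_install", "sync-client", 0),
    ("2020-06-28 09:45", "login", "personal-webmail", 0),
    ("2020-06-29 14:00", "file_access", "/finance/payroll", 0),
    ("2020-06-29 22:10", "file_delete", "/projects/archive", 400),
]
TRANSFER_KINDS = {"usb_copy", "cloud_upload", "file_delete"}
BUSINESS_HOURS = range(8, 18)   # weekday 08:00-17:59 counts as normal working time
LARGE_MB = 500                  # assumed threshold for a "large" transfer or deletion
JOB_SCOPE = ("/projects",)      # assumed paths the employee's role is expected to touch

def flag_events(events, departure=DEPARTURE, window_days=7, spike_factor=3):
    """Return (timestamp, reason, detail) tuples for events matching the indicators."""
    findings, window_mb, baseline_mb = [], 0, 0
    for ts, kind, detail, mb in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        days_before = (departure - when).days
        recent = 0 <= days_before <= window_days   # inside the final window before departure
        if kind in TRANSFER_KINDS:
            if recent:
                window_mb += mb
            else:
                baseline_mb += mb
            if mb >= LARGE_MB:
                findings.append((ts, "large transfer or deletion", detail))
            if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
                findings.append((ts, "off-hours transfer", detail))
        elif kind in ("software_install", "software_remove") and recent:
            findings.append((ts, "recent software change", detail))
        elif kind == "login" and detail.startswith("personal-"):
            findings.append((ts, "personal account login from org device", detail))
        elif kind == "file_access" and not detail.startswith(JOB_SCOPE):
            findings.append((ts, "access outside job scope", detail))
    # Volume moved in the final days compared with everything earlier in the log.
    if window_mb > spike_factor * max(baseline_mb, 1):
        findings.append((departure.strftime("%Y-%m-%d"), "data-usage spike before departure",
                         f"{window_mb} MB in last {window_days} days vs {baseline_mb} MB before"))
    return findings

if __name__ == "__main__":
    for ts, reason, detail in flag_events(EVENTS):
        print(f"{ts}  {reason:40} {detail}")
```

Each flagged record is a lead for the forensic review described in the next step, not a conclusion on its own; the thresholds should be tuned to the organization’s normal activity so that routine work does not drown the genuine signals.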
Hire a Forensic Expert
Immediately bring in a forensic expert when suspicious activity is discovered. The professional can remotely analyze various activities, such as the former employee’s access of the organization’s network and files, email and USB use, browsing history and changes to metadata. The investigator can also try to recover deleted or compromised files and review system or log files for additional suspicious activity. It is important to work with a licensed professional who can maintain the integrity of the data so that it will be admissible in court if legal action is taken.
While internal data theft is a serious concern, one analysis revealed that nearly three-quarters of the employees who take their organization’s data do so while thinking the data is rightfully theirs. Often, the best practice is to directly confront an individual who has retained data after leaving your organization. Asking for the data to be returned can suffice to get it back without any further issues.
Still, there will be some people who intend to cause harm to the organization. This is why it is wise to follow the steps outlined above and to be prepared for litigation if the situation demands.
01 July 2020
