Employees who leave their employers, regardless of the reason for their departure, often take with them sensitive and confidential information, such as intellectual property or trade secrets, that belongs solely to their employer.
According to a recently published white paper by Osterman Research, it examines the problem in detail and provides solutions for employers to mitigate the risks.
A survey published by Biscom in late 2015 found that 87 percent of employees, who leave a job, take away data they have created during their tenure, and 28 percent take data that others had created. Among the majority who took company data with them, 88 percent took corporate presentations and/or strategy documents, 31 percent took customer lists, and 25 percent took intellectual property.
The theft of this information can damage a company in a variety of ways, including putting them at risk of a regulatory violation, forcing them to take legal action against former employees, harming their competitive position, and negatively impacting their revenue.
To reduce the risk of employees taking information with them when they leave, employers should establish detailed and thorough policies and procedures focused on ensuring visibility into employee practices, limiting employee access to data, requiring encryption of sensitive data, managing devices properly, ensuring that data is backed up and archived properly, requiring the use of enterprise apps (since these apps and any associated offline content can be remotely wiped, even on personally managed devices), and ensuring that IT has access to all corporate data to which it should have access (some confidential data, such as HR data, should not be available to IT in all cases.)
To support these policies and procedures, organisations should evaluate and deploy various technology solutions. Technologies that should be considered, but not all of which need to be deployed, include content archiving, backup and recovery, file sharing and collaboration, encryption, mobile device management, employee activity monitoring, data loss prevention, logging and reporting, virtual desktops and other solutions will minimise the possibility of employees misappropriating corporate data upon their departure.
Why do employees take away data?
Employees, who take away corporate data when their employment term has ended, do it for couple of reasons as listed below:
In an era of Bring Your Own (BYO) devices, cloud applications, cloud storage, mobile apps and other elements of “shadow IT”, departing employees can often leave with substantial amounts of corporate data and not even realise or remember that they still possess it. Moreover, because a large and growing proportion of employees work at least some of the time from home, if only after normal work hours, they often maintain a rich source of corporate data on their personal desktop and laptop computers, USB sticks, personally managed file sync and share tools like Dropbox, and in other locations.
Some employees will knowingly leave with corporate data upon their termination because they don’t feel it’s wrong to take it with them, or that it will not harm the company. For example, an employee who has worked to foster key client relationships, created valuable intellectual property, or is leaving a financially troubled company that may soon be going out of business may feel justified in taking corporate data with them, often because they feel the data belongs to them.
The problem is exacerbated by corporate data protection policies that are not enforced or by the lack of security or monitoring technologies designed to protect against data exfiltration.
Some employees will take corporate data with them upon their departure with malicious intent. Some employees might be angry with company management because they were laid off or otherwise terminated involuntarily, they might have been passed over for a promotion, they may have a personal dispute with their manager, or they might want to gain an advantage in their new job by having sensitive or confidential information from their former employer.
While employees who take and/or destroy data maliciously may represent only a small proportion of total data loss in an organisation, the damage they do can be significant.
How can organisations protect sensitive company data?
To minimise or eliminate the potential of employees to exfiltrate data from their employer when they leave a company, there are a number of things that an employer can do to proactively address the problem:
It is essential that organisations maintain complete, ongoing visibility of sensitive corporate data across all of their endpoints, cloud applications and any other repositories where this data might be stored. An important best practice to accomplish this is the deployment of a content archiving system that will enable the capture, indexing and immutability of content based on corporate policy.
Email archiving is the logical and best first place to start the process of content archiving, however other data types such as files, social media content, text messages, web pages and other content should be considered for archiving as well.
Companies should establish policies to limit employee access to sensitive and confidential data by role, function, need to know, etc. While employees must be given access to the content they need to get their jobs done, too much access to all company information can pose data security risks.
While IT needs to be in control of corporate data, it should not have unfettered access to all information, such as sensitive HR files on employees, compensation, structural changes, etc.
Sensitive and confidential data should be encrypted in transit, at rest and in use, regardless of its location. While manual encryption should be implemented so that employees can encrypt sensitive content in email. We also recommend use of policy-based encryption that will automatically scan content based on policy and then encrypt it appropriately. Encryption alone can prevent much of the data loss that occurs when employees leave a company.
Sensitive and confidential information should be protected with good authentication to prevent its access by unauthorised parties. For example, relatively benign sensitive data might require just a username and password for access, while more sensitive or confidential information might require two-factor authentication.
Because of the significant amount of data stored on Smartphone and laptops, it is vital that every mobile device can be remotely wiped so that former employees no longer have access to the content stored on these devices.
This is particularly challenging in Bring Your Own Device (BYOD) environments, since corporate data may be stored on personally owned devices using non-approved approved applications, and IT often will not have the ability to remotely wipe these devices, allowing ex-employees to retain access to corporate data. It is important to note that enterprise-approved apps and any associated offline content can be remotely wiped, even if the device is personally owned.
Every organization needs an effective backup policy to ensure that all corporate data is backed up, preferably to a central or easily accessible location. However, this is becoming increasingly difficult because of the use of personally managed file sync and share tools like Dropbox, as well as other cloud repositories.
While IT has the ability to properly back up all of the systems to which it has access, a significant proportion of corporate content, when stored in personally managed repositories, is not under IT’s control.
Employment contracts and agreements should include clear language about the provisions for protecting sensitive and confidential data while employees are working for a company, as well as when they leave. While these provisions may be disputed by employees after they leave a company, or may be disregarded altogether, employers at least have some basis on which to defend a position if they decide to pursue non-compliant ex-employees.
Organizations should adopt policies that will inform employees of management’s intent to monitor and audit employee behaviour when using any corporate resource, such as a computer, mobile device or network and when using any corporate data resource. The goal of monitoring and auditing is to enable insight into how employees are accessing data and what they are accessing, as well as to deter potential misbehaviour.
It’s rarely a good idea to allow employees to have administrative rights for their own, company-supplied computers, since this permits them to install applications that may permit the storage of corporate data in locations outside of IT control.
Moreover, allowing employees to install applications, mobile apps and the likes may increase the likelihood that employees will introduce malware, ransomware or other threats into the corporate network.
It’s important to understand that many cloud productivity tools, such as Microsoft OneDrive and Google Drive, permit employees wide latitude over the data they store, edit and delete in these repositories without any oversight from IT.
Managers need to be trained properly and on an ongoing basis to be aware of the various issues involved when employees leave and how to handle exiting employees professionally to prevent both inadvertent and malicious loss of data. This training must be a regular practice so that managers can remain current on changes in employment law and on best practices for dealing with employees.
Image credit: The Jakarta Post