How to ensure that giving notice doesn’t mean losing data

Most IT teams invest resources to ensure data security when onboarding new employees. You probably have a checklist that covers network access and permissions, access to data repositories, security policy acknowledgement, and maybe even security awareness education. But how robust is your offboarding security checklist? If you’re just collecting a badge and disabling network and email access on the employee’s last day, you’re not doing enough to protect your data.

Glassdoor reported recently that 35% of hiring decision makers expect more employees to quit in 2018 compared to last year. Whether through malicious intent or negligence, when insiders leave, there’s a risk of data leaving with them. To ensure data security, you need to develop and implement a robust offboarding process.

Employee separation is a risky time

Obviously, when employees leave under difficult circumstances – layoff or termination – the risk is greatest. Disgruntled employees in these circumstances pose a risk of destroying or taking data upon leaving.

Employees may also be negligent or simply unaware of risky behavior. They may not remember the corporate data they uploaded to a personal cloud storage repository or downloaded to a USB stick sitting at home. Employees may also have forgotten the details of your security policies and/or non-disclosure agreements regarding permitted and non-permitted activities after leaving.

The rise of shadow IT is one reason why employee separation is a risky time for data security. The average organization today has over 1,400 cloud applications in use. The use of unapproved applications can leave data loose ‘in the wild’ for access by employees even after they leave. Do you know every cloud application being used by a departing employee?

How to protect your data at exit

First and foremost, if you don’t have a comprehensive offboarding checklist – or if you haven’t reviewed your team’s checklist lately – create or revisit the checklist. Does it properly address the current work environment reality of personal devices, cloud storage, and cloud applications? This is a great opportunity to get your security team together for a group brainstorm to ensure a robust checklist.

The next most important step is to partner with HR to establish or review the processes in place to manage offboarding. Timely notification from HR to IT is extremely important to ensure access to systems and data is revoked as necessary. And, for cases of involuntary departures like termination and layoff, this collaboration process should begin before the last day.

Once your IT team receives notification of an impending departure, several steps should occur:

• Your offboarding process owner should meet with the employee’s manager prior to the departure to identify applications used and risk level.
• Your team should increase vigilance upon notice. Most insiders steal data within a month of departure, so an employee giving notice may signal a need for increased IT vigilance. Privileged users may warrant increased scrutiny around departure time. Employee monitoring software can be useful in watching an employee’s activity before his/her departure date to detect anomalies, monitor specific applications and websites, and enable IT forensics.
• Ask for the employee’s support. A recent report found that 87% of surveyed employees admitted that when they left a company, they took with them data they created during the course of their employment. A further 28% of those employees admitted to taking data created by others upon departure. A frank and open discussion is a step more organizations should take when an employee gives notice. It’s typical for exit interviews to include HR and the employee’s manager: these interviews should also include an IT/security team representative. Ask the employee for login credentials for all repositories. Discuss the terms of non-disclosure and IP agreements. Ask pointed questions like: Do you have company information/data stored on a personal cloud? Do you have USB or other external storage devices containing company information/data? Are you clear about what constitutes company intellectual property? Do you understand the non-disclosure and non-compete forms you have signed?
• Transfer data from the cloud. These steps documenting how to securely transfer data from the Google Suite are a good reminder of the types of steps to take when revoking access to cloud repositories. Beyond securing and revoking access, you must take steps to save and transfer data and wipe mobile devices.

The employee exit process often devolves into a fire-drill for IT teams. Having a documented process and a strong relationship with HR can help your team go from reactive to proactive.