5 strategies to protect digital assets from terminated employees
When an employee leaves your organization, they can potentially take with them knowledge and access to valuable data that can create serious problems.
In the first article of this series, we identified the many risks that a departing employee can pose to a company’s digital assets, ranging from unintentional lapses like backing up data on personal, unsecured devices to malicious behavior like accessing payroll to claim funds that belong to another employee.
This article will address five strategies to help protect data regardless of the intent.
1. Know your company’s data flow and identify potential sources of data leakage.
You cannot defend your digital castle without knowing where to place your guards. Thus, companies must determine:
- What kinds of data they maintain.
- How data is collected, stored, used, and destroyed.
- Where data is stored, copied, and backed up.
- Who can access the data, how access is decided, and how access is policed.
- The potential avenues through which data can be exfiltrated to a location beyond the company’s control.
The good news is, many companies have already thoroughly mapped their data flow and performed a vulnerability analysis. The bad news is those that have not probably have more significant concerns than departing employees because they are likely not in compliance with some U.S. and foreign cyber security and data privacy laws (GDPR being the most notable example).
Nevertheless, no matter how secure an environment a company believes it maintains, it is certainly not uncommon for companies discover unanticipated vulnerabilities after significant or embarrassing damage is done. It could even be something as simple as a forgotten legacy database available to a large set of employees that copies information from a more restricted database.
Even so, a company cannot hope to reasonably anticipate potential sources of data leaks unless it can track the complete life cycle of its data from creation to disposal.
2. When it comes to access rights, follow the principle of least privilege.
Many employees test the limits of their access at some point during their employment, typically by simple “data snooping.” Employees should be granted as few privileges as possible, preferable only those necessary to perform their job. This applies to data access privileges, computer and device privileges, application privileges, network privileges and internet privileges. As clear-cut examples, only the appropriate level of management should be granted access to “big picture” financial data and very few employees should ever be given administrator level rights to their computer.
At the end of the day, it is significantly more difficult to exfiltrate data if the employee does not have access to the data in the first place.
3. Completely deactivate access on the employee’s last day.
To avoid cutting off access too quickly or too late, this step requires close coordination between the employee’s managers, HR, and IT. Ideally, create a written protocol for departing employees using your data flow map as a guide to help ensure that all potential avenues of employee access are accounted for, including email, network and remote login credentials and mobile device access. Do not disable the employee’s email account, however. Instead, make sure the employee’s emails are forwarded to a manager’s email account so that they can be monitored. Also, change the passwords of all client, vendor or third-party accounts linked to the departing employee (Salesforce, ADP, etc.). Finally, remotely wipe all company data from the employee’s mobile devices.
4. Always conduct an exit interview.
The exit interview is probably the most effective way to prevent data retention. While it can be a valuable tool for soliciting employee feedback, ensuring that coworkers know where data has been stored and recovering company property, it is also your company’s first opportunity to assess any threat the employee may pose.
If the employee executed a non-disclosure or non-compete agreement, give the employee a copy and review it with them. Even if employees did not execute any formal agreements, still remind them that they are prohibited from using or disclosing your company’s confidential information. Also, formally request that the employee return all company property, including mobile devices and credit cards, and agree to a process for returning them. Finally, if the employee is subject to a restrictive covenant, ask the employee where she will be working next and what her new job’s roles and responsibilities will be.
While employees are not always honest during exit interviews, a misrepresentation about their next job is certainly relevant in any subsequent litigation. Take notes of what the employee tells you, or better yet, prepare a written exit interview questionnaire for the employees to complete in their own handwriting. Finally, make sure you confirm the employee’s contact information, including a mobile phone number and email address.
5. Trust but verify – audit departing employees’ activities and preserve evidence.
Following separation, review the employee’s computer to determine if the employee recently deleted any data, connected any storage devices or ran any unauthorized programs that did not require installation (such as encryption or erasing applications that can load from a flash drive). Additionally, most network servers and content archiving systems have logging capabilities that allow a company’s IT department to create various levels of alerts triggered by suspicious activity.
While exactly what constitutes “suspicious activities” is highly fact-specific, common examples include: multiple attempts to access unauthorized data or certain classes of unauthorized data, bulk file copying of any kind, attempted installation of unapproved software, a new mobile device, the use of a non-company virtual private network and remote access that is inconsistent with the employee’s historical usage.
If you are confident with the rules you set up to trigger alerts, then review all alerts associated with the employee for at least the last 90 days. If you are less confident that your alert rules will identify suspicious activities, then manually review the employee’s activities for the last 90 days.
If any behavioral anomalies warrant further investigation, turn off the employee’s computer and arrange to have it forensically imaged and analyzed. If your IT department has the capabilities to conduct a forensic review, then make sure to image the computer’s hard drive first because continued operation of the computer on can overwrite evidence of recent suspicious activity.
While the threat of data leakage can never be eliminated, it can be minimized and mitigated with proper security practices which anticipate how a company’s data can leave its control.
Departing employees present a particularly vulnerable attack vector because they typically know what data they have access to, where it is located and how it can be copied. Companies must therefore make sure to take this risk seriously by incorporating strategies for dealing with departing employees into its security program. Your company’s survival may very well be at stake.