The Do’s and Don’ts of Data Protection and Past Employees
This article is sponsored by Intermedia, one of our partners, which provides Insight with content to share with our audience.
Ever wonder what leaves your company with employees? While it could be a stapler or file folders, it may also be data.
We are referring to your company’s sensitive and confidential data. With data breaches at an all-time high, it’s time to think about more than just cyberattacks. What about rogue IT access that happens from within your organization’s walls before an employee’s last day?
The theft of corporate information and data by resentful employees has increased over the past few years. In fact, it has received national attention recently due to the ongoing litigation between the venture capital firm TPG Capital LP and Adam Levine (no, not that one), a former spokesperson for the firm. Levine was denied a promotion and, in return, stole confidential documents.
While bitter attacks like this happen, past employees still have access to their former employers’ IT systems.
This leaves a huge “open field” for them to access and use confidential information.
The majority of your employees, current and former, will not use your sensitive, confidential company information maliciously. However, Osterman Research found that 68% of them stored work files in personal cloud storage.
“First and foremost, if you have sensitive or confidential data stored in Dropbox or Google Drive or any of the other personal employee accounts, you potentially run afoul of data breach notification laws,” said Michael Osterman of Osterman Research. “This data is now accessible by someone in another company. That means, in many cases, you have violated the data breach notification requirement that requires you to protect that consumer financial data or protected health information from unauthorized parties. And certainly, an ex-employee would be an unauthorized party.”
Here’s what your company can do to protect sensitive, confidential data from being opened and shared:
Don’t:
- Ignore employees who are showing red flags of being disgruntled.
- Ignore online activity of employees who are going to be terminated or who have given their notice.
Do:
- Implement a system to log online activity and alert IT managers of suspicious behavior.
- Review network activity for departing employee(s) leading up to the employee’s last day.
- Require HR to review confidentiality and IP agreements with employees who give notice or who are terminated.
- Utilize an offboarding checklist to prevent rogue access.
- Revoke computer access for departed employees on their last day.
- Change administrative passwords immediately following the departure of IT personnel.
Such attacks could prove lethal for companies, with losses ranging from $5,000 to $3 million. But if you follow the Do’s and Don’ts listed above, an internal attack can be avoided. Let us know if we can help with processes for managing IT employees, onboarding and offboarding employees, as well as advising your regulated company.