Most of the employees are honest, well-mannered people. They are expected to behave courteously even when they leave the company on bad terms. Almost all of them will act as they have behaved, but when they don’t, they can pose a huge threat to the company. Protecting the company’s data (and systems for some employees) in today’s world is even more difficult: some of the company’s data can be in the cloud, some data may be accessed with application-specific credentials or the data may be on the employee’s device in a BYOD scenario.
But how can we protect company’s data?
Being a Microsoft Certified Trainer, I regularly deliver training and read about many products that provision and deploy devices and applications. More than 90% of the training and the product brochures include “provisioning” and barely touch “deprovisioning.” When I am in the field and speak with the company representatives they simply do not give deprovisioning too much importance. How can a so crucial element of security be regarded as second class?
The first line of defence in protecting data from ex-employees is the deprovisioning. It is best to define what actions to take in an employee contract termination case with the Human Resources department. Once the steps are defined, it should be automated. I would suggest a scenario where the termination steps are laid out in detail as a checklist, is carried out automatically, ends up in account manager/administrator who verifies every step in the checklist by checking the systems. You can call the final step redundant, but considering the importance of the task, I think the final control is essential.
Automation and deprovisioning can be as simple as disabling the employee’s account at a first thought. I seriously wish it were. First, sensitive employee records such as phone numbers, addresses, social security numbers are kept in the personnel department files/databases. From the company’s perspective this data should be archived for security reasons. Second, from the governance perspective, the employee’s files should be classified and archived accordingly. Finally, access to such type of information could be through another system which is not widely used and thus easily overlooked/forgotten. And imagine the ex-employee somehow having access to all these information.
From a business perspective, contract termination procedures can start even before the employee leaves, if he is working in a data-intensive or business critical department. In other cases, the employee’s manager can ask to keep the account open for a predetermined time. Such cases should also be considered and detailed with the HR, so that appropriate termination steps could be determined – how will the termination be triggered, what is the maximum time allowed for the account to be open, in such a case what applications will be available etc..
Next, similar to deprovisioning, devices should be wiped in a Bring Your Own Device (BYOD) environment. The organizations need to know what data is kept on the device, how it is accessed and what data should be wiped. For example, an employee’s e-mail account could be disabled but he still can access his old emails by just tapping “Cancel” in the credential dialogue in the email application. But how will the corporate IT avoid such scenarios? Mobile Device Management provides some solutions depending on the product but I cannot say it is 100% effective. Today, there are solutions like KNOX who try to address the problem on Android platform, but its success is still being questions.
To protect the company in such cases, the employees should be required to sign a written agreement which explicitly states that the employee will not retain corporate data on his device after his employment contract is terminated. The agreement should also make it clear that it is employee’s responsibility to password protect corporate data and he is to install and maintain applications that allow remote wipe and gives the company the permission to remotely access and wipe corporate data from his device. I would also recommend to put an item in the Human Resources exit interview checklist to remind the employee that he is not allowed to retain corporate data on his personal devices.
And finally, there is the issue of the uncontrollable cloud. An employee can visit a cloud storage service and upload all the sensitive documents, log off and leave the company. It is extremely hard to manage such issues from an IT perspective. What I recommend the companies for these cases is to have an allow/reject list of web services and block the websites in the reject list. You may be surprised to hear such a recommendation from a person like me, but sometimes such things are inevitable. If you cannot control the flow of data in your network, you cannot just let it go. If you cannot provide 100% of protection, at least make it harder to copy. You can implement Active Directory Rights Management services if you are operating a Windows network, you can block access to sites like Dropbox, OneDrive etc. (for the employees who need to use such services you can ask manager’s approval or define an access approval policy). You can also put a clause in the employee agreement which clearly states that business critical data cannot be uploaded in the cloud services, e-mailed to outside e-mail addresses / accessed from the non-company network / downloaded to personal devices. You may argue that none of these can prevent an employee from taking photographs of the screen but at least you are making it more difficult for them to access and take away corporate data. If you make it such difficult when the employees are working, you have less reasons to wonder when they leave.
Here is my advice on protecting corporate data from the ex-employees. How do you protect your corporate data? What are your measures? Let us know in the comments.
- Featured image: http://www.elatewiki.org/