As companies grow and shrink, people naturally move to different jobs. If a company gets hot, there is a natural tendency for it to attract people from numerous backgrounds and professions. Just look at the growth in Silicon Valley in the last 10 years as Apple, Google, Facebook, Salesforce and many others have grown dramatically and become household names.
As people advance throughout their careers, they create and have access to sensitive information. In the past it was simple to prevent a person leaving a company from taking sensitive information. Today it is more challenging as cloud and mobile computing proliferate in business.
A recent study by Intermedia and Osterman Research on “Preventing Rogue Access” showed some alarming statistics that should cause companies to review their data security practices. Here are just a few showing the access maintained by ex-employees:
- 89% retained access (login and password) to at least one corporate app from a former employer
- 45% can access “confidential” or “highly confidential” data
- 49% actually logged into ex-employer accounts after leaving the company
- 68% admitted to storing work files in personal cloud storage services
Technology is ahead of a company’s ability to control how its employees use it. Some companies are very proactive in data security and others are just keeping their heads above water. While many companies have a comprehensive onboarding process for employees, the offboarding process may not be as comprehensive.
Here are a few tips from the Intermedia report on offboarding an employee.
- 1. Maintain a distribution list for terminations that informs key departments (Finance, HR, Facilities, Legal, etc.) when an employee is leaving.
- 2. Reroute all email accounts of a departing employee to her or his manager for the first 2-3 months so that important messages are retained and handled.
- 3. Terminate all employee accounts to every service and system, both on-premise and in the cloud.
- 4. Review the apps saved in your employee’s single sign-on portal, since many may be provisioned or used without IT’s knowledge.
- 5. Collect all company assets, including hardware, software, ID badges, external hard drives and any company-owned equipment an employee may have used as part of a home office.
Since employees may also have sensitive files in numerous work and personal locations, it’s best to immediately revoke access to those files. You can only do that if you have file-based security in place to control access to this information. Removing a user from an internal directory service, like Active Directory, is the best way to remove access to files and internal systems.
If an ex-employee tries to access that information following termination, they can’t do it. File encryption plus a centrally controlled security policy ensures the company is always in control of the file and can immediately terminate all access for the ex-employee.