When employees leave a business or organisation, there are many actions that need to be taken to maintain security. Here’s a summary of some of them in relation to the health and continuity of the business and to fulfil legal and stakeholder responsibilities.
Different Reasons, Same Actions
Members of organisations inevitably change over time. They may leave voluntarily (e.g. to go to another job or to move away), be asked to leave, or depart for many other reasons. For businesses or organisations to fulfil their responsibilities to themselves, their shareholders, customers, other employees and data protection law, and to be able to act quickly when the time comes, it pays to have at least a (preferably regularly updated) checklist in place to ensure that security is maintained and that weaknesses, threats and disruption are minimised.
Examples of the kinds of potential threats that an organisation may need to guard against on employee exit include:
– Damage, theft and disruption – In addition to the risk of data theft, attacks on a company’s systems and network that were made possible by the absence of security measures or procedures for employees leaving/retiring can cause costly and disruptive damage.
– Insider threat – One of the dangers of not managing the departure of an employee properly is that a business is left with an ‘insider threat’ (i.e. a former employee, contractor or partner whose access rights and logins still work). This could lead to confidential company information being leaked (possibly to competitors), industrial espionage, opportunities for extortion, access being gained to financial details, customers being poached, and more. A recent IBM study found that insider threats account for 60 percent of data breaches.
High profile examples of organisations that have suffered data breaches at the hands of ex-employees include:
– Broadcasting watchdog Ofcom, which suffered a large data breach in 2016, where a former employee downloaded around six years’ worth of third-party data before leaving for a new job at a major broadcaster. The data was then offered to the new broadcaster who informed Ofcom.
– Back in 2013, a disgruntled Morrisons IT internal auditor, Andrew Skelton, copied the payroll data of 99,998 Morrisons employees to a personal USB stick and then posted the data on a file-sharing website. This resulted in a class action being launched against Morrisons by over 5,000 employees, with Morrisons being found “vicariously liable” for the breach by the High Court and Court of Appeal (a finding the Supreme Court later overturned in 2020, although the cost and disruption of defending the case had by then been incurred).
The examples above highlight one important reason for closing any potential holes in security on employee exit: the legal responsibility under current data protection law. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (which replaced the DPA 1998) are the main legislative frameworks covering how a business or organisation in the UK must manage the protection and handling of personal data. Within these, the data controller (i.e. you and your company/organisation) holds the responsibility for data matters.
Protecting that data is important both to protect those whom the company holds data about, and to protect the company itself from legal penalties, damage to reputation and more. As well as personal data, a business needs to ensure that other sensitive data such as financial records, intellectual property and details about company security controls are all protected.
These threats and responsibilities mean that businesses and organisations need to address employee exit as part of their due diligence. This is best done by building a standard company procedure that is followed whenever an employee leaves, for whatever reason.
This company procedure could be built around a checklist, in effect a small security audit, that takes the following into account:
– Email is a window into company communications and operations and a place where sensitive data is exchanged and stored. It is also a common ‘vector’ for cyber-criminals. With this in mind, managing the email aspects of security when an employee leaves/retires is vitally important. Measures that can be taken include revoking the leaver’s access to company email (disabling rather than immediately deleting the account preserves the mailbox for handover and any retention requirements), setting up auto-forwarding and an out-of-office reply that names the new contact, and removing any mail-forwarding rules the leaver may have set up to an external address. It is also important to revoke access to/remove login credentials for other email tools the company uses to communicate with customers and other stakeholder lists, for example mass-mailing services with stored lists such as Mailchimp.
– Revoking access to company systems and networks. Employees hold login details and rights/permissions for company computer systems and networks, including remote access (VPN), single sign-on and any personal API keys or tokens. Access and logins for all of these should be revoked when the employee leaves, ideally at the moment of departure rather than days later.
– CRMs provide access to all manner of data about the company, its customers, its other stakeholders, sales, communications and more. Login access should be revoked when an employee leaves.
– Collaborative working apps/platforms and shared, cloud-based, remote-working platforms (e.g. Teams or Slack) also give direct access to company data. Make sure that a departing employee no longer has access to these workspaces and groups, including any guest or external-user access that may survive the deletion of their main account.
– If the departing employee has a personal voicemail message on the company phone, this also needs to be changed.
– A leaving employee will need to return all company devices, and this implies that a company should have procedures in place to keep a record of which company devices have been allocated to each employee.
– Retrieval of any backup/storage media (e.g. USBs) may also help to prevent some security threats.
– Although it is best to store all online documents in a shared company folder that you have control over (e.g. in OneDrive), it is possible that an employee has stored items in separate folders on their computer. Making sure that these are transferred to you or deleted when the employee leaves can help to maintain levels of security.
– Changing any passwords, PINs or other credentials that were shared with multiple members of staff is an important measure to take when an employee leaves: a shared credential the leaver knew remains usable by them until it is rotated. (Note that forced periodic password changes for individual accounts are no longer recommended by the NCSC; what matters on exit is rotating every credential the leaver had knowledge of.)
– If the departing employee was authorised to use company credit/debit cards, changing the PINs for those cards is another step that needs to be taken to maintain security with the company/organisation’s finances.
– Letting the team/person responsible for IT security know that a person is leaving, in advance where possible so that access can be revoked on the day, and particularly if the person left ‘under a cloud’, is another way to help close security loopholes.
– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved is something that should be done before the ex-employee leaves the premises for the last time.
– If the employee has been issued with physical documents (e.g. a handbook) which contains information and data that could threaten company security, these need to be retrieved when the employee leaves.
– If the departing employee’s email address and extension feature on the website, and/or the employee is shown as holding the role they are departing from, this needs to be removed from the website. Also check that company social media (e.g. LinkedIn and Facebook) does not indicate that the departed employee is still in their role. You may also wish to make sure that the ex-employee no longer features prominently in the business’s online estate (e.g. at the top of the website home page or other prominent pages).
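The checklist above is only useful if someone checks it has actually been completed. The following is an added example, not code from the original article: a small audit script that reconciles one leaver (as recorded by HR) against the account state in each connected system, the shared credentials they were given and the devices allocated to them, and reports every checklist item that is still open. It also flags the insider-threat signal the article warns about: an account that recorded a login after the person’s last working day. All system names (“email”, “crm”, “slack”, “mailchimp-admin”), asset tags and records are constructed for illustration.

```python
"""Offboarding access audit (constructed example, not the article's code).

Reconciles one leaver against the account state recorded in each connected
system and reports every item from the exit checklist that is still open.
All system names and sample records below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Leaver:
    user_id: str
    last_day: date                   # last working day per HR
    devices_issued: FrozenSet[str]   # asset tags recorded at allocation


@dataclass(frozen=True)
class Account:
    system: str                      # e.g. "email", "crm", "slack" (hypothetical)
    user_id: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class SharedSecret:
    name: str
    known_to: FrozenSet[str]         # user_ids who were given this credential
    last_rotated: date


Finding = Tuple[str, str, str]       # (action, subject, detail)


def audit_leaver(leaver: Leaver, accounts: List[Account],
                 secrets: List[SharedSecret],
                 devices_returned: FrozenSet[str]) -> List[Finding]:
    """Return the outstanding offboarding actions for one leaver."""
    findings: List[Finding] = []

    for acct in accounts:
        if acct.user_id != leaver.user_id:
            continue
        if acct.enabled:
            findings.append(("revoke", acct.system, "account still enabled"))
        # A login dated after the last working day means the account was
        # usable after departure: a lingering-access / insider-threat signal
        # worth investigating even if the account has since been disabled.
        if acct.last_login is not None and acct.last_login > leaver.last_day:
            findings.append(("investigate", acct.system,
                             f"login on {acct.last_login.isoformat()} after last day"))

    # Any credential the leaver knew remains usable by them from their last
    # day onward unless it has been rotated since then.
    for secret in secrets:
        if leaver.user_id in secret.known_to and secret.last_rotated <= leaver.last_day:
            findings.append(("rotate", secret.name,
                             "shared credential not rotated since departure"))

    # Allocation records minus returns gives the devices still outstanding.
    for asset in sorted(leaver.devices_issued - devices_returned):
        findings.append(("retrieve", asset, "company device not returned"))

    return findings


# --- Constructed sample data (not real records) ----------------------------
SAMPLE_LEAVER = Leaver("jdoe", date(2024, 3, 29), frozenset({"LAP-0412", "PHN-0093"}))
SAMPLE_ACCOUNTS = [
    Account("email", "jdoe", False, date(2024, 3, 29)),   # disabled on time
    Account("crm", "jdoe", True, date(2024, 3, 28)),      # missed entirely
    Account("slack", "jdoe", False, date(2024, 4, 2)),    # disabled late: used after exit
    Account("crm", "asmith", True, date(2024, 4, 10)),    # current staff, must not appear
]
SAMPLE_SECRETS = [
    SharedSecret("mailchimp-admin", frozenset({"jdoe", "asmith"}), date(2024, 1, 15)),
    SharedSecret("guest-wifi", frozenset({"asmith"}), date(2024, 1, 15)),
    SharedSecret("company-card-pin", frozenset({"jdoe"}), date(2024, 4, 1)),  # rotated after exit
]
SAMPLE_RETURNED = frozenset({"LAP-0412"})


def run_sample() -> List[Finding]:
    return audit_leaver(SAMPLE_LEAVER, SAMPLE_ACCOUNTS, SAMPLE_SECRETS, SAMPLE_RETURNED)


if __name__ == "__main__":
    for action, subject, detail in run_sample():
        print(f"{action:<11} {subject:<18} {detail}")
```

Run against the sample data, the script reports four open items: the CRM account is still enabled, the Slack account recorded a login four days after the last working day, the shared Mailchimp login has not been rotated since the leaver left, and one phone has not been returned. The email account (disabled on time), the card PIN (changed after departure) and a current colleague’s accounts are correctly left out. In a real deployment the account and secret lists would be exported from the identity provider, CRM and password manager rather than typed in.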
Where companies offer ‘Bring Your Own Device’ (BYOD), meaning that employees can bring in their personally owned laptops, tablets and smartphones and use them to access company information, this poses an additional level of threat on employee exit because the device itself cannot be retrieved. This threat may be lessened where companies opt for more controlled variants such as corporately owned, personally enabled (COPE), choose your own device (CYOD), personally owned and partially enterprise managed, or personally owned with a managed container application; where a mobile device management (MDM) tool is in place, the corporate profile or container should be remotely wiped as part of the exit procedure.
In any case, BYOD should be always accompanied by clear policies and guidance as part of effective management.
Ex Employee’s Legal Responsibilities
It should be remembered that, although the business/organisation has legal responsibilities to protect company data, the ex-employee is also subject to the law for their own behaviour. This is of particular importance where an employee who has dealt with the personal details of others in the course of their work leaves or retires. For example, the ICO prosecuted a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his former work email account (in February 2017) containing sensitive personal information about 183 people. Also, a former apprentice in a council schools admissions department was found guilty of screenshotting a spreadsheet containing information about children and their eligibility for free school meals and then sending it to a parent via Snapchat.
What Does This Mean For Your Business?
Having a regularly reviewed and updated procedure in place for the steps to take during an employee’s exit is an important part of due diligence, of legal responsibility and of responsibility to all stakeholders, and is a way for a company to protect itself from preventable threats in the future. This procedure therefore feeds into both business security and business continuity. It is also an argument for making sure that employees work within monitored and controlled company systems, under clear rules and procedures, because access that is granted and recorded centrally is far easier to find and close on employee exit than access that is not.