When a member of staff leaves, it could be a data breach unless you’re careful.
Imagine you have an employee who has decided to leave your business for a competitor. They’ve been with you for 10 years and have developed close relationships with clients.
What are the risks?
They have large amounts of confidential corporate information stored on their company-owned and personal devices.
Personal data that has left your control is a data breach. Under GDPR, enforced from 25 May 2018, a breach that is likely to put individuals at risk must be reported to the Information Commissioner’s Office (ICO) within 72 hours of your becoming aware of it, together with what you are doing about it.
Where the breach poses a high risk to the people affected, you also have to tell them directly that their data has been compromised. That will make a big dent in your reputation.
All that data in the hands of your competitor. What are the chances you are about to lose a few clients?
So what can you do about it?
It’s likely that your employees are using company laptops, which they’ll hand back at the end of their employment. The data on the laptop is back under your control, but have they sent it elsewhere before handing it back in?
Monitoring tools are commonly deployed on company networks and company-owned devices to check that employees are keeping company data secure, and they make it straightforward to reconstruct what happened. What has been emailed? Have personal email accounts been accessed? What attachments have been added to emails? What has been copied onto a USB stick or other device?
Issues arise when personal phones and devices are used under a BYOD (Bring your own device) policy. Everyone has their own preferences for the types of phones they work best with. Companies often allow their people to use their own phones and claim expenses for calls and/or data.
If employees are using their personal devices, there’s a high chance they have sensitive or confidential company information stored on them. We all use our phones for email and often for other applications, such as Word or Excel. They may even have access to your CRM via an app.
Corporate data needs to be wiped from employees’ devices when they leave. This is where Mobile Device Management (MDM) becomes useful.
Using an MDM tool such as Sophos Mobile means employees can use their personal devices for business while you keep control over the corporate content stored on their phones, without having to manage the whole device.
When an employee decides to leave, the company information stored on the device can be tracked, controlled and deleted, so they no longer have access to your confidential data.
Leaving old email accounts open creates an IT security risk, so it’s normal to deactivate them. When an employee leaves, their ability to log in should be removed promptly; the mailbox itself may be deleted straight away or kept for a short period.
But are you checking their account for new emails? The chances are they’re still going to be receiving emails from potential clients and customers who may not be aware they’ve left.
You will need to redirect these emails to another employee’s account, otherwise you may be missing out on valuable sales opportunities.
Alternatively, you can set up an auto-response which explains that an employee no longer works at your company and they will need to adjust their contacts appropriately.
Next is the issue of employee personal emails.
If an employee is leaving to start at another company, maybe a competitor, there’s a risk they may take valuable information with them which could harm your sales turnover. For example, a salesperson may try to take their clients with them, so they email the client list from their work email to a personal account, or simply log in to their personal email from their work machine and upload it.
If this happens, again, GDPR says you have 72 hours to report the data breach to the ICO, with information about the breach as well as what you’re doing to resolve it.
So not only is this about protecting data from a breach and keeping your clients, it’s also about protecting your reputation.
To prevent this, companies can include a clause in their IT policies prohibiting it, and back the policy up technically by blocking certain file types from being sent or uploaded to email accounts that open in a browser, e.g. Hotmail accounts.
Software such as Sophos lets you track and monitor what your employees are sending, and block specific types of file, such as Excel spreadsheets, from leaving by email. Bear in mind that such blocks are not watertight (a renamed, zipped or photographed file can slip past a simple file-type rule), so monitoring matters as much as blocking; together they greatly reduce the chance of confidential information leaving with your soon-to-be ex-employee.
What happens to their USB devices?
USB sticks make data theft easy, and their storage capacity keeps increasing. So, if an employee copies client lists or important files to one, they can walk out of your office with huge amounts of confidential data in their pocket.
To prevent this, you can use device-control software such as Sophos Endpoint Protection to block all but authorised USB devices.
You can also log what is read from and written to USB ports, giving you a record of what data employees have actually copied rather than merely had access to.
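As an added example (not code from the article, and not Sophos’s), the Python script below shows what the monitoring described in the email and USB sections above comes down to in practice: it runs a leavers list against constructed mail-gateway and endpoint device-control log lines and flags mail to webmail domains, mail to a same-named address at an outside domain, spreadsheet-type attachments leaving the company domain, and writes to USB devices that are not on an allow-list. The log field layouts, the company domain, the device IDs, the leaver roster and the 30-day look-back before notice are all assumptions made for illustration.

```python
"""Leaver exfiltration triage over constructed mail-gateway and USB event logs.

Added example, not code from the original article or from Sophos. The log
field layout, domain lists, device IDs and leaver roster are assumptions made
for illustration; map them onto what your gateway, DLP or endpoint product emits.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

CORP_DOMAIN = "example.co.uk"                      # assumed corporate mail domain
LOOKBACK_DAYS = 30                                 # copying often starts before notice is given
WEBMAIL_DOMAINS = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com", "icloud.com"}
SENSITIVE_EXT = {".xlsx", ".xls", ".csv", ".pst", ".zip"}   # exports a leaver might take
AUTHORISED_USB = {r"USB\VID_0951&PID_1666\CORP-ENC-001"}     # hypothetical corporate encrypted stick
LEAVERS = {"jsmith": date(2018, 5, 1)}             # username -> date notice given (constructed)


@dataclass(frozen=True)
class Finding:
    when: datetime
    user: str
    rule: str
    detail: str


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _local(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower()


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def in_review_window(user: str, when: datetime) -> bool:
    """True if the user is a known leaver and the event is on or after notice minus the look-back."""
    notice = LEAVERS.get(user)
    return notice is not None and when.date() >= notice - timedelta(days=LOOKBACK_DAYS)


def check_mail(lines):
    """Mail gateway log, assumed layout: ts|sender|recipient|attachment|bytes."""
    findings = []
    for line in lines:
        ts, sender, rcpt, attachment, _size = line.strip().split("|")
        when, user = _ts(ts), _local(sender)
        if _domain(sender) != CORP_DOMAIN or not in_review_window(user, when):
            continue
        rdom = _domain(rcpt)
        if rdom in WEBMAIL_DOMAINS:
            findings.append(Finding(when, user, "mail_to_webmail", f"{sender} -> {rcpt}"))
        elif rdom != CORP_DOMAIN and _local(rcpt) == user:
            # Same mailbox name at an outside domain: the "mailed it to myself" pattern
            findings.append(Finding(when, user, "mail_to_self_external", f"{sender} -> {rcpt}"))
        if attachment and rdom != CORP_DOMAIN and _ext(attachment) in SENSITIVE_EXT:
            findings.append(Finding(when, user, "sensitive_attachment_external",
                                    f"{attachment} -> {rcpt}"))
    return findings


def check_usb(lines):
    """Endpoint device-control log, assumed layout: ts|user|device_id|action|path."""
    findings = []
    for line in lines:
        ts, user, device, action, path = line.strip().split("|")
        if action != "write" or not in_review_window(user, _ts(ts)):
            continue
        if device not in AUTHORISED_USB:   # writes to the corporate stick are logged but expected
            findings.append(Finding(_ts(ts), user, "usb_unauthorised_write", f"{path} -> {device}"))
    return findings


def triage(mail_lines, usb_lines):
    """All findings for current leavers, oldest first."""
    return sorted(check_mail(mail_lines) + check_usb(usb_lines), key=lambda f: f.when)


# Constructed sample logs (not real traffic).
MAIL_LOG = [
    "2018-05-03T09:12:44|jsmith@example.co.uk|client@bigcorp.com|proposal.docx|48213",
    "2018-05-03T17:48:02|jsmith@example.co.uk|jsmith@hotmail.com|clients_q1.xlsx|302117",
    "2018-05-04T08:05:10|jsmith@example.co.uk|j.smith@gmail.com|notes.txt|1024",
    "2018-04-20T11:30:00|jsmith@example.co.uk|jsmith@hotmail.com|pipeline.csv|9000",
    "2018-05-04T10:00:00|akhan@example.co.uk|akhan@hotmail.com|budget.xlsx|5000",
    "2018-05-05T12:00:00|jsmith@example.co.uk|jsmith@newemployer.com|contacts.csv|7777",
]
USB_LOG = [
    r"2018-05-02T13:05:00|jsmith|USB\VID_0951&PID_1666\CORP-ENC-001|write|C:\Users\jsmith\Documents\report.docx",
    r"2018-05-02T13:09:31|jsmith|USB\VID_090C&PID_1000\PERSONAL-123|write|C:\Users\jsmith\Documents\clients_q1.xlsx",
    r"2018-05-02T13:09:40|jsmith|USB\VID_090C&PID_1000\PERSONAL-123|write|C:\Users\jsmith\Documents\pricing.csv",
    r"2018-03-15T09:00:00|jsmith|USB\VID_090C&PID_1000\PERSONAL-123|write|C:\Users\jsmith\Documents\old.csv",
    r"2018-05-02T14:00:00|akhan|USB\VID_090C&PID_1000\OTHER-456|write|C:\Users\akhan\Documents\budget.xlsx",
]

if __name__ == "__main__":
    for f in triage(MAIL_LOG, USB_LOG):
        print(f"{f.when:%Y-%m-%d %H:%M}  {f.user:8}  {f.rule:30}  {f.detail}")
```

Two design points are worth noting. The review window deliberately reaches back 30 days before notice was given, because the copying usually happens before the resignation conversation, so a check that starts at the leaving date misses the interesting events. And the rules are indicators for a human to look at, not proof of theft: a colleague with a non-leaver account (akhan in the sample) doing the same thing is not flagged here, which is exactly why the earlier sections argue for blocking webmail uploads and unauthorised USB writes for everyone rather than only watching leavers.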
If you need help with your IT security to ensure your data is protected when an employee leaves, please don’t hesitate to get in touch.