The data security threat from former employees

Every month thousands of people leave their jobs. The question every business owner should ask — before that employee walks out the door for the last time — is what company information are those employees taking with them when they leave.

From passwords to the business Twitter account to confidential client lists and files stored in a personal Dropbox account — the intellectual property of your organization could be walking out the door.

The 2014 Intermedia (business applications cloud-hosting vendor) SMB Rogue Access Study was released in August 2014. Based on a survey of knowledge-workers performed by Osterman Research, the report quantifies the staggering scope of the “Rogue Access” problem and presents a wake-up call for every business — regardless of size.

Following are some of the findings:

• 89% of those surveyed retained access to Salesforce, PayPal, email, SharePoint or other sensitive corporate applications.
• 45% retained access to “confidential” or “highly confidential” data.
• 49% logged into their ex-employer accounts after having left the company.
• 68% admitted to storing work files in personal cloud storage services.

How are they accessing this data?

The survey also revealed that 60% of employees were not asked for their cloud logins during the exit interview. This simple omission opens the possibility for unauthorized access to various company applications such as Salesforce, PayPal, SharePoint, Facebook, Basecamp, Shopify, Desk.com, Office 365, Google Apps, Mail Chimp and WordPress – to name just a few commonly used programs and platforms.

Former employees could expose your private customer data, and you are responsible.

The data breach risks of Rogue Access are significant. Disgruntled ex-employees could steal money from PayPal, falsify financial details in QuickBooks, or post inappropriate information on company social media platforms. Well-intentioned ex-employees might accidentally delete important files from their personal cloud storage service. There are other legal risks, such as the inability to complete eDiscovery or the failure to comply with federal and state regulatory obligations to protect sensitive personal information.

A review of recent FBI cyber investigations revealed businesses that were victims incurred significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees.

How to reduce unauthorized access

The following steps can help any organization monitor this threat.

Establish a security and compliance group: This group should control which employee has access to various services, including cloud-based platforms as well as internal applications.

Create strong IT policies: Create policies that include a list of approved sites and services. Employees should be instructed only to use company logins for apps, software, sites, and services instead of using any personal user ID and passwords.

Role-based access to applications: Every employee does not necessarily need access to every application. Creating strict approval processes for each employee or employee role within the organization will improve the security of your information. Approval for access to secure platforms should be in two separate steps. The first approval should be by the employee’s direct manager and the second approval by a senior executive. Documentation of the approvals will make sure the organization has a record of which employees have been granted access to which platforms.

Password management process: Some type of central repository for administrative logins and passwords for each employee should be maintained.

Any shared accounts/logins should be eliminated: One person should be assigned to a particular account. If you share login information among several people to reduce your subscription costs, be sure to change the passwords at least on a monthly basis.

Conducting audits on a regular basis: Auditing all the user accounts on a regular basis will help make sure procedures are being followed. Audit reports should be reviewed by management to maintain consistency. Ensure that the track record is maintained for all the apps used, irrespective of the departments.

When an employee is terminated, follow these six recommendations:

1. Create an employee termination checklist and strictly follow its guidelines.
2. For all terminations, a distributions list should be created. Just as one would inform the appropriate people of a new person joining the organization, notification should be sent to appropriate people when someone leaves.
3. When an employee is terminated (voluntarily or involuntarily) their email accounts should be forwarded to their direct manager. This will help ensure that all emails and reminders and other information can be retained and acted upon when necessary.
4. Terminate all employee accounts. It is mandatory to end an employee’s account to all the services they accessed. Include any on-premises and cloud accounts. If an employee is the first and only contact for anything related to an online account or task, ensure that the contact person is reassigned.
5. Go through the apps that the employee may have saved on a single sign-on portal. This helps you know what applications the employee may have saved and installed without informing the IT department. This ensures that the employee cannot access anything after having left the job.
6. Retain all business assets. These would include laptops, phones, ID badges, software, and any other physical or intellectual property. If an employee used any company provided equipment, it needs to be turned in during the exit interview.

When angry ex-employees leave and join a new firm, they often seek to gain a competitive advantage. They can do so by using their access from a former employer to steal software, destroy data, or provide proprietary customer information. When an employee leaves on good terms, they may inadvertently destroy valuable proprietary information.

Following the guidelines listed above will help you take appropriate steps to protect your organization’s proprietary intellectual property.

What additional steps does your organization take to protect private client information?

Published in collaboration with LinkedIn

Author: Steve Anderson is an authority on insurance technology.

Image: A hand is silhouetted in front of a computer screen in this picture illustration taken in Berlin. REUTERS/Pawel Kopczynski