by Lynn Brown
A few years ago, a spiteful employee who had been fired from a large hotel organization (but still had access to the system) used his home computer to maliciously reduce the hotel's room rates from $159 to $400 down to $12 to $59.
While the breach was quite damaging and cost the company thousands of dollars, it also underlined, for all organizations, the importance of protecting confidential information from disgruntled ex-employees.
According to the FBI, ex-employees have been known to destroy data, steal proprietary software and other information, obtain customer information, and use company and other accounts to purchase unauthorized goods. The costs of these cyber incidents ranged from $5,000 to $3 million.
Ex-employees also take confidential information with them physically when they walk out the door. Over one-third (35%) of respondents in the 2017 Dell End-User Security Survey admitted that it’s common to take proprietary company information after leaving a firm. Company data is also carried out on USB drives or sent by email.
The Dell survey also showed that more than two-thirds (36%) of employees who take information take samples of their own work, while 16% take work that others have completed.
In an earlier survey, Biscom reported that about 95% of respondents were able to take data they hadn’t themselves worked on because the company either didn’t have policies or technology in place to prevent data theft, or its policies weren’t followed.
Here is how to make sure that ex-employees are not walking out the door with sensitive data.
- Publish and circulate a Data Security Policy that identifies confidential data and explains security procedures.
- Use ongoing employee training to educate employees and to emphasize the ownership of private information.
- Make sure policies to prevent data theft are strict, embedded when possible, and supported by technology. For example, use secure tools that store and track company data.
- Consider workplace surveillance and/or random monitoring of employees’ computers (written consent will be required).
- Encrypt any confidential information in transit.
- Implement a Clean Desk Policy so employees keep the workplace tidy. The policy should also cover post-it notes containing confidential information.
- Consider introducing non-disclosure agreements about confidential information, and asking employees (and third parties) to sign them.
- For every employee, restrict access to only the information that is needed to do the job.
- When an employee resigns or is terminated, be sure to obtain their computer passwords and change them immediately, to ensure that there is no opportunity for the ex-employee to download or access any data remotely.
- Check the terminated employee’s mobile devices to make sure they don’t contain confidential information owned by the company. If confidential data is found, consider whether the hard drive should be destroyed.
- Inform all business partners that the employee has been terminated.
- Have a clear document destruction policy so that all documents are securely destroyed when they are no longer needed. Partner with a document destruction specialist that provides secure paper shredding and hard drive and e-media destruction services.