Protecting your business data when a staff member leaves
See part 1 here
Staff leave businesses for all sorts of reasons. Sometimes it’s amicable and other times not so much. When this happens, you need a plan for how you are going to protect the business data to which they had access.
There are really two separate considerations here. The first is ‘How do we stop the ex-staff member from accessing our live data?’
This is a process that you are no doubt already familiar with: it is where we disable user accounts, change passwords, revoke building pass cards and collect laptops and other devices from the soon-to-be ex-staff member. This is the obvious stuff and it is an important step, but it doesn’t take into account at least one very important consideration.
It is very common for staff to use their own personal devices to access company data and this has become far more prevalent in the new working-from-home world we live in today.
How do we secure business data left behind on personal devices?
When a user’s account is disabled or deleted, any data that they may have had synchronized on their own personal device (email on a mobile phone, for example) will remain. At present there is no way to force the removal of that data, which means that an ex-staff member who was using their own computer to work from home probably has copies of your business data on it.
Without an enforceable technological way to remove this data you must rely on policy, process and trust to deal with this situation.
Your company policies should state that upon termination of employment the person is required to destroy company data in their possession on their personal devices.
Your procedures should support this policy: when a staff member leaves, you should have your I.T. department inspect any personal computers and devices which were used by that employee.
Of course, all of this relies on trust: you need to have faith that your policies and procedures will be followed and that the ex-staff member will be cooperative.
If you don’t want to rely on policies, procedures and trust, there is one other option: change your policies, and have your I.T. department enforce them, to only allow access to company data from company-owned equipment. Then all you have to do when an employee becomes an ex-employee is make sure you get the equipment back.