How to Protect Data for Departed Employees: Office 365 and Other Tips – Interview with Bob Spurzem, Director of Field Marketing for Archive360
What are the main challenges that IT must deal with when employees leave the company?
BS: No matter what type of organization we’re talking about, each and every time that an employee leaves the company for any reason—whether by quitting, being laid off, or being fired—IT administrators must quickly rescind that person’s access to corporate networks while simultaneously preserving the employee’s data. Yet accomplishing these tasks effectively may be trickier than you’d think.
While we’d like to believe that everyone is ethical, the fact is that some employees take email lists and other company data with them when they vacate a job, even if they know that they aren’t supposed to steal this data. Some employees may still have access to their former employer’s computer network even when they are no longer working there. One reason why people might want to take this data along with them is to help them with their search for a new position.
Also, while an administrator might initially think it’s no big deal when an employee departs unexpectedly since they may underestimate how much data that person could easily take, they should keep in mind that a 256GB flash drive can hold over 15 million documents and files. Even if an employee doesn’t go the flash drive route, they could still easily take around 600 files in a 10MB email attachment.
Has there been research done around how common it is for departed employees to steal company data?
BS: Actually, there has been. After conducting interviews with people who switched jobs or were fired or laid off over the past year, the Ponemon Institute found some surprising statistics. More than half (60%) of people who leave a job take along company data that they are not authorized to bring with them. Nearly 80% of these employees said they were aware that the company did not authorize them to bring the internal data with them. What did they target on their way out the door? Almost two-thirds of them took email lists. Why? Well, they were thinking about how they might use those contacts to get their next position: over two-thirds who admitted they stole data from their former employer said they planned to use it in their job search. And around one-quarter of respondents reported that even after leaving the company, they retained access to their former employer’s computer network.
To be fair, there are a few reasons that help us understand why employees may think that taking company data is no big deal. For one thing, even if the company has a policy in place, many companies don’t strictly enforce their rules about taking internal data when an employee leaves. Plus, the corporate data is often easy for employees to access since it is not secured. Employees may also think that it won’t hurt their former employer if they take and share the information.
What can companies do about this problem? Is there anything that IT can do proactively to help protect their data before employees leave?
BS: Fortunately, there are steps that companies can take to help secure internal data. Once management is aware of how pervasive and common this problem really is, then they can put processes in place to effectively manage departures of employees by developing both a comprehensive plan and a process for departing employees.
And to answer your question, there are definitely steps that IT can take toward data protection, but Human Resources and the Legal department should also be involved. As far as IT goes, though, there are often signs to watch for when an employee is departing—signs that can alert IT to the possibility that an employee may be planning to take data without permission.
What kinds of signals might employees give when they could be preparing to steal internal data?
BS: IT should stay on the lookout for a few telltale signs of unusual behavior before an employee’s departure is announced, so that they can be best prepared to manage this type of problem. Being proactive and preventive is important here, since once someone decides to leave, the turnover could happen very fast, making it hard for IT to protect corporate data at that point.
Some signs that suggest a person may be preparing to depart from the company include noticing that the employee has started copying many files to the cloud or external drives, or sending files in large email attachments to a personal email account. You might also see an employee start coming back to the office after their usual working hours are over, or even using their corporate email address to correspond with competitive companies. Suddenly seeing large volumes of documents being deleted is another red flag. Also, if more than one person is leaving a particular department at once, it could be to start up another company, in which case they might be planning to keep copies of key corporate files.
What types of data do employees usually focus on taking beyond email lists?
BS: Email lists are very popular since employees who leave often want data related to their job function. In addition to customer and employee contact information and names, this might include product information/designs, price lists, intellectual property, or competitive information. Other common target data might be specific types of collateral like internal presentations, research reports, and sales data.
Many companies use Microsoft Office 365 cloud services. How can IT help protect data that Office 365 creates and manages?
BS: You are absolutely right that most enterprise organizations rely on cloud services from Office 365. Since this platform provides everything from email and calendaring services to productivity apps for file sharing and collaboration, it creates a huge amount of data to protect—and cloud-based services are notoriously difficult to reliably safeguard. With Office 365, there are two essential processes for IT to put in place in relation to employee departures. Your initial goal should be to control access to information, and your next one should be to preserve the data itself.
Let’s drill down into those details a bit more. What specific actions should IT take to manage data from departing employees’ Office 365 accounts?
BS: The first priority should be to block the employee’s ability to access Office 365 data and Exchange Online. Next, the administrator should work on preserving the files in the employee’s mailbox, and then on wiping and blocking any company-assigned mobile devices that the employee used. The employee might also have used company accounts on their personal devices—those should be wiped remotely. And don’t forget to remove the employee’s license to use Office 365 so it can later be assigned to another employee. Lastly, you should delete the user account for the departing employee.
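The sequence in the answer above, sketched as a PowerShell script. This is an added example, not part of the interview or any Archive360 material; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, uses Litigation Hold as one possible way to preserve the mailbox, and the `-Finalize` switch is a hypothetical name introduced here.

```powershell
# Added example: the offboarding steps from the interview, in the order given.
# Requires the Microsoft.Graph and ExchangeOnlineManagement modules (assumed installed).
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [switch]$Finalize   # hypothetical switch: also remove licenses and delete the account
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All'
Connect-ExchangeOnline
$user = Get-MgUser -UserId $UserPrincipalName

# 1. Block access: disable sign-in, then invalidate sessions that are already open.
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Block sign-in and revoke sessions')) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}

# 2. Preserve the mailbox (assumption: Litigation Hold) and read the setting back.
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable Litigation Hold')) {
    Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true
    if (-not (Get-Mailbox -Identity $UserPrincipalName).LitigationHoldEnabled) {
        throw "Hold not confirmed on $UserPrincipalName; stopping before any destructive step."
    }
}

# 3. Wipe and block each mobile device partnered with the mailbox.
#    -AccountOnly removes only mailbox data; drop it for a full wipe of company-owned devices.
foreach ($device in Get-MobileDevice -Mailbox $UserPrincipalName) {
    if ($PSCmdlet.ShouldProcess($device.DeviceId, 'Remote wipe and block')) {
        Clear-MobileDevice -Identity $device.Identity -AccountOnly -Confirm:$false
        Set-CASMailbox -Identity $UserPrincipalName -ActiveSyncBlockedDeviceIDs @{ Add = $device.DeviceId }
    }
}

if ($Finalize) {
    # 4. Remove the licenses so they can be assigned to another employee.
    $skuIds = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
    if ($skuIds -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove licenses')) {
        Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skuIds -AddLicenses @{} | Out-Null
    }
    # 5. Delete the account last, only after the mailbox preservation has been verified.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Delete user account')) {
        Remove-MgUser -UserId $user.Id
    }
}
```

Run it with `-WhatIf` first to list the actions without applying them, and confirm how your tenant retains a held mailbox before adding `-Finalize`.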
There’s a lot to do. Would you say that when it comes to the data protection challenges that companies face, it’s really more of a people issue than a technical challenge?
BS: That’s a good way to put it, actually. When you think about it, there are many employees who have good intentions—those individuals are not likely to steal corporate files. However, there are certainly others who will target stealing company data. While you can’t necessarily prevent this from happening altogether, there are a few other technical steps I’ll leave you with when it comes to protecting a company’s data.
Setting up restrictions on access to confidential files is important both before and after a departure. I also recommend developing policies about proper use of company email and equipment—and enforcing those policies. This can help deter misuse and theft of company data, especially if employees receive training about the policies. It’s also prudent to duplicate and store the departing employee’s electronic documents in a secure repository in case they are needed later. Finally, I recommend that organizations always include confidentiality provisions in employment contracts—and don’t forget to mention those provisions again during exit interviews. While not foolproof, such best practices can go a long way in helping to secure valuable information during and after employee departures.