Risk management: redundancies – exit procedures

As redundancies continue to rise and firms are forced to offer sabbaticals or
four day weeks, many former loyal employees become disenchanted; where key
people are leaving, or being asked to leave, the importance of sound exit
procedures cannot be over-emphasised.

According to a recent survey of US workers, six out of ten employees stole
company data when they left their job last year. The survey, conducted by the
Ponemon Institute, polled those with access to a range of sensitive information
including customer data, contacts lists, employee records, financial reports,
confidential business documents, software tools and other intellectual property.

This may come as a surprise to some, however, with more and more information
being held electronically by firms, the scope for acts of computer sabotage and
vandalism from disgruntled employees, as well as the destruction of
incriminating evidence, has dramatically increased. As for the costs of these
types of breaches: security firm McAfee estimated that total global economic
losses from data theft and security breaches at $1trillion last year. So what
processes can you put in place to safeguard your intellectual property?

First and foremost, firms need to consider the ‘what if’ scenarios of staff
that are leaving. What if this junior accountant has access to client databases?
What if the finance manager has copied out passkeys to our bank accounts? For
anyone leaving there should be consideration of the person’s ‘evidence
landscape’ and what digital evidence recovery techniques might be needed if an
investigation is needed.

When recovering digital evidence, the initial step is to capture the entire
contents of a user’s PC. The earlier this is done the less the chance of
evidence tampering or destruction. In terms of a leaver’s PC, why not capture
this as part of the exit procedure? The ‘image’ can be stored with the personnel
file just in case something needs investigation in the future. This plus a copy
of the user’s profile and a backup of their server email can save hours in any

The cost is minimal compared to the cost, time and potential reputation
saving that could be achieved by having evidentially secure data to investigate.
Once the data is captured and after only a few hours, the PC can be safely
rebuilt and issued to a new user or sold.

The exit policy should be owned by the HR department but needs absolute
support from senior management. It may need further support from external
specialists to provide a level of independence. Set out below is a checklist of
steps that should be taken as soon as the employee is notified of their
redundancy, or indeed as soon as possible after a resignation:

Leaving in an orderly fashion

  • Where the employee is being removed from the workplace, accompany them at
    all times until they leave the premises
  • Ensure the employee surrenders all company-owned laptop computers,
    notebooks, PDAs, mobile telephones or other electronic devices or access control
    devices assigned to him, as soon as informed of his
    resignation/dismissal/suspension. It is important to ensure that the employee is
    not given an opportunity to ‘tamper’ or wipe such devices clean before returning
  • HR must make the IT department aware of imminent departures. Employee’s
    computer accounts should be deactivated immediately, including remote access and
    database accounts.
  • Particular care is needed where the disaffected employee is a network or
    systems administrator. Such employees may implement unauthorised ‘back doors’
    into the systems to obtain remote access regardless of whether their official
    dial-in account is deactivated.
  • Home working and remote users pose additional risks and difficulties, all
    the more so if they use their own computers, PDAs, mobile telephones or other
    devices to connect to company networks. The company will normally only have a
    legal right of access if they are its de facto property (see box).
  • The return of any company equipment used at home should be done in the
    presence of the employee at the earliest possible opportunity, and preferably on
    the day of his being notified of his redundancy/dismissal/suspension. There is
    an issue, certainly in the UK, where there is need for a consultation period
    prior to an employee actually leaving the company; this is a high risk time and
    companies should be particularly vigilant during this period. The employer
    should always retain proof of purchase to prevent disputes about ownership
  • Ensure data from computer systems (including laptops etc) is secured in a
    forensically sound manner and archived in the event that the employee brings a
    tribunal claimEnsure remote access server and network audit monitoring are
    effective to record any attack on the systems – without audit trails and event
    logging, it will be difficult to prosecute for computer misuse
  • Security passes should be deactivated and returned, but in some cases it may
    also be appropriate to advise security staff and receptionists that the employee
    is to be denied access, should they attempt to return to the building.
  • Telephone answering systems and voicemail should be secured against
    tampering or the unauthorised re-recording of answer messages.

Finders keepers

In many jurisdictions, the unauthorised inspection of a computer system (e.g.
one purchased by an employee) constitutes a criminal offence – in the UK, for
example, such inspection constitutes an offence under Section 1 of the Computer
Misuse Act 1990. If possible, the organisation should stipulate a ‘right of
access’ to computer systems used by any employee for business purposes at home,
as part of the standard employment contract. This ‘right of audit’ is rarely
written into employment contracts, and it is normally not possible to access
peoples’ home computers without a court order. This is the case even when the
employee is in possession of company data.

Martin Baldock is general manager of Stroz Friedberg’s
UK offices in London and Leeds

Related reading