Risk management: redundancies - exit procedures
Make sure employees don’t leave with vital business data
As redundancies continue to rise and firms are forced to offer sabbaticals or
four-day weeks, many formerly loyal employees become disenchanted. Where key
people are leaving, or being asked to leave, the importance of sound exit
procedures cannot be over-emphasised.
According to a recent survey of US workers, six out of ten employees stole
company data when they left their job last year. The survey, conducted by the
Ponemon Institute, polled those with access to a range of sensitive information
including customer data, contacts lists, employee records, financial reports,
confidential business documents, software tools and other intellectual property.
This may come as a surprise to some. However, with more and more information
being held electronically by firms, the scope for computer sabotage and
vandalism by disgruntled employees, and for the destruction of incriminating
evidence, has increased dramatically. As for the cost of these types of breach:
security firm McAfee estimated total global economic losses from data theft and
security breaches at $1 trillion last year. So what processes can you put in
place to safeguard your intellectual property?
First and foremost, firms need to consider the 'what if' scenarios for staff who
are leaving. What if this junior accountant has access to client databases? What
if the finance manager has copied out the passkeys to our bank accounts? For
anyone leaving, consider the person's 'evidence landscape': which systems and
data they could reach, where traces of their activity would be found, and what
digital evidence recovery techniques would be needed if an investigation became
necessary.
When recovering digital evidence, the initial step is to capture the entire
contents of the user's PC: a complete, bit-for-bit copy of its storage, not a
selection of files. The earlier this is done, the less chance there is of
evidence being tampered with or destroyed. So why not capture a leaver's PC as
part of the exit procedure? The 'image' can be stored with the personnel file
in case something needs investigating in the future. Record a cryptographic
hash of the image at the time of capture, together with who took it and when,
so that its integrity can be demonstrated later. This, plus a copy of the
user's profile and a backup of their server email, can save hours in any
investigation.
The cost is minimal compared to the cost, time and reputational damage that can
be saved by having evidentially secure data to investigate. Once the data is
captured, which takes only a few hours, the PC can be safely rebuilt and issued
to a new user or sold.
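The capture step described above, as an added example that is not part of the article or of Stroz Friedberg's own tooling: a small POSIX shell script that copies a source to an image file, hashes both ends with SHA-256, appends a chain-of-custody record and can later re-verify the stored image against that record. It assumes a shell with dd, sha256sum, awk and date (GNU coreutils or busybox); the source path, the examiner name in ACQ_OPERATOR and the log format are all assumptions for illustration. In real use the source would be the leaver's disk attached through a hardware write-blocker; here it can be any readable file so the script runs offline.

```shell
#!/bin/sh
# Added example: forensic acquisition with integrity hashes and a custody log.
# Not from the article. Assumes POSIX sh plus dd, sha256sum, awk and date.
# SOURCE is normally a block device such as /dev/sdb (hypothetical path) behind
# a write-blocker; any readable file works for exercising the script.

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE, hashes both, appends one tab-separated custody record
# to LOG and returns 0 only when the two hashes agree.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    [ -r "$src" ] || { echo "source not readable: $src" >&2; return 2; }
    # Never clobber an image that is already on record.
    [ -e "$img" ] && { echo "refusing to overwrite existing image: $img" >&2; return 2; }

    # Hash the source first so any later change to the original is detectable.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    # Read-only copy. conv=noerror carries on past unreadable sectors on failing
    # media; the resulting shorter image then hashes differently and the final
    # comparison reports it instead of silently accepting a partial capture.
    dd if="$src" of="$img" bs=1048576 conv=noerror 2>/dev/null || return 1
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)

    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    operator=${ACQ_OPERATOR:-unknown}        # examiner name, hypothetical variable
    size=$(wc -c < "$img" | tr -d ' ')
    # Record: timestamp, operator, source, image, size, source hash, image hash.
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$stamp" "$operator" "$src" "$img" "$size" "$src_hash" "$img_hash" >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Recomputes the hash of IMAGE and compares it with the image hash recorded in
# LOG (the last record for that image wins). Returns 2 if no record exists.
verify_image() {
    img="$1"; log="$2"
    recorded=$(awk -F'\t' -v i="$img" '$4 == i { h = $7 } END { print h }' "$log")
    [ -n "$recorded" ] || return 2
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Usage when run as a script (hypothetical paths):
#   ACQ_OPERATOR="examiner" sh acquire.sh /dev/sdb leaver-0042.dd custody.tsv
if [ "$#" -eq 3 ]; then
    acquire_image "$1" "$2" "$3"
fi
```

The script reads the source twice (once to hash, once to copy), which doubles the time on large disks; a single-pass acquisition tool such as dc3dd, which hashes while it copies, is the usual choice in practice. The point the example makes is the same either way: the hash and the custody record are taken at capture time, so a later investigation can show the image is the one that was stored with the personnel file.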
The exit policy should be owned by the HR department but needs absolute
support from senior management. It may need further support from external
specialists to provide a level of independence. Set out below is a checklist of
steps that should be taken as soon as the employee is notified of their
redundancy, or indeed as soon as possible after a resignation:
Leaving in an orderly fashion
Finders keepers
In many jurisdictions, the unauthorised inspection of a computer system (e.g.
one purchased personally by an employee) constitutes a criminal offence – in
the UK, for example, such inspection is an offence under Section 1 of the
Computer Misuse Act 1990. Where possible, the organisation should stipulate a
'right of access' to any computer used by an employee for business purposes at
home as part of the standard employment contract. Such a right of audit is
rarely written into employment contracts, and without it it is normally not
possible to access an employee's home computer without a court order, even when
the employee is in possession of company data.
Martin Baldock is general manager of Stroz Friedberg's UK offices in London and Leeds.