How to Make Sure Company Secrets Stay When Employees Move On
Does your data stay put when your employees move on? Maybe not. Nearly 60 percent of employees steal company information when they leave or are fired, with 67 percent of them taking it to a new job, according to a study by Traverse City, Mich.- based privacy and data protection research firm the Ponemon Institute. Yet only 15 percent of respondents' employers performed any sort of review of the digital or paper documents employees were taking.
You, however, should take more protective measures. Well before employees leave, you should have a plan for how you're going to protect the data, says Larry Ponemon, chairman and founder of Ponemon Institute. That includes extra measures for dreaded scenarios such as the departure of a disgruntled senior manager or IT administrator.
Here's a guide to preventing data from walking out the door with departing employees:
Know your people and keep them happy.
Get to know your employees and determine who may pose more of a risk, whether because they have their fingers on your crown jewels or because they seem unhappy or volatile. Be suspect of new employees who offer to deliver customer lists or other secrets from their previous employer. You could get the same treatment when they move on again, Ponemon warns.
And cultivate a happy work environment. Content employees tend to be more loyal, while the disgruntled have fewer qualms about taking things. The Ponemon study found that 61 percent of respondents who were negative about their company stole data, while 26 percent with favorable views did so.
Spell out rules of acceptable and unacceptable use of company information and create a culture of confidentiality. When crafting policies, begin by asking yourself: "What is valuable to your organization?" says Carrie Gates, an engineer at Islandia, N.Y.-based CA Labs. For example, a jewelry company concerned about its designs might want to prohibit employees from transferring design documents to personal email or Dropbox accounts. To boost compliance, explain the reasons for your rules, emphasizing the company's data-control needs rather than communicating distrust of your workers, she says.
Have employees sign an agreement that affirms their understanding of the rules and the need to keep company secrets confidential. You might consider having employees in particularly sensitive roles sign separate confidentiality and non-compete agreements, says Teresa M. Thompson, an employment attorney at Fredrikson & Byron in Minneapolis. Such agreements can set a tone of seriousness that can prevent misbehavior and strengthen your legal hand in trying to compel a pickpocket to return what he or she took.
"Smaller companies … could go under if they don't take an aggressive position," Thompson says. If companies in competitive fields don't take precautions, "they're just open game for people to come and pluck their information and their people."
Put technology controls in place.
Protect your sensitive data with technology controls that limit access. Salespeople, for example, shouldn't have access to design blueprints. Use tools such as Active Directory from Microsoft or more advanced identity-management software available from Microsoft and many others.
You also may want to protect sensitive data itself. Microsoft provides tools for protecting documents with passwords, encrypting files and folders, and designating who may access a file. Also consider WatchDox, which offers higher-end controls for documents on computers and mobile devices (prices vary). Installing software on laptops and smartphones can allow you to wipe their contents remotely.
Another option is data loss prevention (DLP) technology, which can detect and stop data from slipping through exit points, such as email, instant messaging, thumb drives, file-sharing services, printers and malware. BeyondTrust offers such a product called PowerBroker DLP that's available to companies of all sizes ($80 per user per year). Zscaler offers a cloud-based DLP service that can help protect data on your network, in other cloud services and in mobile devices ($1 to $5 per user per month).
Monitor key employees before they depart.
If you're in a risky situation with an employee -- you think a salesman is interviewing with a competitor or a top designer has given notice, for instance -- consider tracking that person's digital activities. Software from SpectorSoft, for example, can record everything that occurs on company devices and provide reports about suspect activity, including data uploads and downloads. It starts at $99 for one basic license.
Terminate access quickly.
Move fast to cut off departing employees' access to the company network, applications, email accounts and physical files. If such workers used your company Twitter or Facebook pages, change the passwords. Ask yourself what other cloud-service accounts you might need to secure. Backupify can help you remove data from Google Apps ($3 per user per month) when employees leave.
People you fire or lay off should be escorted out and watched to make sure they don't take anything that doesn't belong to them, including mobile devices and thumb drives. Review email and other activity during an exit interview or, if you're really concerned, hire a forensic expert to investigate.
Related: 7 Tips for Upgrading IT Security