When you employ a new member of staff, there is a big focus on ensuring they have all the correct equipment such as company mobile, laptop and access to company data so they can work efficiently, but it appears that there is a lot less emphasis on data protection implications when an employee leaves.
Unfortunately, if a disgruntled employee wants to steal company data, they are most likely going to do this before you even know they are thinking of leaving, however you can put measures in place to lower the risk.
With this in mind, it is extremely important for a business to have a separate process in place, dedicated to the departure of a member of staff, aimed at protecting the business.
Here are a few examples of how you can protect company data…
Contracts:
Have added protection. Post termination restrictive covenants are contractual clauses which may be contained within a contract of employment. Restrictive covenants often restrict the employee’s right to conduct activities in competition with you after the employment relationship has ended.
Email:
Whether an employee chooses to leave on their own or is asked to leave, best practice is to make their email account available to their Manager and forward all incoming emails to that person as well. At the very least you should monitor their activity for anything unusual such as transferring emails from their work account to a personal email.
Company systems & programmes:
Make sure that you have a full inventory of an employee’s access to various applications such as cloud and internal shared files and when they do leave it ensures that you are fully aware of what systems and programmes you need to deactivate.
As soon as you can, remove an employee’s access to systems and programmes as this could be potentially damaging. If an employee was looking to damage the business or steal clients, removing their access would lower the risks.
There may be times when you need to give employees administrator access so that they can customize applications or systems, this allows the employee to install applications or save files to cloud storage devices which have not been approved. If you are aware for your employee is leaving and they are an administrator, remove this access immediately, preventing any destruction to company data.
Company property:
Ensure you retrieve all company equipment on their last day, this can be mobile phones, laptops and tablets.
Personal Devices:
Some organisations allows employees to use their own devices for business activities and when they leave, they are still in possession of these devices which may have access to company data through shared files, emails, client details. Therefore, you must ensure that these devices are wiped of any business data.
Data Protection:
Strategies to protect electronic data should be proactive and you should consider limiting access to those individuals or departments who are required to use it on a regular basis. Further protection can be provided by periodically changing passwords to sensitive files, limiting the number of users.
If an employee has office keys/swipe cards, ensure these are disabled on their last day, restricting them access on departure, they may not have access to systems but could easily enter your building and look to steal equipment/manual files etc.
After an employee has departed
It is common when an employee has been asked to leave and has decided to access or retrieve data, they will usually do it within hours or days of departing. You should formulate a plan to monitor any attempts by them to access the network, files, emails or other data after they have gone for a specific period of time.
