Did you know that a third of ex-employees access company data from their previous employer? This is a worrying stat for UK businesses as GDPR regulations loom, coming into play in less than a year. 24% of UK businesses have suffered data breaches caused by former employees.
Under GDPR (which comes into effect in May 2018), companies failing to adequately protect customer data can be fined up to 4% of their annual global revenue.
With this in mind, are you being thorough enough when employees leave your business to ensure their access to sensitive data is completely deprovisioned? Are you using the right technology solutions to ensure that current employees are not holding business data on their own devices, which will remain after their employment with you ends?
Employee Offboarding – More than just a Tick-Box Exercise
What happens when an employee leaves your business? Is it someone’s job to manually go through your IT systems and de-provision that employee’s access to the various systems you use?
If the answer to the above is yes, then you’re like 92% of other businesses who don’t automate this process. Unfortunately, this makes the process of removing ex-employee access to business data open to human error and forgetfulness.
Ensuring employee access to systems and data is deprovisioned 100% of the time, in a timely manner, is vital to protect your business. If data held by your company gets into the public domain, you could be fined and forced to tell the public that you’ve had a data breach.
There are three ways that employees can put data at risk
Are your employees syncing work related data with their own personal devices, at home or mobile, using non-enterprise solutions like Dropbox or Google Drive? Do they take data home on USB devices? Employees may not know this is a risk to data security, and they could be doing so purely in order to work remotely. You can ensure this doesn’t turn into a problem by using the correct encryption solutions for data, restricting employee abilties to install their own file sync solutions (e.g. DropBox) at work, and using a business grade file sync system that support remote wiping of data on mobile devices.
Stories of employees leaving laptops on trains, or losing a USB memory stick full of sensitive data are common. In these cases, we don’t believe the employees are at fault, because the technology is not up to the standard to keep data safe. Businesses can ensure this doesn’t happen by using the right technology. You should be able to remotely wipe portable devices, and any data on a lost laptop or hard drive should be impossible to read due to encryption. There is no need to store data on a physical device that you carry around with you in today’s world of high internet speeds and and redunandant in a world where you can access business data remotely without having to save it to a device. You should not be using USB devices to store data, and you can prevent these from working when plugged in by an employee.
This is harder to protect yourself against if you’ve forgotten to de-provision an ex-employee’s access to company systems and data, and they left under less than ideal circumstances.
As soon as an employee leaves, processes should begin to remove that individual’s access rights. However, if this is forgotten or incomplete, there are systems that can catch unusual activity such as an individual logging on at 10pm, when they’ve previously only ever logged on between 8am and 6pm. These systems monitor all of your logs to spot unusual activity and can block access in seconds. This is known as SIEM (Security Information and Event Management) and it can keep your business protected in a variety of scenarios.
In many of these scenarios, nobody would notice if an ex-employee was still logging in, or logging in at unusual times. Many businesses would also be unaware that their sensitive data was being synced to an unsecure, non-company device. SIEM can spot these anomalies and notify you immediately, or lock down access until it can be verified.