How to Ensure Your Data Doesn’t Move on When Your Employees Do
In today’s fast-moving world, highly skilled professionals are constantly looking for more attractive opportunities that will move their careers forward and, as a consequence, companies struggle to retain employees in the long term. Staying in one job for one’s entire life is no longer the primary objective and changing jobs every three to five years is encouraged by every career counselor. According to consulting firm Hay Group, the average employee turnover rate in North America, across all industries, is expected to reach 23% by this year.
What does this mean in the context of data security? In a survey conducted by Biscom, 1 in 4 respondents said they take data with them when they leave a company, 85% of them feeling it is not wrong to take with them materials they themselves helped create. Many of those surveyed admitted that appropriating company data was possible due to companies’ inability to enforce their data protection policies. The predominant reason they gave for doing it was that they felt it might be of use to them in their new place of employment.
How easily data can be misappropriated
The type of data everyday employees have access to, and therefore can take when they leave, ranges from contact information such as email lists and telephone numbers to more potentially damaging data such as financial records, trade secrets or intellectual property.
The channels through which data is taken can be categorized into portable devices, online sharing services and the classic email. When it comes to portable devices, USBs are the most frequent offender: inconspicuous, easy to smuggle in and out of the office, ever larger in space, they are a straightforward solution for taking data out of a company network even when it is not connected to the internet.
The internet of course has opened the door to new possibilities for data theft. With a multitude of file sharing websites and online cloud services available for free, employees can upload gigabytes of data without leaving any physical trace. Files can also be transferred through messaging services such as Facebook Messenger and Skype. Lastly, important files can be sent via email from company addresses to third parties or forwarded to personal email addresses.
What companies can do to ensure data security
While most companies will have confidentiality clauses in employee contracts, these are not specifically used to protect data from employee misappropriation, but to prevent it from being shared with third parties. As already discussed, employees preparing to leave often take data because they feel they have partial ownership over it and because they know they can take it without being held accountable for it.
Some companies choose to terminate employee access to company data as soon as they are informed of their impending departure or decide to let them go. While this might be effective in the case of employees being dismissed, those that hand in their resignation might have already taken any data they considered valuable before making the announcement. There is also the matter of notice periods to consider. Whether an employee is leaving or being let go, notice periods can last from anything between two weeks to three months or more, during which the employee is still expected to perform his or her duties and arrange a handover.
The easiest way for companies to deal with internal data theft is by putting technology controls in place. Data Loss Prevention solutions such as Endpoint Protector offer detailed control over sensitive data leaving the network and endpoints. All transfers of data predefined as sensitive can be logged, reported or blocked. Policies can be tightened in case of departing employees and remote scans of data on computers can be executed to find any sensitive data that might be present on unauthorized computers and delete it or encrypt it where it is found.
Enforced USB encryption on the other hand can ensure that any data transferred to USBs is logged and automatically encrypted. Admins also have the possibility to reset the password to prevent those that copied the files from accessing them.
Tightening company policies can also be an effective tool to curb departing employees’ temptation to take data with them when they leave. However, data loss prevention tools are a more efficient control method that relies not on an employee’s willingness to follow the rules but on setting boundaries to how sensitive data can be handled and by whom.