Employers should identify digital assets used by remote employees and establish procedures for disabling access and ensuring their return.
Many people have trouble thinking about the “endgame” at the beginning of a relationship. However, things can (and do) turn sour, particularly in an employment relationship. It’s important for employers to consider the possibility of an intentional or inadvertent security breach at any phase of an employee’s relationship with the organization.
This is especially true in these challenging times. Organizations have been compelled to implement work-from-home strategies virtually overnight to accommodate pandemic-related social distancing measures. Providing employees with remote access to IT resources increases the risk of insider threats. Some organizations have also issued laptops and other equipment for employees to take home. Without careful management, this equipment may become lost or otherwise unaccounted for.
The economic downturn associated with the pandemic creates another set of challenges. Even if layoffs can be avoided, low morale and pay cuts can increase the risk that a disgruntled or inadequately trained employee could pose a security threat.
Minimizing these risks starts with the development of policies and procedures for revoking IT access and retrieving any assets used by remote employees. The steps should be well-documented and communicated to all departments involved in the process. This preemptive approach helps ensure that all boxes are checked whether an employee’s departure is friendly or acrimonious.
Who, What, Where
The first step is to track what digital assets are or have been under the control of each individual in order to ensure that access is terminated. Most large organizations have formal processes for granting and terminating access credentials, but many small to midsize organizations do not. Furthermore, smaller organizations often require functional overlap that makes it more difficult to prevent unauthorized access.
It’s not just a matter of terminating an employee’s network access and email account. You have to consider every credential that employee might have been privy to. For example, the accounts receivable clerk might have been tasked with ensuring that backups ran properly each night, and as a result have administrator credentials for your primary accounting server. You don’t want to think that this individual might log in from home and wreak havoc with your accounting data, but it could happen.
More critical — and potentially difficult — is identifying which digital assets are or have been in the possession of each individual in order to ensure that these assets are properly returned. This extends beyond company-issued equipment to sensitive data. Did an employee email copies of customer lists to her home account? Did she log into the network remotely and download important files?
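The reconciliation described above, as an added example that is not part of the original article: a small Python routine run over a constructed inventory of one person's credentials and equipment (the user name, system names and asset tags are assumed sample values). It reports what still has to be revoked, what shared credential has to be rotated, and what equipment has not come back, so that a departure is not closed out until every item is accounted for.

```python
"""Offboarding reconciliation for a departing remote employee (added example)."""
from copy import deepcopy

# Constructed sample records, not real data. Each entry is one credential the
# person has held, including ones acquired through functional overlap, such as
# the accounts receivable clerk who was given admin rights to run backups.
ACCESS_RECORDS = [
    {"user": "j.doe", "system": "email", "role": "user", "active": True},
    {"user": "j.doe", "system": "vpn", "role": "user", "active": True},
    # A shared administrator password: disabling j.doe's own login does not
    # change it, so it must be rotated, not merely marked inactive.
    {"user": "j.doe", "system": "accounting-server", "role": "admin",
     "active": True, "shared": True},
    {"user": "j.doe", "system": "hr-portal", "role": "user", "active": False},
]

# Constructed equipment records: company-issued hardware taken home.
ASSET_RECORDS = [
    {"user": "j.doe", "asset": "laptop-0042", "returned": False},
    {"user": "j.doe", "asset": "token-17", "returned": True},
]


def offboarding_report(user, access_records, asset_records):
    """Return the open items that still block a complete offboarding of `user`."""
    mine = [r for r in access_records if r["user"] == user]
    revoke = [r["system"] for r in mine if r["active"]]
    # Shared credentials are listed regardless of the user's own status.
    rotate = [r["system"] for r in mine if r.get("shared")]
    recover = [a["asset"] for a in asset_records
               if a["user"] == user and not a["returned"]]
    return {
        "revoke": revoke,
        "rotate": rotate,
        "recover": recover,
        "complete": not (revoke or rotate or recover),
    }


def apply_revocations(user, access_records):
    """Mark every credential held by `user` inactive; returns updated records."""
    updated = deepcopy(access_records)
    for r in updated:
        if r["user"] == user:
            r["active"] = False
    return updated


if __name__ == "__main__":
    print(offboarding_report("j.doe", ACCESS_RECORDS, ASSET_RECORDS))
```

After `apply_revocations`, the report still lists the shared accounting-server credential for rotation and the laptop for recovery, which is exactly the point: disabling a login is only one of the boxes to check.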
These activities happen frequently, particularly given the proliferation of mobile devices. Most of the time, the motives are innocent, even noble — a dedicated worker trying to get work done. But innocent or not, these activities pose a security risk.
Distracted or disgruntled employees are a common cause of security breaches in these challenging times. While people are an organization’s greatest asset, they are also its weakest link, particularly when increased stress levels and job insecurity may lead employees to behave in atypical ways.
To minimize these risks, you should only allow employees to access the systems, applications and data they need to perform their jobs. Data should be kept within the company firewall if at all possible. You should also consider data loss prevention tools, which automatically track sensitive data, control how it’s accessed and transmitted, and enforce encryption where appropriate.
Some organizations require employees to agree that their home computers are fair game for monitoring at any time during employment and for a limited number of days post-employment. Such monitoring can be lawful, but policies must be carefully crafted. It may be appropriate to engage an attorney to ensure that policies designed to protect digital assets don’t create the risk of litigation for invasion of privacy.
It may not be pleasant to think about an employee’s termination when you’re preparing his new-hire paperwork. However, that’s an essential consideration given the rise of work-from-home strategies and other changes in operational processes. Employers must establish processes to protect digital assets throughout the employment lifecycle and ensure their return when the relationship ends.