Employees leave businesses for a multitude of reasons, from leaving to start their own businesses to leveraging a new opportunity, to moving to a new city or country. There are also less amicable ‘breakups’, such as when an employee is dismissed following a breach of contract or disciplinary action.
In the latter cases, employers are quick to try to limit an employee’s access to valuable client and company data, but is it always enough? And are employees who have been dismissed for cause the only people who will try to take data with them when they leave? When an organisation parts with an employee, whether on friendly terms or not, how can you ensure that they won’t be holding on to data? After all, transferring files onto a flash drive, into cloud storage or simply emailing documents to a different email address are simple and effective ways of taking a large amount of data – often in seconds.
Understanding digital separation policies
There is a term for unauthorised data leaving an organisation: data exfiltration. When we hear this term, most of us immediately think of cybercriminals breaching a system and stealing data, either to hold it to ransom or to sell the data and personal information of clients themselves. The reality, however, is that data exfiltration doesn’t only originate from outside an organisation. Employees (and former employees) can be responsible, which is why a digital separation policy is so important when an employee leaves.
A digital separation policy allows an organisation to act quickly when an employee resigns or is dismissed, act appropriately (simply taking someone’s laptop back is no longer enough), and act legally in accordance with labour laws and the Protection of Personal Information Act (POPIA). Having a plan in place also helps organisations avoid being put in a position where they need to react quickly to situations to avoid a data breach, which is when most mistakes happen. Clear procedures ensure a separation can be accomplished quickly and smoothly with minimal risk of a leak of sensitive information.
Employees and data
There are many reasons why employees take data with them when they leave. The first is probably the most obvious: data is extremely valuable, and the right data and client contact information might give a person an advantage in their new job. This is particularly common if a person has a customer-facing role in sales. It will take a full data breach investigation to prove that a customer has been poached using stolen information, which is why it’s better to protect that information in the first place. There are also POPIA implications, as a person consents to a business holding their data – but not to that data being shared with different companies.
Some employees take data by accident simply because they don’t delete the data they have on their devices or in cloud accounts. And others have more nefarious intentions – particularly if they have not parted ways with an organisation amicably. We have seen former employees use data to set up fake social media accounts and contact customers through fake emails with the explicit objective of ruining an organisation’s reputation, for example.
Putting a digital separation policy in place
A digital separation policy requires input from a number of departments. Creating and implementing it is not IT’s role alone. Instead, you should receive input from:
The legal department: It is the legal department’s duty to ensure that the policy is in employee contracts to make it clear at both induction and termination that staff have a legal duty to keep the organisation’s data confidential. This is particularly relevant since POPIA came into full force in July 2021.
The HR department: It is HR’s role to ensure that access to physical premises is cancelled as soon as possible.
The IT department: IT controls access management, multi-factor authentication and passwords. It’s therefore up to IT to terminate access to company resources and networks. However, this no longer simply means server and email access – collaboration tools, intranets, social media accounts, and third-party software access are all components of virtual work. Many organisations operate across multiple channels and different departments, each leveraging different tools. It’s therefore critical to ensure that all access, on every one of those systems, has been terminated. It’s also not enough to take back laptops and other company devices. Particularly since the pandemic, employees work on their personal devices as well, which means your data could be anywhere. If employees are permitted to use their own devices or access company mail on their own devices, the IT policy should give employers the right to inspect and delete data from personal devices as well.
The role of a digital forensics partner: Digital forensics partners offer three key advantages with regard to digital separation policies. The first is that digital forensics experts, such as Cyanre, can digitally trace whether an employee still has access to systems and networks. For example, we’ve seen a disgruntled employee wait six months before using a back door into a system. The second is that we can trace data: whether an employee has exfiltrated it, and which files were accessed or emails sent prior to their leaving. This becomes particularly important for an Anton Piller order, which provides the right to seize evidence without prior warning, preventing the destruction of relevant evidence. Anton Piller orders are only issued when there is a reasonable case that an employee – or ex-employee – has exfiltrated data. The third is to assist with ensuring that all data is backed up and stored appropriately. Digital separation policies should not only focus on separating employees from data. They should also seek to preserve data in case it is required later. You never know when an email from ten years ago will become relevant. In the case of exco (executive committee) or key members of the business, it’s also a good idea to keep forensically sound copies of devices and data so that no claims of the data being tampered with can be made later.
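The two IT and forensics points above (terminate access on every system, then verify that nothing was missed and review what the person did around their departure) can be turned into a repeatable check. The script below is an added example, not Cyanre’s tooling or anything from the original article: it takes a constructed inventory of accounts across systems and a constructed audit log, and for a departed employee reports accounts that are still enabled after the separation date, any activity recorded after separation (which points to lingering access and is a trigger for forensic follow-up), and activity in the days before departure that a reviewer would want to look at. All system names, usernames, timestamps and IP addresses are constructed placeholders.

```python
"""Offboarding access audit (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    system: str
    user: str
    action: str
    details: str


@dataclass(frozen=True)
class DepartedEmployee:
    name: str
    separation: datetime                      # the moment all access should have ended
    identities: frozenset                     # (system, username) pairs the person used


# Constructed account inventory as an IT team might export it: (system, username, enabled).
ACCOUNT_INVENTORY = [
    ("email", "jane.doe", False),
    ("vpn", "jdoe", False),
    ("crm", "jane.doe@corp.example", True),   # third-party SaaS account nobody disabled
    ("github", "jdoe-corp", True),            # source-control account nobody disabled
    ("slack", "jane.doe", False),
    ("email", "sam.lee", True),               # unrelated, still-employed colleague
]

# Constructed audit log: "<ISO timestamp> <system> <username> <action> [details]".
AUDIT_LOG = """\
2024-02-27T14:02:11Z crm jane.doe@corp.example export_contacts count=4210
2024-02-29T09:15:00Z email jane.doe send to=personal@mail.example attachments=3
2024-03-04T22:41:37Z crm jane.doe@corp.example login src=203.0.113.45
2024-03-05T01:03:12Z github jdoe-corp clone repo=billing-service
2024-03-05T08:00:00Z email sam.lee login src=198.51.100.7
"""

# Constructed departed employee: separation at 17:00 UTC on 1 March 2024.
JANE = DepartedEmployee(
    name="Jane Doe",
    separation=datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    identities=frozenset({
        ("email", "jane.doe"), ("vpn", "jdoe"), ("crm", "jane.doe@corp.example"),
        ("github", "jdoe-corp"), ("slack", "jane.doe"),
    }),
)


def parse_timestamp(text: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing Z is accepted as UTC."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_audit_log(text: str) -> list:
    """Parse the constructed log format into AuditEvent records, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, system, user, action, *rest = line.split(maxsplit=4)
        events.append(AuditEvent(parse_timestamp(ts), system, user, action, rest[0] if rest else ""))
    return events


def audit_departed(employee: DepartedEmployee, inventory: list, events: list,
                   review_window: timedelta = timedelta(days=14)) -> dict:
    """Report residual access and suspicious activity around a departure.

    residual_accounts: identities still enabled in the inventory (offboarding missed them).
    post_separation_events: any activity after the separation moment (access was not cut).
    pre_departure_events: activity within review_window before separation, for reviewer attention.
    """
    ids = employee.identities
    residual = sorted((sys_, user) for sys_, user, enabled in inventory if (sys_, user) in ids and enabled)
    theirs = [e for e in events if (e.system, e.user) in ids]
    post = [e for e in theirs if e.ts > employee.separation]
    pre = [e for e in theirs if employee.separation - review_window <= e.ts <= employee.separation]
    return {"residual_accounts": residual, "post_separation_events": post, "pre_departure_events": pre}


def main() -> None:
    report = audit_departed(JANE, ACCOUNT_INVENTORY, parse_audit_log(AUDIT_LOG))
    print(f"Offboarding audit for {JANE.name} (separated {JANE.separation.isoformat()})")
    for key, items in report.items():
        print(f"\n{key}:")
        for item in items:
            print(f"  {item}")


if __name__ == "__main__":
    main()
```

Run as a script it prints the three sections of the report; in practice the inventory and log would come from the organisation’s identity provider and SIEM exports rather than the constructed literals, and an empty report after the separation date is the evidence that the IT step of the policy was completed on every system.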
Protecting your organisation’s data
Businesses and employees have been parting ways for hundreds of years. The importance of data and the regulations governing it, however, have changed the game when it comes to ensuring employees no longer have access to sensitive, personal or proprietary information when they leave. The key thing is to recognise this is an issue, put the right policies in place, and work with the right partners to ensure your organisation is protected. Failure to do so could prove costly, both financially and reputationally.