Even under the best of employer circumstances — trustworthy staff that a business hopes to hold onto forever — employee behavior remains the single greatest risk factor to data security. Without training and vigilance, even well-meaning employees can accidentally click on phishing emails, or negate access and encryption protections by entering their credentials and then leaving devices unattended.
Given the severe harm that an honest employee can inflict without meaning to, now imagine what an employee with bad intentions could do — especially a disgruntled, terminated employee who only needs a few moments to steal data and cause his or her former company a world of trouble.
The threat of employees or ex-employees intentionally leaking or stealing data is an issue that reaches across industries and organizations. Even the White House has issues with it; leak investigations have tripled during the current administration.
When employees go rogue
One tale told by a fellow data security MSP is particularly illustrative. A national medical appliance reseller with a large distributed sales team supplied its salespeople with laptops and mobile devices able to access a highly sensitive and confidential client list. A past employee had actually stolen this data to found a competing business, causing the company to very carefully audit and limit list access in the aftermath.
It happened that a certain salesperson needed to be let go, but when the company called her to deliver the bad news and asked her to send the company laptop back, she refused. Unfortunately, this company had proceeded with the termination without consulting with their MSP ahead of time. They did get in touch immediately once the employee had gone rogue, and the MSP’s device security management tools quickly determined that the ex-employee was currently copying client list files to a USB drive. The MSP remotely stopped that file transfer and deleted the critical files, but the employee responded by taking the laptop offline. From there it was a police matter — and one that could have been avoided entirely if the MSP had only been consulted ahead of time.
Preventative measures
Providing effective capabilities and a close, active relationship to curtail the threat of malicious acts by terminated employees can serve as a competitive differentiator that distinguishes an MSP. This is especially true where data security stakes are high or regulatory compliance is a factor. MSPs can, in fact, fully address this threat by providing appropriate tools.
First of all, employees must be made aware (officially so) of data handling rules and the consequences of breaking them, even after termination. This can be managed using tools such as Breach Secure Now!, which we use to provide the appropriate training in data security best practices that all employees require in order to be good custodians of data.
Tools like this will instruct, test, and certify employees on avoiding social engineering attacks, properly safeguarding their devices, and other essential (and current) security practices they might not be aware of. More than that, they also delineate the company’s policies regarding access controls and BYOD devices, as well as behaviors that can lead to termination and what happens after, and they ensure that employees have in fact understood and agreed to follow these policies.
The ability to easily manage and communicate ironclad rules — while making certain their consequences are clear — serves as an effective deterrent for those employees and ex-employees who might otherwise take advantage of any grey areas.
Tools that help
To stop those terminated employees ready to purposely break the rules, MSPs also need tools that can eliminate their ability to do harm before it ever becomes a possibility. For instance, we use Beachhead Solutions’ SimplySecure to allow us to encrypt and remotely manage access to our clients’ data from employee-used desktops, laptops, tablets and phone devices, including — importantly — BYOD devices.
When an employee is terminated, MSPs will want to block all access and delete all company data from devices controlled by that individual. An MSP can even time this action to just before the termination occurs, so that there is no window for an upset ex-employee to do something they’d regret. In the example of the salesperson, if given a proper heads up the company’s MSP could have even enforced encryption and authentication on the company data transferred to a USB drive, thus rendering it secure and useless to the terminated employee. Similarly, MSPs can make use of Active Directory to assemble an effective package for managing rights-based data access privileges.
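The timing point above can be checked after the fact. The following Python example is added here for illustration and is not code from the article or from any product it names. It compares the time of each termination notice with the time access was blocked and the device wiped, and lists USB copy events that fell after the notice. The user names, event names and record layout are constructed assumptions standing in for HR and endpoint-management exports.

```python
from datetime import datetime

# Constructed sample data (not from the article). User names, event names and
# the tuple layout are assumptions standing in for HR and endpoint-tool exports.
NOTICES = {"asmith": "2024-03-04T10:00:00", "bjones": "2024-03-05T14:00:00"}
EVENTS = [  # (timestamp, user, event, detail)
    ("2024-03-04T09:45:00", "asmith", "account_disabled", ""),
    ("2024-03-04T09:50:00", "asmith", "device_wiped", ""),
    ("2024-03-05T14:10:00", "bjones", "usb_file_copy", "client_list.xlsx"),
    ("2024-03-05T14:25:00", "bjones", "account_disabled", ""),
    ("2024-03-05T14:40:00", "bjones", "usb_file_copy", "pricing.xlsx"),
]
# Both controls the article calls for: block access AND remove company data.
REQUIRED = {"account_disabled", "device_wiped"}


def audit_offboarding(notices, events):
    """Per user: controls never applied, minutes of exposure after the
    termination notice (None = still open), and USB copies after notice."""
    report = {}
    for user, notice_str in notices.items():
        notice = datetime.fromisoformat(notice_str)
        applied, copies = {}, []
        for ts, who, kind, detail in events:
            if who != user:
                continue
            when = datetime.fromisoformat(ts)
            if kind in REQUIRED:
                # Keep the earliest time each control took effect.
                applied[kind] = min(applied.get(kind, when), when)
            elif kind == "usb_file_copy" and when >= notice:
                copies.append((ts, detail))
        missing = sorted(REQUIRED - applied.keys())
        if missing:
            exposure = None  # window never closed
        else:
            # The window closes only when the LAST required control lands.
            closed = max(applied.values())
            exposure = max(0, int((closed - notice).total_seconds() // 60))
        report[user] = {"missing_controls": missing,
                        "exposure_minutes": exposure,
                        "copies_after_notice": copies}
    return report


if __name__ == "__main__":
    for user, finding in audit_offboarding(NOTICES, EVENTS).items():
        print(user, finding)
```

In the constructed data, the first user's controls landed before the notice, so exposure is zero; the second user's account was disabled late and the device was never wiped, so the window stays open and both copy events are reported.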
Many data security-savvy MSPs, a good number of them already involved in protecting their clients against actions their current employees might take, need to go a step further and realize the business benefits of offering clients complete protection through the end of the employee-company relationships they oversee.