Every time an employee leaves your business, it places your Intellectual Property (IP) and Critical Data at risk.
Intellectual Property refers to your patents, trade secrets, copyright, trademarks and new concepts or ideas. Critical Data, by contrast, is anything that contributes to the running of your business, including business plans, sales/customer information (impacted by GDPR), rate plans, and financial data such as revenue, profits and stock price.
This post will focus on the importance of protecting Personally Identifiable Information (PII), which is often listed in customer databases and stolen by departing employees. With new GDPR laws, companies have to report breached data to the supervisory authority within 72 hours. If the security breach is likely to result in a high privacy risk for an individual, the individual will also need to be informed of the breach.
Thus, there has never been a more critical time to stop your data walking out of the door with a departing staff member or disgruntled employee. A failure to protect it will result in untold financial and brand damage that may be difficult to recover from.
Here are some tips on what your business needs to consider.
At the outset of your business’s relationship with a staff member, it is important to have the minimum in place:
- Understand where your critical data lies and who has access to such data.
- If your customers or staff members reside in Europe, a Data Protection Impact Assessment (DPIA) will help you to comply with GDPR regulations.
- Build an accountable culture with data and cybersecurity awareness training.
- Identify whether you need to employ a Data Protection Officer (DPO); you can reduce costs by using an outsourced DPO provider.
Your Legal Agreement:
- Ensure employment contracts have strong confidentiality clauses that clearly define what is confidential to the business.
- Update employment contracts to cover your right to monitor and use certain employee data. Employees with access to critical data should have added layers of monitoring attached to their job role.
- Ensure there are clear policies in place on the use of corporate email accounts, limiting the right to use these accounts for third-party services and social media sites.
Your Technical Ability:
- Implement monitoring tools that track the movement of critical data, such as files emailed to personal email accounts, excessive printing of confidential documents, and copying of files containing strings such as bank codes or dates of birth.
- Encrypt critical files to ensure authorised access only, with the ability to remotely remove access rights should an employee leave or exhibit disturbing behaviour.
- Monitor compromised emails and passcodes that have been exposed to the dark web.
- Implement an exit policy to close old accounts, remove access levels and close down redundant web pages.
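
The monitoring checks in the first item above, sketched as an added example (not code from the original post or from Harrman Cyber): it reviews constructed activity records for files emailed to personal accounts, excessive printing of confidential documents, and copied files containing bank codes or dates of birth. The record layout, webmail domain list, patterns and print threshold are all assumptions to adapt to your own logs.

```python
import re
from collections import Counter

# Assumptions (not from the post): domain list, patterns and threshold.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
SORT_CODE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")  # UK-style bank sort code
DOB = re.compile(r"\b(?:0[1-9]|[12]\d|3[01])/(?:0[1-9]|1[0-2])/(?:19|20)\d{2}\b")
PRINT_PAGE_LIMIT = 100  # confidential pages per user per day

# Constructed sample records: (day, user, action, target, pages, content sample)
EVENTS = [
    ("2024-05-01", "alice", "email", "alice.home@gmail.com", 0,
     "Customer list: J Smith 04/11/1982 20-45-77"),
    ("2024-05-01", "bob", "email", "supplier@partner.example", 0, "Invoice attached"),
    ("2024-05-01", "carol", "print", "confidential/rates.pdf", 80, ""),
    ("2024-05-01", "carol", "print", "confidential/plan.pdf", 45, ""),
    ("2024-05-01", "dave", "copy", "E:\\customers.csv", 0, "DOB 23/02/1990"),
    ("2024-05-02", "carol", "print", "confidential/plan.pdf", 10, ""),
]

def sensitive_hits(text):
    """Name the kinds of sensitive string found in a content sample."""
    hits = []
    if SORT_CODE.search(text):
        hits.append("bank code")
    if DOB.search(text):
        hits.append("date of birth")
    return hits

def review(events):
    """Return (user, alert type, details) tuples for the three checks."""
    alerts, printed = [], Counter()
    for day, user, action, target, pages, content in events:
        hits = sensitive_hits(content)
        if action == "email":
            # Any send to a personal webmail domain is flagged; hits add context.
            if target.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
                alerts.append((user, "personal-email", hits))
        elif action == "copy" and hits:
            alerts.append((user, "sensitive-copy", hits))
        elif action == "print" and target.startswith("confidential/"):
            printed[(day, user)] += pages  # judged per user per day below
    for (day, user), total in sorted(printed.items()):
        if total > PRINT_PAGE_LIMIT:
            alerts.append((user, "excessive-print", [f"{total} pages on {day}"]))
    return alerts

if __name__ == "__main__":
    for alert in review(EVENTS):
        print(alert)
```
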
Your HR Processes:
- Include a detailed confidentiality clause in employment contracts and ensure staff members understand their obligations before signing the agreement.
- Implement a data security onboarding process that covers the use and restrictions of managing data and staff members' obligations to security.
- Manage poor performance, weak leadership and disgruntled staff members, as revenge, greed and bitterness are the main factors that motivate people to commit theft and destroy data.
- Apply a process that manages high-risk staff members, including changing access levels due to changes in job role and restricting access levels for departing employees.
- Implement exit interviews to continuously improve the way you manage departing staff members and, with it, your security.
- When a staff member is terminated, made redundant or resigns, institute a process that ensures critical data is returned to the company.
Should a data breach occur:
- Follow the breach of the Data Protection Act (DPA);
- Set up an investigation team to manage the data breach. This may include a mix of in-house and outsourced providers and will typically include the CEO, Board, DPO, forensic investigator, legal, security, public relations and HR.
This is not an exhaustive list; however, for a small to medium business with limited access to security experts, it highlights some of the basic security processes that will help protect your critical data.
Harrman Cyber operates with a conglomerate of data and security experts who provide cost-effective advice, solutions and outsourced expertise to help small to medium businesses protect their critical assets from a data breach.
Tanya Harris, CEO, Harrman Cyber and Cyber Security for SME’s