Ransomware and hacking attacks may be what makes the media headlines. In the real world, however, most data theft is probably the digital equivalent of pickpocketing. It can be done by your own employees, particularly departing employees. They may not even think of it as theft, but that is what it is, and as such you need to stop it. Here are some tips to help.
Have effective data management policies in place
You are legally required to know what sensitive data you have. You should also know why you have it, where it is stored, who has access to it and why they have access to it. As a minimum, you should extend this level of organization and supervision to any data you consider important, e.g. confidential data. Ideally, it should be applied to all data.
Getting this right is a double win.
Firstly, you can only protect what you have if you know what you have and where it is.
Secondly, you avoid employees feeling the need to have their own copy of important data so they know for sure they can find it if they need it again.
Make sure access controls are actively managed
Access controls should be regularly reviewed even when employees stay in the same post for an extended period. The nature of a job can change over time, even if a person’s job title stays the same.
They should certainly be reviewed when an employee changes their post. They must be revoked immediately when a colleague leaves. Immediately means the moment they walk out the door for the last time.
Keep installation privileges for IT staff
Anything an employee needs to do their job should be provided to them by the company. This includes software, which should be controlled centrally by the IT department.
Block USB and CD/DVD drives and personal cloud drives
Letting employees use their own storage media in business computers is just asking for trouble. Block your USB and CD/DVD drives. If an employee legitimately needs access to these drives, then organize this on a case-by-case basis with appropriate safeguards and supervision. Likewise, block access to personal cloud drives. Employees can access them on their phones.
Monitor your printers
As the old saying goes, “there’s no use locking your door if you leave your window open.” There’s no use implementing great digital security if you let employees print out whatever they like. You don’t have to check every sheet of paper. Just make sure that usage is in line with their job requirements.
Organize an exit interview as soon as an employee resigns
Use the exit interview to set clear expectations for the employee during their last month. Explicitly tell them that data theft is theft and can be pursued as such. Make sure they understand that any future employer is unlikely to be pleased to find out that work for them was undertaken using data stolen from another company. Then have them sign a document to confirm that they have understood all this. In short, take away any excuses for stealing data.
- How to protect your business when an employee leaves - 22/10/2020