The most common scenario risk of human-based data loss is when employees leave an organization, either willingly or unwillingly. And that is cause for concern for an IT manager or system administrator.
According to Osterman Research, the median job tenure for US employees is a little more than four years, and a typical organization will experience approximately 24% turnover in their workforce every year. And any of those leaving could take data with them when they leave.
The risks from departing employees causing data loss are stark.
- Costs: The average loss incident costs an enterprise more than $900,000, according to recent Vanson Bourne research.
- Time: Not only can data loss hinder an organization from meeting its goals, the time it takes to recover will have a negative impact on business continuity.
- Legal risk: Data loss can cause a company to be out of regulatory compliance – for example, if the data includes Protected Health Information (PHI) or Personally Identifiable Information (PII). Exfiltrated data and data deletions may make it difficult to comply with litigation holds and legal eDiscovery.
- Reputation risk: Your reputation with partners and customers is in jeopardy after data loss, compounding your legal and business risks.
Even worse, Osterman reports over one in five organizations have no way to recover data that had been under the control of employees when those employees leave.
Five Steps to Reduce Your Risk
The two facets of reducing data loss caused by departing employees are prevention and recovery. Prevention of data loss requires an organization establish policies and procedures to systematically reduce data exfiltration and loss. At a high level, this means your organization should:
- Ensure your organization has policies in place that clearly state organization data is the property of your organization, and the data may not be taken. According to CSO Online research, 84% of employees thought there were no policies that prevented them from taking organization information. Comprehensive policies should be developed with your organization’s Legal and HR teams, and may need to specify that all information, documents, and data created by any employee are property of the organization.
- Make sure employee hiring processes and documents incorporate data ownership and data handling policies. Offer letters and other onboarding forms should contain specific language related to data ownership and data handling policies, as should employee handbooks. This will help each employee understand that all information created while at the organization is to be regarded as proprietary and confidential, even before they start.
- Limit access based on roles and need to know. A key element in data loss prevention is establishing policies to limit employee access and control to sensitive and confidential data by their role, function, and need to know.
- Ensure there are processes in place at offboarding to retain control of organizational data. These processes should include obtaining custody of physical items containing an organization’s data and access to an organization’s systems, and having a departing employee sign off that they have returned all corporate data assets.
- Ensure proper backups are in place, and restores have been tested. With granular, point-in-time backups that can be quickly restored to a departing employee’s manager’s control, managers can easily access their departing employees’ content archives and further ensure data security.
Backup is One Thing — Restore is Everything
Recovery in the event of data loss requires a combination of archival approaches and backup-and-restore approaches. Since data loss can’t be 100% prevented, it’s imperative it can be recovered from quickly. This means your organization should:
- Archive vital content. Email archiving, and the archiving of other data types such as files, social media content, and SMS messages, will provide a legal record should a departing employee attempt to delete important data.
- Plan for, and test, rapid restoration. Given the proliferation of SaaS applications such as Office 365, G Suite, and Salesforce in many organizations, an employee could wreak havoc by deleting a shared folder or customer records. It’s important to backup all application data, and then test the restore process.
Employees will inevitably delete the wrong email, contacts, or critical configurations. Learn more about the risks to your SaaS data.
*** This is a Security Bloggers Network syndicated blog from Spanning authored by Lori Witzel. Read the original post at: https://spanning.com/blog/steps-to-take-now-to-reduce-data-loss-risk-when-employees-leave/