When Employees Leave, Make Sure They're Gone

Employee departures, voluntary or otherwise, are a fact of business life. In our digital, networked, connected age, they're a fact of e-business security, too.

Used to be, not all that long ago, that when an employee gave notice, you'd work out a departure date, arrange to collect keys, ID cards, final expense reports, and various other materials. Maybe you'd do an exit interview, maybe not; same for a goodbye party. In the case of terminated employees you'd accelerate the process, collecting all relevant materials immediately, escorting the employee from the premises, goodbye party not likely.

What a difference a digital revolution makes! Today, an employee resignation -- or layoff -- raises countless questions of company, customer, and co-worker network, computer, and information security. Termination-for-cause raises those same questions, in spades. And if the departing employee -- whatever the reason for the departure -- was involved directly in your company's IT management or operations, the issues and potential threats grow exponentially.

While we all want to believe that our employees, colleagues, and co-workers are as honest and trustworthy as we are, we all also have to face facts. Even as organized crime makes larger and larger inroads into cybercrime, the insider -- and former insider -- threat to your data and network security remains immense. A moment's thought will give you a good sense of what you're up against should your company be insufficiently insulated against disgruntled or criminally motivated former employees:
  • Still-active passwords and network access
  • Stolen -- or unrecovered -- customer information and e-mailing lists
  • Backdoors that allow illicit entry into the network
  • Logic bombs and other sabotage-ware planted before departure
Any one of these can be enough to wreak havoc on your business, and your customers' confidence in your business security. While there's no 100% foolproof way to prevent a former employee from taking digital revenge, there are a number of solid security, management, and just plain commonsense tools and policies you can put in place to reduce your risk.

1. Make policy. One key is a solid, detailed, signed, and enforced security policy. Clearly, an employee bent on stealing data or sabotaging your operations isn't likely to be deterred by signing a policy form, but the form a) sends a message throughout the company that you're serious about security policy and b) can help deter an "on the edge of temptation" employee.

2. Know who knows, and know what they know. Equally important is not only centralizing password and network access management, but also keeping a constant and constantly updated inventory of who has access to what. In addition to minimizing unauthorized and unnecessary access to critical, confidential, and private information, you'll also have a good idea of which employees with access could have made copies of that material. This can be important in the case of terminations.

3. Pink slips can equal data slips. If you're planning a termination for cause, keep it to yourself and the fewest employees and co-workers possible. Any advance warning gives the soon-to-be-gone employee the chance to plant the seeds of a cybertheft or act of sabotage. In the same "No, d'uh" department, should a larger or company-wide layoff be looming, keep it quiet. Odds are your employees already will be passing scuttlebutt based on business conditions and general company demeanor. Don't heighten their anxieties by signaling the cutbacks in advance. Employees who know their jobs are goners may be tempted to take your data security with them.

4. Cut access immediately. Or sooner. When the termination or layoff arrives, make sure it arrives after you or your system administrator have canceled relevant passwords, access codes, etc.

5. Remote control. Telecommuters, mobile, and remote employees pose special layoff/termination concerns, just as every other aspect of their performance and operational management does. Terminations-for-cause should, obviously, be done in person (if possible on site, rather than summoning them to the home office with their equipment: that's a signal you don't want to send). But the same care should be taken with not-their-fault layoffs -- employees who have just been let go but still have access to their notebooks and other equipment can acquire copies of resident data even if their network access has been shut down.

6. Do an audit afterward. The minute to begin an in-depth and ongoing data and network security and access audit is the minute you begin to plan the termination or layoffs. Word does leak out, people do get wind of bad news in the offing. Your IT staff -- or an outside service -- should begin monitoring the entire infrastructure for any indication of unusual, suspect, or outright malicious behavior, copying, deleting, or code-planting. And you should keep an eye out for some time after the departures. (You actually should be watching this all the time, as you undoubtedly know.)

7. Watch for bad word-of-mouth. The Internet provides disgruntled former employees enormous opportunity to spread the bad word about you and your company. Blogs, MySpace, YouTube, e-mailings, and countless other venues can be used to send bad -- and in some cases actionable -- messages about you and your company. Keep your ear to the electronic ground.

Clearly, this is a far from inclusive list -- that personal thumb drive on your employee's keychain might or might not hold company data as the worker drives away for the last time.
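
One way to turn items 2, 4, and 6 into a repeatable check (an added example, not part of the original column): reconcile the departure list against the access inventory and the authentication log. The users, systems, timestamps, record layouts, watched actions, and 14-day watch window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical users, systems and timestamps).
DEPARTURES = {  # user -> time the termination or layoff was delivered
    "jdoe": datetime(2024, 3, 1, 10, 0),
    "asmith": datetime(2024, 3, 1, 10, 0),
}
INVENTORY = [  # item 2: (user, system, revoked_at, or None if still active)
    ("jdoe", "vpn", datetime(2024, 3, 1, 9, 30)),
    ("jdoe", "crm", None),
    ("asmith", "vpn", datetime(2024, 3, 1, 14, 15)),
    ("asmith", "mail", datetime(2024, 3, 1, 9, 45)),
    ("bwong", "crm", None),  # current employee, not in DEPARTURES
]
AUTH_EVENTS = [  # item 6: (timestamp, user, system, action)
    (datetime(2024, 2, 28, 16, 0), "jdoe", "crm", "export"),
    (datetime(2024, 3, 1, 11, 5), "asmith", "vpn", "login"),
    (datetime(2024, 3, 2, 2, 40), "jdoe", "crm", "login"),
    (datetime(2024, 3, 2, 9, 0), "bwong", "crm", "login"),
]
WATCHED = {"export", "delete"}   # assumed labels for copying and deleting
WINDOW = timedelta(days=14)      # assumed pre-notice watch period

def offboarding_findings(departures, inventory, events, window=WINDOW):
    """Return sorted (kind, user, system) findings for departed users."""
    findings = set()
    for user, system, revoked_at in inventory:
        notice = departures.get(user)
        if notice is None:
            continue  # still employed
        if revoked_at is None:
            findings.add(("STILL_ACTIVE", user, system))
        elif revoked_at > notice:  # item 4: revocation should precede notice
            findings.add(("REVOKED_LATE", user, system))
    for ts, user, system, action in events:
        notice = departures.get(user)
        if notice is None:
            continue
        if ts >= notice:
            findings.add(("POST_DEPARTURE_ACTIVITY", user, system))
        elif ts >= notice - window and action in WATCHED:
            findings.add(("PRE_DEPARTURE_" + action.upper(), user, system))
    return sorted(findings)

if __name__ == "__main__":
    for kind, user, system in offboarding_findings(DEPARTURES, INVENTORY, AUTH_EVENTS):
        print(f"{kind:24} {user:8} {system}")
```
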
It's worth undertaking a thorough digital "exit-plan" with your IT manager and staff, considering every possible threat and planning their counteraction. Should your IT manager or high-level tech staff be the terminated party, you have a whole new and even larger can of worms to deal with, which we will explore in an upcoming column.

Just as clearly, most of the matters sketched here should be approached with equal seriousness with your human resources staff and legal counsel. That last can prove vitally important if there is the potential for prosecution of the former employee, whether for alleged criminal activity or potentially libelous or slanderous comments made online after termination.

Most employees, of course, aren't threats, and most of them will depart without taking harmful action against your networks or your company. But you're not planning and deploying your defenses for most employees -- just for the ones who can come back to haunt you after they're gone.

Keith Ferrell is the author of a dozen books and countless magazine and newspaper articles. The editor of OMNI Magazine from 1990-1996, he also is a frequent speaker to corporate and institutional audiences.
