When’s the best time to start protecting your network from a terminated employee? Before you hire the employee.
In the days of paper-based records and information, it was possible to simply escort former employees out of the office, ensuring that they took only personal effects with them. Today, with electronic information and paperless offices, it’s much harder to determine if a terminated employee is removing valuable company information, or has retained access to your system.
Data stored in electronic form are extremely portable, and therefore highly vulnerable to unauthorized access, dissemination, and retention. Network data security must be designed and implemented to ensure ongoing protection from those with malicious intent while providing unproblematic access by authorized users.
Remote Access
Take remote access, for example. It is critical to the smooth operation of many businesses as not all work occurs nine-to-five, and not all meetings take place in one room—or even one continent. But it creates vulnerability: An ex-employee could rummage through your network from afar, unless you’ve disconnected and disabled his remote access.
Personal Devices
The use of company-owned vs. employee-owned smartphones (e.g., BlackBerry, iPhone, Droid) poses similar considerations. For reasons of budget and convenience, some companies allow an employee to carry a single PDA rather than separate personal and business devices. But questions arise when a company wants to completely wipe out the contents of an employee-owned device (which may include both corporate and personal information) upon employee termination. Consult your IT department regarding the ability to selectively erase data from a PDA, your attorney about your rights when selectivity is not an option, and your CEO about the risks of leaving confidential data (including company email and clients’ contact information) on an ex-employee’s handheld device.
Passwords
Passwords constitute another security risk. Make sure that each employee has a unique user ID along with a confidential password that’s not shared with anyone else. In companies where passwords are routinely shared among employees, it’s easy for a former employee to access the network using someone else’s credentials. Hold employees responsible for anything done with their user ID and password, even if it’s done by someone else. Treat login information like an ATM password—keep it secret.

Before hiring your next employee:
- Establish and communicate a company security policy describing each employee’s responsibility for network and data security. Include guidelines for password confidentiality, use of PDAs (possibly including wiping rights), limitations for on-site data access, and restrictions regarding off-site data usage and storage.
- Develop an acceptable use policy that defines what employees may and may not do with the company’s network and data.
- Create termination procedures that cover what needs to be done and who’ll be responsible for doing it.
- Draft and execute (enforceable) confidentiality and non-compete agreements.
- Implement a policy regarding retention or destruction of former employee data (email, desktop, home folder).
As you’re preparing to terminate an employee:
- Preserve recent backup tapes, especially if the employee had reason to suspect that his/her employment might soon be ending. If your business is seasonal, retain several generations of backups indefinitely so you don’t discover next quarter or next year that the ex-employee has deleted everything from the last cycle.
When terminating an employee:
- Disable the network account and change the network password as soon as possible, ideally while the employee is still in the termination meeting with his manager. Be sure to log the user out from his computer and terminate all sessions (including remote access sessions), or he may retain access for as long as the current sessions remain open.
- Wipe all data off the ex-employee’s smartphone (subject to considerations of whether the PDA is company-owned or employee-owned, and what rights have been established).
- Look for other “back doors,” including PC-based remote access (e.g., GoToMyPC, LogMeIn, RDP) that the employee may have installed on his computer and that may remain active even after the network passwords have been changed.
- If the former employee had administrative access to the network or potentially knew multiple users’ passwords (e.g., through a helpdesk role), change all passwords on the network.
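One way to verify the termination steps above after the fact, as an added example that is not part of the original article: the script checks an inventory export for the gaps the checklist names (enabled account, unchanged password, open sessions, PC-based remote access, passwords the ex-employee may know). The data shapes, user names and host names are constructed assumptions.

```python
from datetime import datetime

# Remote-access products the article names; extend for your environment.
REMOTE_TOOLS = ("gotomypc", "logmein")

def offboarding_gaps(user, terminated_at, accounts, sessions, hosts):
    """Return findings for one terminated user (input shapes: see sample data)."""
    findings = []
    acct = accounts[user]
    if acct["enabled"]:
        findings.append(f"account {user} is still enabled")
    if acct["password_set"] < terminated_at:
        findings.append(f"password for {user} not changed since termination")
    # Sessions opened before the account was disabled may stay usable.
    for s in sessions:
        if s["user"] == user and s["ended"] is None:
            findings.append(f"open {s['kind']} session on {s['host']}")
    # PC-based remote access survives a network password change.
    for name, host in hosts.items():
        if host["owner"] != user:
            continue
        for pkg in host["software"]:
            if any(tool in pkg.lower() for tool in REMOTE_TOOLS):
                findings.append(f"remote-access tool '{pkg}' on {name}")
        if host["rdp_enabled"]:
            findings.append(f"RDP enabled on {name}")
    # Admin or helpdesk staff may know other users' passwords.
    if acct["privileged"]:
        stale = sorted(u for u, a in accounts.items()
                       if u != user and a["password_set"] < terminated_at)
        if stale:
            findings.append("rotate passwords for: " + ", ".join(stale))
    return findings

# Constructed sample data (not from a real system).
T = datetime(2024, 3, 1, 15, 0)  # time of the termination meeting
ACCOUNTS = {
    "jdoe":   {"enabled": False, "password_set": datetime(2024, 3, 1, 15, 5), "privileged": True},
    "asmith": {"enabled": True,  "password_set": datetime(2024, 1, 10, 9, 0), "privileged": False},
    "bwong":  {"enabled": True,  "password_set": datetime(2024, 3, 2, 8, 0),  "privileged": False},
}
SESSIONS = [
    {"user": "jdoe", "host": "vpn-gw", "kind": "vpn", "ended": None},
    {"user": "jdoe", "host": "ws-114", "kind": "console", "ended": datetime(2024, 3, 1, 15, 2)},
]
HOSTS = {"ws-114": {"owner": "jdoe", "software": ["LogMeIn Client", "Office"], "rdp_enabled": True}}

if __name__ == "__main__":
    for finding in offboarding_gaps("jdoe", T, ACCOUNTS, SESSIONS, HOSTS):
        print("-", finding)
```

In the sample, the account was disabled and its password changed on time, yet the open VPN session, the remote-access client and the unrotated password of another user are still reported.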
After terminating an employee:
- Activate an autoreply message and/or email forwarding to ensure that requests from clients who attempt to contact the former employee don’t go unanswered.
- Review the former employee’s data to ensure that in-progress work product is saved on the network.
- Unless there’s reason to expect post-termination litigation (which might require preservation of data), follow the requirements of your pre-established policy and formally retain or destroy the former employee’s non-work-product data.
Clearly, the process of terminating an employee is fraught with operational and strategic implications and security risks. Only through careful planning and execution can you contain and minimize these risks. Start now.
Dave Rosenbaum is president of Real-Time Computer Services (RCS), a technology consulting firm focused on meeting the needs of small and midsized businesses.


