This is the third in a four-part series on Internet security, how to monitor and prevent threats to the computers and networks of a small business, and how to combat breaches when they occur.
“Canadians are very well-intentioned people,” says Ben Sapiro, a security expert at TELUS. “The notion of someone leaving and intentionally or unintentionally doing you some harm after the fact isn’t something we like to think about.”
Yet it happens all the time.
Keeping your small business’ data secure is hard enough when your staff is in place. But it gets especially tricky when someone leaves – and all the more so when someone leaves under a cloud.
Mr. Sapiro, along with colleagues at TELUS and the University of Toronto’s Rotman School of Business, has surveyed hundreds of Canadian businesses to assess their security techniques. Among their findings: small businesses suffer most of their data breaches due to negligence on the part of an employee, and the smaller a company is, the more at risk it is when it comes to staff turnover.
Walid Hejazi, a professor of business economics at Rotman, points to three main causes in cases where data walks away with employees. First, employees erroneously think they own data they create – “It’s my data; I built the database, so it’s mine,” as Prof. Hejazi puts it.
Second, they may wish, illegally, to sell it.
Third, they merely want to keep that information on file for when they find new employment – even though it might constitute a major breach of confidential information.
Once you’ve trusted an employee with access to your information, that trust is your first line of defence. But a combination of preparation, education, and thoroughness can help cover your assets at times of change.
Here are some suggestions for keeping your valuable data safe:
1. Prevention and education are key.
The first key to keeping data from walking away with your employees is to make sure that you’re on the same page as your employees to begin with.
First and foremost comes the understanding that, for all the sweat employees put into creating intellectual property for the company, that data still belongs to the company, and can’t follow them when they leave.
“The best place to start out is with an employment contract,” says Mr. Sapiro. Such a contract would spell out the business owner’s right to inspect any computer for proprietary data – even if the computer belongs to the employee.
“This sets the expectations with the employee, and gives the employer certain recourses,” says Mr. Sapiro.
2. Make an orderly transition.
Assuming that the employee’s departure is amicable, make sure you have the information you need from them before they go. Ask for their passwords, and immediately make sure that their e-mail forwards to someone else.
“This person has for some time been representing this company and you don’t want those relationships to end,” says Tom Keenan, a professor of environmental design at the University of Calgary.
Then, start fresh. Prof. Keenan suggests making a backup of the computer’s hard drive, using backup software and DVDs, and then reformatting the computer from the disks that came with it. You never know what malware (or pirated software) the employee might have inadvertently acquired, or what personal information they might have left behind. It’s good practice to let the machine’s next owner start from scratch.
3. Be vigilant about passwords.
Changing all the relevant passwords is an obvious first step, but being thorough can be difficult.
