This is the third in a four-part series on Internet security, how to monitor and prevent threats to the computers and networks of a small business, and how to combat breaches when they occur.
"Canadians are very well-intentioned people," says Ben Sapiro, a security expert at TELUS. "The notion of someone leaving and intentionally or unintentionally doing you some harm after the fact isn't something we like to think about."
Yet it happens all the time.
Keeping your small business' data secure is hard enough when your staff is in place. But it gets especially tricky when someone leaves - and all the more so when someone leaves under a cloud.
Mr. Sapiro, along with colleagues at TELUS and the University of Toronto's Rotman School of Business, has surveyed hundreds of Canadian businesses to assess their security techniques. Among their findings: small businesses suffer most of their data breaches because of negligence on the part of an employee, and the smaller a company is, the more at risk it is when it comes to staff turnover.
Walid Hejazi, a professor of business economics at Rotman, points to three main causes in cases where data walks away with employees. First, employees erroneously think they own data they create - "It's my data; I built the database, so it's mine," as Prof. Hejazi puts it.
Second, they may wish, illegally, to sell it.
Third, they merely want to keep that information on file for when they find new employment - even though it might constitute a major breach of confidential information.
Once you've trusted an employee with access to your information, that trust is your first line of defence. But a combination of preparation, education, and thoroughness can help cover your assets at times of change.
Here are some suggestions for keeping your valuable data safe:
1. Prevention and education are key.
The first key to keeping data from walking away with your employees is to make sure that you're on the same page as your employees to begin with.
First and foremost comes the understanding that, for all the sweat employees put into creating intellectual property for the company, that data still belongs to the company, and can't follow them when they leave.
"The best place to start out is with an employment contract," says Mr. Sapiro. Such a contract would spell out the business owner's right to inspect any computer for proprietary data - even if the computer belongs to the employee.
"This sets the expectations with the employee, and gives the employer certain recourses," says Mr. Sapiro.
2. Make an orderly transition.
Assuming that the employee's departure is amicable, make sure you have the information you need from them before they go. Ask for their passwords, and immediately make sure that their e-mail forwards to someone else.
"This person has for some time been representing this company and you don't want those relationships to end," says Tom Keenan, a professor of environmental design at the University of Calgary.
Then, start fresh. Prof. Keenan suggests making a backup of the computer's hard drive, using backup software and DVDs, and then reformatting the computer from the disks that came with it. You never know what malware (or pirated software) the employee might have inadvertently acquired, or what personal information they might have left behind. It's good practice to let the machine's next owner start from scratch.
3. Be vigilant about passwords.
Changing all the relevant passwords is an obvious first step, but being thorough can be difficult.
Sometimes employees will have access to shared or master logins. (For instance, does anyone in your office share a login like 'admin'? Time to change that, and give everyone their own.) Be sure to change passwords for remote-access applications, any online-database services you might be paying to subscribe to, and most especially any online stores you purchase from. (Unless you want 100 prank books ordered in your name from Amazon.)
Even if they don't plan to conduct industrial espionage, you never know who's squirreled away login information to a useful website or ten. That alone is a good reason to rotate all your passwords on a regular basis - and not to be too predictable about it.
"A guy showed me, after he left a major city government, that he could still get into their financial files," recalls Prof. Keenan. "I said, but you've been gone for a year. And he said, every month they change the password, and the first part of it is the first three letters of the month."
4. Watch out for USB keys.
USB keys spell security trouble even when employees are with a company - and it just gets worse after they leave.
For instance, many employees are in the habit of throwing their work onto a USB key at the end of the day, so they can continue their work at home. But these keys are easily lost, and - being in such abundant supply - they change hands with great frequency without being cleaned. An employee might take some spreadsheets containing credit card numbers home on a USB key, only to unthinkingly use the same key a week later to pass a PowerPoint presentation to a client.
Commercial encryption technology is one solution. Alternatively, it's possible to disable USB keys on company computers - in which case, a company should make sure that there's a web-based file-sharing service at its employees' disposal.
But this is an area where education and vigilance might be most helpful. Have clear policies about taking work home on USB devices, and make it clear that when an employee leaves, they can't take a USB key's worth of company data home with them.
5. Keep your eyes on the cloud.
The arrival of so-called "cloud computing" services like Google Apps - which don't live on any single computer, but instead run as a site you log into with your browser - means it's not just your network you have to secure.
Online applications are great for collaboration: one user creates a document, and grants other users access to it. Especially if your organization is using Google Docs, make sure that these documents are created through a company account, or one of the principals' accounts - and not the personal account of an employee.
If it so happens that the documents are "owned" (in the computing sense, not the legal one) by an employee, and that employee leaves the organization under less-than-ideal circumstances, they can withdraw access to the formerly-shared documents. This can lead to a personal wrangle, if not a legal one.
Also, remember that employees will often grant access to shared company documents to third-parties - clients, contractors, and colleagues. This might be perfectly legitimate at the time, but when employees leave, the access rights they granted might live on, unnoticed.
Mr. Sapiro suggests that principals should sit down with staff periodically to review who has access to company accounts, and whether they still need it.
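The review Mr. Sapiro describes can be done systematically rather than from memory. The script below is an added example, not code from the article or from any of the people quoted in it: it walks a flat export of document permissions (one row per document and grantee, in the shape a Google Drive permissions listing would give you, but here loaded from constructed sample rows rather than a live API call) and flags the cases the last few paragraphs warn about: documents owned by an account the company does not control, shares still held by departed staff, open link sharing, and external shares that may have been legitimate when granted but need confirming. The company domain, the staff rosters, the sample rows and the function names are all assumptions made for the example.

```python
"""Offboarding access review over a shared-document permission export.

Added example (not the article's own code). Assumes a flat export with one
record per (document, grantee); the sample rows below are constructed.
"""
from dataclasses import dataclass

COMPANY_DOMAIN = "example.com"  # assumption: the company's own mail domain

# Constructed sample export, one record per (document, grantee).
SAMPLE_PERMISSIONS = [
    {"file": "Q3 pricing.xlsx", "owner": "alice@example.com",
     "grantee": "bob@example.com", "role": "writer"},
    {"file": "Q3 pricing.xlsx", "owner": "alice@example.com",
     "grantee": "cfo@client-corp.com", "role": "reader"},
    # Created from an employee's personal account, which the company cannot control.
    {"file": "Client list.docx", "owner": "dave.personal@gmail.com",
     "grantee": "alice@example.com", "role": "writer"},
    {"file": "Client list.docx", "owner": "dave.personal@gmail.com",
     "grantee": "dave@example.com", "role": "writer"},
    {"file": "Roadmap.pptx", "owner": "alice@example.com",
     "grantee": "contractor@freelance.net", "role": "writer"},
    {"file": "Roadmap.pptx", "owner": "alice@example.com",
     "grantee": "anyoneWithLink", "role": "reader"},
]

# Assumed rosters: who works here today, and who has left.
CURRENT_STAFF = {"alice@example.com", "bob@example.com"}
DEPARTED_STAFF = {"dave@example.com"}


@dataclass(frozen=True)
class Finding:
    file: str
    account: str
    reason: str


def domain_of(address: str) -> str:
    """Lower-cased mail domain of an address; empty for link-style grantees."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def review_permissions(records, current_staff, departed_staff,
                       company_domain=COMPANY_DOMAIN):
    """Return a list of Findings for every permission that needs attention."""
    findings = []
    owner_checked = set()
    for rec in records:
        file, owner = rec["file"], rec["owner"]
        grantee, role = rec["grantee"], rec["role"]

        # A document owned by a non-company account can be withdrawn by its
        # owner after they leave; report it once per document.
        if domain_of(owner) != company_domain and file not in owner_checked:
            owner_checked.add(file)
            findings.append(Finding(
                file, owner, "owned by a non-company account; transfer ownership"))

        if grantee == owner:
            continue  # the owner's own entry is not a share

        if grantee in departed_staff:
            findings.append(Finding(
                file, grantee, f"departed employee still has {role} access; revoke"))
        elif grantee == "anyoneWithLink":
            findings.append(Finding(
                file, grantee, f"open link sharing ({role}); restrict"))
        elif domain_of(grantee) != company_domain:
            findings.append(Finding(
                file, grantee, f"external {role} access; confirm still needed"))
        elif grantee not in current_staff:
            findings.append(Finding(
                file, grantee, "company account not on current roster; investigate"))
    return findings


if __name__ == "__main__":
    for f in review_permissions(SAMPLE_PERMISSIONS, CURRENT_STAFF, DEPARTED_STAFF):
        print(f"{f.file:18} {f.account:28} {f.reason}")
```

Run against the sample rows it reports five items: the client list owned from a personal Gmail account, the departed employee's lingering write access to it, the two external shares and the open link on the roadmap. The same pass run monthly, and again on the day someone leaves, is the review the article recommends, with the departed-staff set updated each time.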
Special to The Globe and Mail