When employees leave a company and take sensitive data with them, intentionally or not, the repercussions can be massive. In February of this year, an employee leaving the FDIC exposed 44,000 FDIC customers’ personal information when she downloaded the data to her personal storage device. Later the same month, a former employee of UK regulator Ofcom offered his new employer as much as six years of sensitive data provided to the regulator by television companies.
A recent survey of 400 employees by Veriato, a provider of employee monitoring software, found that a third of respondents believe they own or share ownership of the corporate data they work on; more than half feel it's acceptable to take corporate data with them when they leave a job.
"The potential damage from even one employee taking confidential and proprietary customer data, software code or login credentials with them to a new job, especially with a competitor, is astronomical," Veriato COO Mike Tierney said at the time.
So what should companies do to prevent such potentially serious damage?
Know Your Data: What Is It and Where Is It
It's crucial to focus on what really matters in protecting sensitive data, said AvePoint product analyst Ben Oster. "You can have all these policies in place, but if HR lets somebody walk over and plug in a USB drive after they've been let go, it doesn't matter," he said.
The FDIC breach, Oster said, offers a perfect example. "She plugged her drive in and just copied a folder that she thought was her information, and it turns out it wasn't. The issue is not that she was able to copy that data; the issue is that that data existed outside of anyone's knowledge of where it was."
So the first and most important step, Oster said, is to classify your data and clarify where it resides in your environment. "If we can't actually break down how to discover it or classify it, we can't start to put things in place that say, 'You can't take this document,' because we don’t know what's in it."
Organizations must understand what they are trying to protect before they can stop anyone from exposing it, intentionally or unintentionally. "The answer is really to take a data-centric approach to protecting your information," Oster stressed.
For the average organization, about 60 to 80 percent of stored information is "dark" data, Oster said: the organization simply has no idea what it contains or where it lives.
"You really need to get in there and figure out what that is, because if you don't, you're going to see things get even fuzzier," he said.
Take Holistic Approach to Data Loss Prevention
Michela Menting, research director at ABI Research, said a good data loss prevention (DLP) solution can be key to protecting your data. Still, she noted, solid data protection reaches far beyond just that one solution; rather it’s about applying proper frameworks for authentication, information governance, encryption technologies, and endpoint and network security.
"DLP systems act as enforcers of data security policies by performing deep content inspection and a contextual security analysis of transactions," Menting said. "They provide a centralized management framework designed to detect and prevent the unauthorized use and transmission of confidential information."
Given that scope, Menting said, implementing a DLP solution isn't a plug-and-play process. "Enterprises seeking to integrate and implement DLP should be prepared for a significant effort that, if done correctly, can greatly reduce risk of data loss to the organization."
The nature of a company's DLP implementation will likely depend on its size, Menting said. "Large organizations with huge volumes of data to protect will prefer to go for a complete content-aware DLP solution, while SMBs may prefer to use DLP as an add-on feature integrated into pre-existing security solutions."
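To make concrete what the "deep content inspection" and "contextual security analysis" Menting describes look like, and how the classification work Oster calls for feeds policy enforcement, here is a small added example. It is not AvePoint's, ABI Research's, or any DLP vendor's code; the two detectors (SSN and payment-card patterns), the Luhn checksum used as the contextual check, the label names and the channel rules are all assumptions chosen for illustration, and the sample documents are constructed. The one behaviour worth noticing is that a document nobody has classified is treated as an open question ("review") rather than silently allowed or blocked, which is the "dark data" gap the article keeps returning to.

```python
"""Toy content-aware classifier and DLP policy check (added example).

Not AvePoint's, ABI Research's or any vendor's code. The detectors, labels
and channel rules are assumptions chosen to show the idea; a real DLP
product uses far richer dictionaries, fingerprints and context than two
regular expressions and a checksum.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# US-style SSN: three groups, with the obviously invalid area/group/serial
# values (000, 666 or 9xx area; 00 group; 0000 serial) excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by spaces or dashes. On its own this
# pattern over-matches (order numbers, tracking IDs), so every hit is run
# through the Luhn check below before it counts as a payment-card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Explicit banner a document may carry, e.g. "Classification: Internal".
LABEL_RE = re.compile(r"^Classification:\s*(\w+)", re.MULTILINE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str    # "ssn" or "card"
    value: str   # matched text (digits only for cards)


def inspect(text: str) -> list[Finding]:
    """Deep content inspection: every validated sensitive token in the text."""
    findings = [Finding("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):          # contextual check that drops look-alikes
            findings.append(Finding("card", digits))
    return findings


def classify(text: str) -> str:
    """Label a document: content findings win, then a banner, else it is dark."""
    if inspect(text):
        return "restricted"
    m = LABEL_RE.search(text)
    if m:
        return m.group(1).lower()
    return "unclassified"            # the "dark data" the article warns about


# Assumed channel rules: where may a document with a given label be sent?
ALLOWED = {
    "restricted": {"corporate_share"},
    "internal": {"corporate_share", "removable_media"},
    "public": {"corporate_share", "removable_media", "personal_cloud"},
}


def decide(label: str, channel: str) -> str:
    """Enforcement point: 'allow', 'block', or 'review' for unknown content."""
    if label == "unclassified":
        # Nothing is known about the content, so no policy can be applied with
        # confidence; flag it for discovery instead of silently deciding.
        return "allow" if channel == "corporate_share" else "review"
    return "allow" if channel in ALLOWED.get(label, set()) else "block"


# Constructed sample documents (not real data).
SAMPLE_FILES = {
    "customer_export.csv": "name,ssn,card\nJ. Doe,078-05-1120,4111 1111 1111 1111\n",
    "order_log.txt": "Order ref 1234 5678 9012 3456 shipped; desk phone 555-0100\n",
    "q3_roadmap.txt": "Classification: Internal\nRoadmap draft for Q3.\n",
    "lunch_menu.txt": "Tuesday: tacos\n",
}


def scan(files: dict[str, str]) -> dict[str, str]:
    """Classify every file in a (name -> contents) mapping."""
    return {name: classify(text) for name, text in files.items()}


if __name__ == "__main__":
    labels = scan(SAMPLE_FILES)
    for name, label in labels.items():
        print(f"{name:22} {label:13} copy to USB -> {decide(label, 'removable_media')}")
    dark = sum(1 for lbl in labels.values() if lbl == "unclassified")
    print(f"{dark}/{len(labels)} files are unclassified (dark) data")
```

The order log contains a 16-digit reference that the bare card pattern matches but the Luhn check rejects, so it is not promoted to "restricted"; without that second, contextual step the false-positive rate of a pattern-only scanner makes users route around it, which is exactly the behaviour Oster describes below. Note also that the customer export would be labelled "restricted" even if someone had stamped it "Classification: Public", because content findings take precedence over a banner.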
It's the Employee Training, Stupid
AvePoint's Oster said a strong security awareness training program can help prevent inadvertent data breaches caused by departing employees.
"As consumers and employees, we need to be more aware of what we're doing with data, what that content actually means, and what the privacy and compliance implications are of everything we touch on a daily basis," he said.
But employee education alone isn't enough. "If you aren't -- outside of teaching people how to work in your environment -- aware of what your content is doing, where it lives and what lives where, you’re never going to be able to truly say your data is safe or your content is safe," Oster said.
Similarly, while encrypting sensitive data can help, it can't prevent all breaches. "Even encrypted information is not necessarily safe, because there are so many different methods and levels of encryption," Oster said. "Look at the LinkedIn data breach – that information is available in an unsalted hash."
Use Right Level of Encryption
There's also a balance to consider between security and ease of use. "If you're encrypting every single piece of information everywhere, the workload becomes larger, it becomes harder for your end users to use that data, and you're actually more likely to drive them onto a system that's not under your control," Oster said.
And once employees start saving corporate data to their own Dropbox or OneDrive, you've lost track of it. "So while encryption can protect the data when it's in motion or at rest, anything that makes it harder for your end users to get their jobs done likely pushes them toward a solution that you don't want," Oster said.
Final Steps for Employee Offboarding
Ultimately, Oster said, the actual steps you take during an employee offboarding process are far less important than the work you do in advance, in terms of discovering, locating and classifying your data.
Still, once an employee has been terminated, they should not be allowed to touch any company system or device again, not even under HR's supervision.
"We saw a case once where a company terminated an employee, and then HR walked them back and let them plug in a USB drive -- and they promptly took 20 GB worth of information," Oster said. "It doesn't matter how good your information security is if HR is letting them do that."
It gets more complicated when an employee leaves voluntarily and on good terms. "You can't stop them from working for their last day; you can't stop them from using their laptop in a way that they would every other day," Oster said. "So how do we control that information? It comes down to making sure you know where that information lives."
The best way to make sure employees don't leave with data they shouldn't have is to know exactly where that data resides and to ensure employees can't access anything they aren't supposed to. Both depend on discovering and classifying your data long before any employee's departure.
Jeff Goldman is a freelance journalist based in Los Angeles.