When it comes to organisational risk, leaders tend to primarily focus on external factors and Information Technology (IT) controls. The internal risks, however, can be just as great. Commonly referred to as an ‘insider threat’, employees can pose some of the greatest operational and reputational risks to organisations - whether inadvertent or malicious.
When it comes to departing employees and valuable Intellectual Property (IP) or Commercially Sensitive Information (CSI), proactive risk and control measures need to be considered. The media is littered with articles about the unintentional loss of portable drives containing sensitive data and disgruntled ex-employees who have deliberately set about taking data when they exit the business.
Regardless of intent, such incidents can leave a lasting negative impact on the business, resulting in loss of value or reputation and significant recovery costs.
To help prevent this, BDO’s Forensic Services experts have identified four key areas that should form part of any critical employee exit process. Every organisational leader should consider, act and respond appropriately in accordance with their organisation’s own risk profile.
1. Preventative controls
First, organisational leaders and senior IT professionals must understand what their organisation’s critical data assets are, where they are located, how and by whom they are accessed, and by what means they could potentially be extracted and taken from the organisation.
Prevention is far better than responsive action. Preventative controls can be embedded across employment contracts, information system security controls, learning and development and appropriate access management policies and procedures.
2. Detective controls
Modern technology and connectivity are often the catalyst for data and information risks, but they also provide a means for the pro-active detection of information theft. Appropriate IT controls are designed to enhance trust through protection rather than erode it as is the common perception.
Organisations should consider how staff interact with critical information assets both internally and externally, common practices and information exchanges, and the security of platforms and processes. Proactive monitoring controls don’t need to be invasive, but can automatically trigger warnings or even prevent inappropriate activity attempts. Such controls may include activity logging, asset registration access restriction, prevention of replication or distribution with automated notifications to flag suspicious activity.
3. Departure checks
When critical employees who have high level access to sensitive information are leaving an organisation, particularly under acrimonious circumstances, there is an opportunity to preserve potential evidence of wrongdoing. It may be as simple as obtaining and storing a forensic image of their computer and preserving activity and system logs. These simple and cost effective measures can significantly reduce recovery and legal costs if misdeeds are subsequently identified.
It's also important to highlight exit protocols and requirements during this process.
4. Response
In circumstances where it’s suspected that IP or CSI has been taken, proper response protocols, timing and prior preparation will be the difference between an efficient, successful response strategy and a costly, drawn-out exercise - with no guarantee of success if electronic evidence is lost or overwritten.
Let’s consider a case study
James leaves his employer to join a competitor. Prior to his departure, he accesses the intranet and copies critical organisational documents - including customer contact lists, supplier information and cost pricing - to his desktop. He also copies key emails and business document templates, reports and strategy documents. James tries to email the files to his personal email address but fails as they are too large. He then tries to upload the files to a personal cloud storage facility, but finds he doesn’t have the required user authority. He then copies the data to a USB portable disk drive. On his departure, he takes the portable drive with him.
Following his departure, a staff member becomes aware that James has been contacting the organisation’s customers and suppliers and is using documentation that appears virtually identical to his former employer’s materials.
Separate to any employment related contractual obligations, it’s clear that while the organisation did have some proactive controls in place, including user access restrictions, there were shortcomings in their approach.
Further investigation by forensic technology specialists can provide a wealth of additional evidence, such as user activity (including internet, email, and cloud storage) system and file related activity and possibly extending to information about what files were accessed and copied to the USB device (even though the device itself is no longer present).
Whilst there are responsive avenues, a proactive, preventative approach would have been a far more effective and cost efficient means to reduce risk for James’ former employer.
Mitigating your organisation’s risks
Our Employee Departure Checklist is a valuable tool to assist organisations in understanding and managing an employee’s departure. Equip yourself with the knowledge and checks necessary to reduce risk and protect your valuable data, brand and reputation.