The processes for keeping data safe when employees leave a company are fundamental data protection best practices: backup, archive and encryption. Yet barely half of the organizations that took part in a recent survey have a plan that ensures data can be recovered if an employee changes or deletes it on the way out the door.
Osterman Research conducted a survey of 187 IT and human resources professionals in October 2016 and released the findings this month. The results show organizations are generally not prepared for data theft protection issues with departing employees, said Osterman Research president Michael Osterman. The report found that fewer than three in five organizations have a backup and recovery platform that ensures data can be recovered if an employee maliciously changes or deletes data before giving notice to leave.
“They know what to do, they’re just not doing it very much,” Osterman said.
Osterman suggested organizations should develop a plan for this issue and nail down who’s in charge of ensuring sensitive data is protected.
The report found that 69% of the business organizations surveyed had suffered significant data or knowledge loss from employees who had left.
Those employees may not have taken data mischievously. According to the report, there are three reasons employees leave with corporate data: They do it inadvertently; they don’t feel that it’s wrong; or they do it with malicious intent.
Mobilizing mobile protection
The BYOD movement has complicated matters. For example, an employee can create content on a personal mobile device and store it in a personal Dropbox account or another cloud-based system. That content never hits the corporate server.
“Get control over that kind of content,” Osterman said. One way to do that is to replace personal devices with ones managed by IT.
Virtual desktops can help data theft protection. Because they store no data locally, virtual desktops make it more difficult for employees to misappropriate data, the report said.
The report stressed it is important that “every mobile device can be remotely wiped” so former employees don’t have access to the content.
“Enterprise-approved apps and any associated offline content can be remotely wiped, even if the device is personally owned,” the report said.
Backup, archive, encrypt
A proliferation of cloud applications also makes it harder to recover employee data.
“While IT has the ability to properly back up all of the systems to which it has access, a significant proportion of corporate content, when stored in personally managed repositories, is not under IT’s control,” the report said. “Office 365, as well as most cloud application providers, do not provide backup and recovery services in a holistic manner, and so organizations can have a false sense [of] security about the data that is managed by their end users.”
To maintain complete visibility of sensitive corporate data across all endpoints, cloud applications and other storage repositories, the report suggests deploying a content archiving system.
“Email archiving is the logical and best first place to start the process of content archiving, but other data types — such as files, social media content, text messages, web pages and other content — should also be considered for archiving as well,” the report said.
The data theft protection report advocates encrypting data in transit, at rest and in use, regardless of its location. In addition to manual encryption, Osterman Research recommends encryption that automatically scans content based on policy and then encrypts it appropriately.
“Encryption alone can prevent much of the data loss that occurs when employees leave a company,” the report said.
Report ‘hit a nerve’
In a fairly decent economy, approximately one in four employees will leave a company in a year, Osterman said.
An Osterman Research client originally suggested the organization undertake the data theft protection report.
“I think it hit a nerve with a lot of companies,” Osterman said.
The sponsors of the report were Archive360, Druva, Intralinks, OpenText, Sonian, Spanning, SyncHR and VMware.
The fundamental goals of the report were to make people more aware of the issue and what can happen if they are not careful with data, and to raise awareness about backing up data and archiving, Osterman said.