Information security and the employee exit checklist: Part I

Oct 11, 2019

Don was once your best sales manager. Debra was a polished exec in your C-suite. Joel and Ray were your crackerjack IT team.

Today they’re all working at other businesses. But now you suspect Don is using your proprietary customer list. You worry that Debra might have shared your next big product idea with a competitor. And you discover that Joel and Ray still have access to your network and have now exposed your company to a huge security risk. What do you do?

The better question is, what should you have done before, during and after their employment? In part one of this blog, we’re going to discuss what actions businesses and organizations can take before and during employment to help protect themselves. In part two, we discuss what to do when an employee hands in their resignation.

It’s vital to have the right policies and procedures

Preserving and protecting your information — and your rights as an employer — starts by having the right policies and procedures in place. While many organizations groan at the thought of spending time and money to create or update their policies and procedures, this is one huge area of protection that could be disastrous to overlook.

Policies and procedures form the foundation for: 1) establishing expectations for conduct, 2) training staff and 3) holding staff accountable. In the absence of these policies, you may be limited in actions you can take if you discover a current or former employee was engaged in wrongdoing. 

For example, if you don’t have an acceptable use policy that lays out expectations of privacy when using company email or devices, you could be limited in looking at current or former employees’ email accounts to verify if they’re engaged in wrongdoing. 

Then there’s a policy laying out ownership of intellectual property rights. If you don’t have this policy in place and an employee quits and takes vendor contracts, customer lists or other proprietary data or ideas, you could be limited in what you can claim the employee shouldn’t have taken or disclosed to third parties.

And what about a policy requiring employees to return all equipment, such as laptops and access keycards, upon termination? If you don’t have this policy and a former employee takes the equipment with them, you may not be able to take the cost of the equipment out of the employee’s final paycheck. 

Information security policies to enact before employees are hired

When it comes down to it, a lack of policies limits what you can hold employees accountable for and how you can enforce appropriate and expected behavior. If you don’t have these in place already, here are three actions to take before you hire another employee:

  1. Establish and maintain appropriate policies regarding confidential information, expectations of privacy and your company’s ability to monitor activity.
  2. Make it clear that your company owns — and the employee has no rights to — organizational cell phone numbers, blogs, social media accounts, websites, etc.
  3. Never reissue equipment from key employees without new or newly cloned or reimaged hard drives.

What about current employees?

With policies in place, now it’s time to move on to procedures. There are several procedures that help protect vital information in the workplace:

  • Restrict access to sensitive information: Employees should only have access to the data and information they need to do their jobs. After putting these restrictions in place, make sure to periodically review access, especially when employees are promoted, change roles or move within the organization.
  • Maintain or monitor activity for unauthorized use: Check whether inappropriate technology use is happening, such as unauthorized cloud storage, web-based email or transmission sites, or the improper transmission of documents as attachments to email.
  • Review logs: Periodically review activity logs for unauthorized, inappropriate or unexpected activity.
  • Maintain records: Maintain complete and current records of equipment assigned to employees, as well as equipment that all employees have access to.
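
As an added illustration (not part of the original article), the periodic access review from the first bullet can be run as a reconciliation of HR records against account entitlements. The record layouts, role baselines, sample people and the 90-day review interval below are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names, roles and the 90-day interval are assumptions.
ROLE_BASELINE = {
    "sales_manager": {"crm"},
    "sysadmin": {"vpn", "domain_admin", "backup_console"},
    "account_exec": {"crm", "contracts_share"},
}
HR_ROSTER = {  # employee -> (status, current role, date of last role change)
    "don":   ("terminated", "sales_manager", date(2019, 3, 1)),
    "joel":  ("terminated", "sysadmin", date(2018, 6, 1)),
    "maria": ("active", "account_exec", date(2019, 9, 15)),
    "lee":   ("active", "sales_manager", date(2017, 1, 10)),
}
ACCOUNTS = {  # employee -> (account enabled, entitlements, date of last access review)
    "don":   (False, {"crm"}, date(2019, 2, 1)),
    "joel":  (True, {"vpn", "domain_admin"}, date(2019, 1, 5)),
    "maria": (True, {"crm", "contracts_share", "domain_admin"}, date(2019, 8, 1)),
    "lee":   (True, {"crm"}, date(2019, 2, 1)),
}

def review_access(roster, accounts, baseline, today, max_age_days=90):
    """Return sorted (employee, finding) pairs for a periodic access review."""
    findings = []
    for user, (enabled, grants, reviewed) in accounts.items():
        # Accounts with no HR record are treated as belonging to an unknown person.
        status, role, role_changed = roster.get(user, ("unknown", None, None))
        if not enabled:
            continue  # disabled accounts carry no live access
        if status != "active":
            findings.append((user, f"enabled account for {status} employee"))
            continue
        excess = grants - baseline.get(role, set())
        if excess:
            findings.append((user, "access beyond role: " + ", ".join(sorted(excess))))
        if role_changed > reviewed:
            findings.append((user, "role changed since last access review"))
        elif (today - reviewed).days > max_age_days:
            findings.append((user, "access review overdue"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE, date(2019, 10, 11)):
        print(f"{user}: {finding}")
```

In practice the two inputs would come from an HR system export and a directory or identity provider export, and the findings would go to whoever owns the access review.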

Preparing your employee exit checklist

Many employers find it uncomfortable to even think about the chance of fraud happening internally. We often see three challenges acting as a barrier to getting the right policies and procedures in place. 

First, many employers don’t want to believe their staff would ever steal from them. But it’s important to recognize that some employees will have a financial motive for stealing, will rationalize the theft in some way and — because of a lack of internal controls or other preventive measures — will have the opportunity to commit fraud. Taking the actions discussed above will help mitigate this risk. 

Second, many employers haven’t had issues with current or former employees committing wrongdoing, so mitigating risk doesn’t seem pressing. It’s a time and resource commitment that isn’t driving the next sale or helping you deliver services.

But all it takes is one current or former employee gone bad to really harm an organization to the point of questioning its survivability. While you don’t have to implement everything we discussed above, start working on it now and build it out over time. Taking action in small steps will be easier on your organization and more manageable for you.

Finally, a lot of organizations that don’t have experience with this don’t know where to start. And that’s where a third party can help by bringing experience, best practices and an objective outside perspective.

At Wipfli, we perform fraud risk assessments, internal controls reviews and assessments, digital forensics and other services that can help your organization identify areas of improvement and mitigate your risk.

Author(s)

Marc Courey
Marc W. Courey, CPA/CFF, JD, LLM, CFE, CICA, CCEP, CIA
Director – Forensic & Litigation Services