Guest Column | October 19, 2018

Why MSPs Must Secure Sensitive Data When Clients Fire Employees

By Jason Ricketts, Corptek Solutions


On the hierarchy of data security risk factors, employees themselves remain far and away the greatest threat organizations must account for. Technology only helps so much: It is extraordinarily difficult for any security solution to protect data when users with access don’t act appropriately to safeguard their credentials and deter attacks. At the same time, it’s not at all uncommon for employees with the best of intentions (but perhaps not the best training) to unwittingly trigger data breach events, such as by logging into devices and leaving them where others can access them, failing to keep passwords secret, falling prey to phishing emails, and so on.

Then there’s an even more dangerous category of employee: one who has just been terminated. It’s certainly within reason to imagine such individuals may have issues with their (now former) employers and be in the mindset to do them harm. If the termination isn’t executed carefully, they might also retain the access needed to steal or expose sensitive data — and do real damage to a company they wish revenge upon. While this obviously isn’t the norm, the consequences can be crippling enough that every organization — regardless of size — ought to be prepared. In our experience, too many still aren’t.

A Cautionary Tale

Here’s a true-to-life example that very starkly demonstrates the risks of a careless employee termination process, recounted to us by a colleague in the data security MSP field. A client of theirs utilizing a large and nationally-distributed sales team possessed an exceptionally valuable list of customer leads. It regarded this list so highly that its remote salespeople were sent laptops and other devices to use for list access, which was limited only to specific sections and closely audited. The company’s caution was well founded: In a past event, a former employee had made off with list data and used it to launch a current competitor.

Unfortunately, for all the care this company put into protecting its list, it still had another hard lesson to learn about securing data throughout the employee termination process. When the company informed a poorly performing employee that she would no longer be working there and gave instructions on how to return the company-owned laptop, she said no and cut off contact. The company rapidly alerted its MSP to the situation — which it should have done before the termination was ever communicated to the employee — and the MSP used its device security management solution to quickly recognize that the terminated employee was transferring the closely guarded list files to her own external drive. The MSP was able to stop that transfer and delete the files remotely, prompting the ex-employee to then turn off the laptop’s internet connection. The company then called the police. In the end, the MSP politely informed the company that this potential breach wouldn’t have had a chance to happen if the MSP had simply been given a heads-up to secure the data before the employee was informed of her termination.

MSPs: Close The Loop When It Comes To Employee Training And Termination

MSPs ought to take a lead role in integrating themselves into clients’ employment practices from a data security perspective, ensuring and even providing proper employee training practices and termination procedures. It’s to the mutual benefit of clients and MSPs to forge this close bond: clients better secure their data while receiving assistance in meeting any regulatory compliance requirements they’re subject to, and the MSPs delivering these services can distinguish themselves on the competitive landscape.

Many tools, like Breach Secure Now!, are available to help MSPs deliver and manage employee training in data security best practices within client organizations. Such tools ensure that employees are clearly informed, tested, and certified in proper data handling, including how to protect their devices, follow BYOD access rules, defeat social engineering attacks, and adhere to specific company policies and regulatory requirements. This employee training also makes clear — and has employees acknowledge that they have understood — any behaviors that would be grounds for termination, and the criminal penalties of engaging in practices harmful to the company after termination. Delineating these facts provides a clear deterrent in those scenarios where an upset ex-employee might take an action they’d later regret.

It’s also essential that MSPs eliminate dangers by completely removing an employee’s access to data at the very beginning of the termination process. MSPs should enlist tools designed to secure data across devices in a seamless manner. In this realm we use Beachhead Solutions’ SimplySecure for its encryption and remote access management capabilities, which let us instantly delete and remove access to client data even on employees’ own BYOD desktops, laptops, tablets, and phones.

For both employers and the MSPs that provide for their data security needs, relationships are key to success. Through helping clients to better end their relationships with employees safely and amicably, MSPs can strengthen their own business relationships with clients by delivering these rare and highly valuable benefits.

About The Author

Jason Ricketts is CEO of Corptek Solutions, a corporate IT consulting company that specializes in providing small and midsize businesses with enterprise-level IT capabilities.