It’s a good question and one that many organizations don’t think about thoroughly. You take a lot of time onboarding an employee by doing background checks, checking references, and determining what information systems and data access the person needs to do her or his job. You may have a comprehensive provisioning system that grants access to all applications and data.
But how about when someone leaves? It’s great that you de-provision access the INSTANT someone becomes a former employee, but how do you protect the confidential data she or he may have been taking out each night for the last few weeks? Organizations spend a lot of money guarding against cyberattacks from hackers and other external people, but many don’t do enough to protect their data from threats of former employees.
While an employee or contractor, many people create and use a lot of documents that contain intellectual property, financial data, employee and customer information. Given the nature of work today, these documents are stored on laptops, mobile devices, in cloud services, and all over your organization. In fact 70 percent of organizations do not know the location of confidential information, according to a study by the Ponemon Institute entitled “Risky Business: How Company Insiders Put High Value Information at Risk”.
A recent survey by OneLogin found that 47 percent of organizations admit that one in every 10 data breaches were tied directly to former employees. We don’t want to stop employees from working where they want and when they want, but it’s important to control access to the documents they use, regardless of location.
The best way to control access to documents is to encrypt them and apply permission controls that limit what an authorized user can do with the document. This applies to documents created at the desktop, reports run from databases and documents downloaded from information systems and document repositories. The controls are persistent and even apply to all derivatives of the documents, so no matter how many copies are out there, they are controlled and managed.
When an employee leaves the organization, you only need to remove their access in one place and all sensitive documents are inaccessible. That person now becomes an unauthorized user. It doesn’t matter if the document is in a cloud service, on their home PC, in email or on a thumb drive. You don’t have to go looking for them, because once you de-provision the employee, their access is gone for all documents. If they try to open them, they see a bunch of random characters.
While controlling system access is important, controlling access to the documents that contain your sensitive data is more important. Applying controls on the documents themselves ensures you can turn off that access with a click of a mouse the moment an employee becomes a former employee.