Protecting Corporate Data When an Employee Leaves: Survey and Best Practices
Our Speakers Today
Michael Osterman
Principal Analyst
Osterman Research, Inc.
@mosterman
Drew Nielsen
Director of Enterprise Security, CISSP, CISA, ISSAP, ISSMP, CCSK
Druva, Inc.
@virtualkjell
About Osterman Research
• Focused on the messaging, Web and collaboration industries
• Practice areas include archiving, security, encryption, content management, etc.
• Strong emphasis on primary research conducted with decision makers and influencers
• Founded in 2001
• Based near Seattle
©2017 Osterman Research, Inc.
Why We’re Here Today
• Your company has sensitive, confidential and valuable data
• Employees have access to that data (and IT often does not)
• Employees leave your company
• Your sensitive, confidential and valuable data leaves with them
Employee Turnover is a Fact of Life
• The typical company can expect 24% turnover of its employees each year
• In 2016, the average employee tenure was 4.2 years
• In 2014, it was 4.6 years
• Turnover among Millennials is much higher than for older workers
• Good economies result in high levels of employee turnover
• Involuntary terminations are also common
• Individual terminations
• Mass layoffs
• Company closures
Protecting Data is a Major Problem
Companies face a wide range of problems in retaining corporate data when employees leave…and even knowing if they have done so
Percentage of Respondents Indicating a Significant or Major Problem
When Employees Leave, What is Retained?
Most companies retain employees’ files and emails when they leave
But they retain little else!
Why Do Employees Take Data?
• They do so unintentionally
• BYO devices/applications/mobile apps/storage make it easy for employees to depart with corporate data and not realize it
• They don’t think it’s wrong
• Many employees believe that “their” clients, prospects, intellectual property and social media contacts belong to them, not their employer
• They do so maliciously
• Some are angry with management or feel they were wrongly terminated
What are the Consequences?
• The biggest problem is loss of intellectual property
• Trade secrets, customer lists, marketing plans, financials, reputational damage, etc.
• Some examples:
• On the day before and the day of his resignation, an employee of Leica Geosystems downloaded 190,000 files, deleted 54,000, and downloaded another 190,000
• An ex-employee of Ferguson Enterprises allegedly kept customer information and used it to set up a competing company
• A soon-to-be-terminated employee of BlueScope downloaded the company’s trade secrets before her departure
• An employee installed Google Chrome Remote Desktop without IT’s approval and used it to access the corporate network at least 16 times in order to exfiltrate sensitive data
• An employee at Expedia’s Hotwire division kept a company laptop and used it to hack into company executives’ email accounts and devices
Other Consequences
• Lawsuits and other litigation
• Loss of regulated data and data that could be subject to legal hold requirements
• Loss of corporate reputation
• Loss of competitive advantage
• Data breaches
Signs to Look For
• Employees copying or downloading significant amounts of information to the cloud, USB drives, personal drives, personal email accounts, personal file sync-and-share accounts, cloud storage, etc.
• Employees deleting a significant number of documents or emails
• Odd timing of employee access to email, data repositories or facilities
• Employees communicating with competitors
• Anomalous levels of email activity
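The bulk-download, bulk-deletion and odd-timing signs above can be checked against file-audit logs by comparing each user's daily activity with that user's own history. This is an added example, not part of the original presentation; the event format, the thresholds (`factor`, `min_count`, `work_hours`) and the sample users are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def sample_events():
    """Constructed audit events (ISO timestamp, user, action); not real data."""
    ev = []
    for day in range(1, 8):  # a quiet baseline week for both users
        for user in ("alice", "bob"):
            ev += [(f"2017-03-{day:02d}T10:{i:02d}:00", user, "download") for i in range(20)]
            ev.append((f"2017-03-{day:02d}T11:00:00", user, "delete"))
    # Constructed burst: bob downloads 400 files at 02:00, then deletes 150 at 03:00.
    ev += [(f"2017-03-08T02:{i % 60:02d}:{i // 60:02d}", "bob", "download") for i in range(400)]
    ev += [(f"2017-03-08T03:{i % 60:02d}:{i // 60:02d}", "bob", "delete") for i in range(150)]
    # alice has an ordinary day on the same date.
    ev += [(f"2017-03-08T10:{i:02d}:00", "alice", "download") for i in range(22)]
    return ev

def flag_anomalies(events, factor=5, min_count=50, work_hours=(7, 19)):
    """Return {(user, date): [reasons]} for days that deviate from the user's baseline."""
    counts = defaultdict(lambda: defaultdict(int))  # (user, action) -> date -> count
    off_hours = defaultdict(int)                    # (user, date) -> events outside work hours
    for ts, user, action in events:
        t = datetime.fromisoformat(ts)
        counts[(user, action)][t.date()] += 1
        if not work_hours[0] <= t.hour < work_hours[1]:
            off_hours[(user, t.date())] += 1
    findings = defaultdict(list)
    for (user, action), per_day in counts.items():
        for day, n in per_day.items():
            # Baseline is the median of the same user's earlier daily counts.
            earlier = [c for d, c in per_day.items() if d < day]
            baseline = median(earlier) if earlier else 0
            # min_count suppresses alerts on low-volume users and first-seen days.
            if n >= min_count and n > factor * baseline:
                findings[(user, day)].append(f"bulk {action}: {n} vs baseline {baseline}")
    for key, n in off_hours.items():
        if n >= min_count:
            findings[key].append(f"off-hours activity: {n} events")
    return dict(findings)

if __name__ == "__main__":
    for (user, day), reasons in flag_anomalies(sample_events()).items():
        print(user, day, "; ".join(reasons))
```
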
Are Good Processes and Systems in Place?
Many companies have not implemented the appropriate processes and procedures to manage employee departures
So, What Can You Do About It?
• Make sure your sensitive corporate data is under the control of IT, not just employees
• Content archiving is a key technology that will put the company in control
• Consider limiting employee access to data
• Does every employee need access to every piece of corporate data?
• Encrypt sensitive and confidential data
• In-transit, at-rest and in-use
• Use the right authentication for sensitive and confidential data
• Risk-based authentication should be considered
What Else Can You Do?
• Manage mobile devices and laptops properly
• Can all of your devices be wiped after employees leave? Even personally-owned devices?
• Your data needs to be backed up
• Backup and archiving are both essential best practices
• Make sure employment contracts contain confidentiality provisions
• Develop, implement and update proper-use policies for EVERYTHING
• Monitor and audit employee behavior
Even More Things You Can Do
• Conduct initial and ongoing employee training
• Don’t allow employees to be their own administrators
• This allows employees to decide where sensitive corporate data will be stored
• Establish the ownership of social media contacts
• Make sure that “ownership” of Twitter and other social media followers is well understood
• All managers must understand their employment contracts fully
• Data that is created during employment, acceptable use policies, etc.
Technologies to Consider
• Information governance
• Centralized logging and reporting
• File analytics technology
• DLP
• Encryption
• Mobile device management
• Content archiving
• Virtual desktops
• Windows to Go
• Employee activity and content monitoring
• Solutions to prevent the offloading of data
• BYO replacements
“We now efficiently manage the full lifecycle of data across time, device and geography. Druva makes this possible.”
Shah Nawaz, Director of IT, Shire
• Enterprise Customers: 4,000+
• Data Under Management: 25PB+
• Amazon Storage Partner: Top 5
• In Cloud Data Protection: Gartner #1
[Figure: data by location (Cloud, Endpoints, Remote Sites, Data Centers), 2000 to 2025; 40 Exabyte]
Increasing Data & Business Risks
Insider Threat & IP Theft
Corruption & Loss
Legal Exposure & Sanctions
Compliance Infractions
Ransomware & Malware
Improve Business Agility, Reduce Risk & Cost
Single Pane of Glass
Improve Data Visibility
Reduced Infrastructure Dependency
Lower Overall TCO
Summary
• Employee turnover is common
• So is the departure of corporate data when employees leave
• Most companies are not adequately prepared to deal with two key issues
• The employee departure process
• The aftermath of data loss, data breaches and the other consequences that can result from not protecting data
• There are steps that can be taken and technologies that can be implemented that will almost entirely solve the problem
For More Information
Osterman Research, Inc.
+1 206 683 5683
+1 206 905 1010
www.ostermanresearch.com
ostermanresearch.blog
@mosterman
Druva, Inc.
+1 650 241 3501
+1 800 375 0160
www.druva.com
www.druva.com/blog
@druvainc