Security: What To Do When An Employee Leaves
©2003
Termination of an employee can be the most difficult time a supervisor, manager, or business owner can go through. But even a worker who resigns may have unresolved issues with the firm.
Most managers know to get back any keys from a staffer who's leaving the company, or to change the locks if the separation is not amicable. A significant percentage of security breaches in corporate America, including data theft and damage, is caused by disgruntled or former employees. Because customer files in today's business world are electronic, theft or damage may go undetected for a long period of time. Network security is not as easily handled as the front door.
I am never surprised when I walk through an office and notice a myriad of user login addresses, names and passwords on sticky notes splattered all over computer monitors, desk drawers or cabinet doors. I learned long ago that in everyday office life, security is usually not enforced or even contemplated. Yet the simplest way by far to prevent former employees from causing havoc (or worse) on a LAN (local area network) is to enforce security rules while the workers are still employed.
User names and passwords are the first and last barrier between an individual and your network. Let me repeat: user names and passwords are the first and last barrier. A firewall, a very popular mechanism for preventing uninvited access to local networks, can usually be circumvented with authorized user info.
Hackers, which I define as any individuals who try to access a computer or network without appropriate permission, can copy, move, delete or corrupt files if they have a valid user name and password. They can leave viruses behind, format or cause damage to hard drives, and steal and pass on sensitive or confidential material. There are many methods professional hackers use to gain this valuable access information, but if the intruder happens to be connected to a former employee at the firm, they probably wouldn't have to search at all.
Speaking of hackers, recent figures show that one third of all spam is relayed through PCs that have been compromised by a "Trojan Horse" program. Malicious users could use such a program to take complete control of an office or personal PC, regardless of firewalls, to read, write and delete files and send email as that PC's user, all invisible to the user. To prevent this from happening, Microsoft suggests that you keep your anti-virus and anti-spyware software updated daily and periodically check for Windows security updates (use http://windowsupdate.microsoft.com).
Your own network is not the only place your data is vulnerable. Many offices use passwords to gain entrance into vendors' sites, such as insurance or airline carrier websites used by their agents. Again, I often find user access information posted openly in many agencies I visit. An unwanted guest could cause a great deal of damage to data on these sites with appropriate login information.
So, what to do:

If an employee quits or is let go, and your office is guilty of public display of user info, immediately change all passwords to your LAN. If necessary, terminate all connections from your network to the outside world, including Internet access, while security measures are taken.
Call all vendors and have them change all user names and passwords as well. This supposes that you actually have a list of vendors and their addresses. I find this is not always the case.
Instead of removing the email address of the departed staffer, have incoming messages automatically forwarded to a manager. You may be surprised to see what communication has been occurring and, if needed, this may arm you with proof of confidentiality breaches. Note: check with your attorney to see what rights you have in your state regarding employee privacy. Many states require prior written notification of your intent to view employees' messages and a statement that company email is not private. I highly recommend that a section on Internet and email use, along with these statements, be included in employee handouts and/or handbooks.
In the same vein, I would suggest you take a few minutes and sit at the ex-employee's workstation, logged in as that user if possible, and look through email and web browser histories and favorites. This may give you a sense of the worker's Internet use and perhaps you can tell if any of your competitors have been contacted. If this is the case, you may need to do more research to find how extensive the confidentiality breach may have become. Usually, though, the worst office rules infractions you'll find are some personal messages and perhaps some porn sites previously visited.
Mentioning in an exit interview (or upon termination notice) that the usual security measures are being taken will signal that the company takes breaches seriously and may prevent future covert action from even being contemplated.
To prevent future security violations by current employees, network security must be enforced. A key employee or office manager should be chosen as a coordinator and given the duty of maintaining user name and password lists for the LAN, internal applications, and all Internet-accessible vendor sites. This information should not be shared by staff with anyone, including co-workers. Office rules should include penalties for workers giving out or visibly posting a password, using a computer under anyone's network login but their own, or accessing forbidden areas of the network.
It is important that the "Security Coordinator" select and maintain all login info for the internal LAN and external vendor applications or websites, rather than the users choosing and keeping their own. For example, in order to change an ex-employee's password on a vendor's site, you may need to know their present one. Also, to simplify future changes, full departments or offices could use a single login name and password for a vendor's application or website, leaving a single set of login info to be changed more easily when necessary.
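The coordinator's lists described above can be turned into an offboarding checklist. The following is an added example, not code from the article or from WorldPOINT; the register format (an `Account` record with a set of holders and a vendor contact) and the sample agency data are assumptions made here. Given the departed worker's login it lists every credential that person knew, LAN first, which shared department logins will need their remaining holders told the new password, and which vendor accounts cannot be changed yet because no contact is on file.

```python
from dataclasses import dataclass
from pprint import pprint


# Hypothetical register format, an assumption of this example: the article says the
# coordinator should keep the lists but does not specify how they are kept.
@dataclass
class Account:
    name: str           # "LAN login (msmith)", "ACME Insurance agent portal", ...
    kind: str           # "lan", "application" or "vendor"
    holders: frozenset  # every person who knows this credential
    contact: str = ""   # where to request a change (vendor accounts only)


def rotation_plan(register, departed):
    """Everything the departed worker could still use, in the order to fix it.

    Returns a dict with:
      rotate     - account names to change: LAN first (the article's "immediately"),
                   then internal applications, then vendor sites
      notify     - {account name: remaining holders} for shared logins, because a
                   department-wide credential change has to reach everyone else
      no_contact - vendor accounts that cannot be changed until someone finds the
                   vendor's address, which the article notes is often missing
    """
    order = {"lan": 0, "application": 1, "vendor": 2}
    affected = sorted(
        (a for a in register if departed in a.holders),
        key=lambda a: (order.get(a.kind, 99), a.name),
    )
    return {
        "rotate": [a.name for a in affected],
        "notify": {a.name: sorted(a.holders - {departed})
                   for a in affected if len(a.holders) > 1},
        "no_contact": [a.name for a in affected
                       if a.kind == "vendor" and not a.contact],
    }


# Constructed sample register for a small insurance agency (not real data).
SAMPLE_REGISTER = [
    Account("LAN login (msmith)", "lan", frozenset({"msmith"})),
    Account("LAN login (jdoe)", "lan", frozenset({"jdoe"})),
    Account("Agency management system", "application", frozenset({"msmith", "jdoe"})),
    Account("ACME Insurance agent portal", "vendor",
            frozenset({"msmith", "jdoe", "rlee"}), contact="agents@acme.example"),
    Account("Airline booking site", "vendor", frozenset({"msmith"})),  # no contact on file
]

if __name__ == "__main__":
    pprint(rotation_plan(SAMPLE_REGISTER, "msmith"))
```

The `notify` list is the cost of the shared-login convenience the article suggests: one departure means every remaining holder of that department login needs the new credential, so the coordinator has to keep the holder list current or the rotation will lock colleagues out.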
To minimize damage by a successful hacker, make sure that backups are done often and taken off-site. It should be the LAN manager's or technician's duty to test-restore from backups periodically to make sure they are usable when needed.
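A test-restore can be scripted so that it is actually done rather than merely assigned. This is an added example, not the article's own procedure or tooling; it assumes a plain tar.gz backup with a per-file SHA-256 manifest kept alongside it, and the sample office folder it builds is constructed here. The script archives a directory, restores the archive into a scratch directory, and reports any file that came back missing or altered.

```python
import hashlib
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir into a .tar.gz and return a manifest {relative path: sha256}.

    The manifest is the reference the test-restore is checked against, so keep it
    with the off-site copy rather than only on the machine being backed up.
    """
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare every file to the manifest.

    Returns a list of problems; an empty list means the backup restored intact.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12+, backported to some 3.8-3.11
                # releases) refuses entries that would write outside scratch.
                tar.extractall(scratch, filter="data")
            except TypeError:
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = os.path.join(scratch, rel)
            if not os.path.isfile(restored):
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"corrupt: {rel}")
    return problems


def demo():
    """Build a constructed sample office folder, back it up, and test-restore it.

    Returns (problems for the real manifest, problems for a manifest that claims a
    file the backup never contained) so the detection path is exercised as well.
    """
    with tempfile.TemporaryDirectory() as office, tempfile.TemporaryDirectory() as offsite:
        os.makedirs(os.path.join(office, "clients"))
        with open(os.path.join(office, "clients", "smith.txt"), "w") as fh:
            fh.write("policy 12345, renews 2004-01-01\n")   # constructed sample content
        with open(os.path.join(office, "vendors.txt"), "w") as fh:
            fh.write("ACME Insurance, agents@acme.example\n")
        archive = os.path.join(offsite, "office-backup.tar.gz")
        manifest = make_backup(office, archive)
        good = verify_restore(archive, manifest)
        claimed = dict(manifest)
        claimed[os.path.join("clients", "never-saved.txt")] = "0" * 64
        bad = verify_restore(archive, claimed)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Running the verification on a copy pulled back from the off-site location, rather than on the archive still sitting on the server, is what actually answers the question the article asks: whether the backup is usable when needed.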
Trial user names and passwords can be generated by hacking programs or guessed by a hacker with partial information. For this reason, I recommend that user names be assigned that are not simply the employee's first name, but rather a combination of characters from the firm and the user's first and last names. For example, Marsha Smith from ACME Insurance could use ACM-MarshSmi as a login name. Her password should be at least six characters long and should be a combination of letters and numbers, without significance, like mjb549k. Typically, single-word passwords or user-generated passwords are the easiest to hack.
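The login-name scheme and password rule above can be made repeatable so the Security Coordinator does not compose them by hand. This added example is not code from the article; the fragment lengths (three letters of the firm, five of the first name, three of the last) are this example's reading of the single ACM-MarshSmi instance the article gives, and the password alphabet is lowercase letters plus digits to match mjb549k. The length is a parameter with the article's six as the default, and `search_space_bits` reports how many possibilities a guessing program has to cover for a given length (about 31 bits for six characters, about 62 for twelve) so the reader can size it.

```python
import math
import secrets
import string
import unicodedata

PASSWORD_ALPHABET = string.ascii_lowercase + string.digits  # letters and numbers, as in mjb549k
MIN_LENGTH = 6                                              # the article's minimum


def _letters(text):
    """Keep only plain ASCII letters so names like O'Brien or Müller still fit the scheme."""
    text = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in text if ch.isascii() and ch.isalpha())


def login_name(firm, first, last, firm_chars=3, first_chars=5, last_chars=3):
    """Build a login in the article's ACM-MarshSmi style.

    Upper-case firm prefix, a hyphen, then first-name and last-name fragments.
    The fragment lengths are an assumption of this example.
    """
    prefix = _letters(firm)[:firm_chars].upper()
    first_part = _letters(first)[:first_chars].capitalize()
    last_part = _letters(last)[:last_chars].capitalize()
    return f"{prefix}-{first_part}{last_part}"


def is_acceptable_password(password):
    """The article's rule: at least six characters mixing letters and digits."""
    return (len(password) >= MIN_LENGTH
            and all(ch.lower() in PASSWORD_ALPHABET for ch in password)
            and any(ch.isalpha() for ch in password)
            and any(ch.isdigit() for ch in password))


def make_password(length=MIN_LENGTH):
    """Random password from the OS CSPRNG (secrets), never from the random module."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:  # reject the rare all-letter or all-digit draw
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if is_acceptable_password(candidate):
            return candidate


def search_space_bits(length, alphabet_size=len(PASSWORD_ALPHABET)):
    """log2 of the number of possible passwords: the work a guessing program faces."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(login_name("ACME Insurance", "Marsha", "Smith"))
    for n in (6, 8, 12):
        print(n, make_password(n), f"{search_space_bits(n):.1f} bits")
```

The search-space figure is the number to watch when choosing a length: it grows by about five bits per added character with this alphabet, and each extra bit doubles the number of trials a guessing program needs.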
With computer security and virus concerns publicly conveyed so often worldwide, most workers expect management to implement safety measures and are not hesitant to adhere to these safeguards. Preventing future mischief or purposeful damage or theft can be, for most offices, as necessary as protecting the combination to the safe at a bank, and can be implemented with a minimum of disruption. In the long run, peace of mind after a disgruntled employee is discharged is well worth the effort.
If you have any questions or comments, please feel free to email me at jack@worldpointinc.com.
Note: WorldPOINT articles are copyrighted and the exclusive property of WorldPOINT Inc. and author Jack Huber. They may be copied or reproduced by non-ASPs and non-competitors only in their entirety with no modifications, including the source and byline, and distributed without charge or financial gain.