Can You Trust Your Ex-Employees with Company Data?


Do You Trust Your Ex employees

It's one thing to ask whether companies truly trust their employees with company information, but I think most would agree that trusting their ex-employees is definitely not desirable.

I was thinking about this while closing down the logins of a recent leaver on our various SaaS accounts. The internal systems were relatively straightforward - it's all controlled via a directory service so one inactivation command disabled all logins to our tools.

But, like many companies out there we've signed up to various 'must have' SaaS applications running on the public cloud. I'm talking about sales tracking tools, sites for desktop screen-sharing, and of course social media sites. The social networking sites are arguably the worst because they accept credentials from consumer-facing sites (e.g. Twitter, Google, Facebook, Hotmail) and therefore blur the distinction between your personal sites and company/enterprise usage. If you sign up to a work-related account using your personal email address, it can bring problems for you as an employee. With things like Microsoft accounts, where you can associate multiple email addresses with a single account, an employee who has joined a work email address with a personal address runs the risk of their former employer locking them out of their personal account by using their former email address to gain access.

Add to this the security problems caused when an ex-employee's devices are hacked or stolen - along with the linked work accounts. An employee might alert the company to the problem, but would an ex-employee do the same?

Choosing the best business management software for your company

Going back to my task-in-hand, there was no fear in this case of a 'bad leaver'. It was just a chore trying to remember all the places we'd shared or granted access to accounts. We were so quick to sign up when we found a good application, but we kept no records because ever shutting down these accounts seemed a remote possibility.

It would seem from some survey stats out recently that many companies don't even bother to try closing accounts. One survey found that 89% of ex-employees could still access very confidential information using their 'old' logins. This data is on sites such as Salesforce, Facebook, Google Apps, etc. It also found that 45% of these ex-employees did login at least once. That's close to another stat I've seen where 51% of companies found that ex-employees tried to access company data.

Book a free demo of the Cognidox Document Management System

IT departments would argue that part of the problem here is that nobody (apart from the users of course) knows these applications are in use. Staff create workspaces on the file sharing sites because it serves a pragmatic need during one busy period or another. The same solution is then re-used to store files that might be needed when access to the company network isn't possible or convenient. That's why a huge 68% admit to storing work information in their personal file-sharing cloud.

Another real possibility is that passwords for these applications are shared. There are various reasons for this, but chief among them is avoiding cost and maximizing simplicity. So, say five people have access and one leaves the company. The other four still need to carry on using the tool. Do they remember to change the password? Probably not.

It's in the interests of SaaS vendors to make the sign-up process as easy as possible. But while I was struggling with the chore of closing down those accounts, my allegiance was definitely with those who warn us about the lack of security that this can bring.

Like many things, a little planning and record-keeping will help in the long run. Here are some suggestions to bear in mind:

  • Keep a list of services you're using - help IT by sharing the list with them
  • When signing up for a site, spend some time finding out how to manage accounts for the day you need to disable/remove an account. Keep a record of the process somewhere central
  • As part of your social media policy explain to employees that mixing personal email addresses with work accounts is not a good idea
  • As part of the employee exit process include a task that encourages them to remove their former work email from any personal accounts

Tags: Compliance, New Product Development

Paul Walsh

Written by Paul Walsh

Paul Walsh was one of the founders of Cognidox. After a period as an academic working in user experience (UX) research, Paul started a 25-year career in software development. He's worked for multinational telecom companies (Nortel), two $1B Cambridge companies (Ionica, Virata), and co-founded a couple of startup companies. His experience includes network management software, embedded software on silicon, enterprise software, and cloud computing.

Related Posts

Navigating UKCA Marking for Medical Devices: What You Need to Know

Post-Brexit, there is still confusion about the future use of the UKCA (UK Conformity Assessed) ...

5 Steps to a Robust Corrective Action Process

It’s the job of your corrective action process to identify and eliminate the systemic issues that ...

5 Challenges in Building a Pharmacovigilance System Master File

Managing the integrity and accessibility of a PSMF (Pharmacovigilance System Master File) is a key ...

8 Tips for Effective SOP Documentation

There are many reasons why organisations need to document their SOPs. From ensuring uniformity in ...

The Pros and Cons of Phase Gate Processes in New Product Development

Will a phase gate process hold back or enhance your new product development? What are the pros and ...

The Evolution of Quality Management Systems: A Path to Business Growth

A focus on a quality management system shouldn’t just mean a ‘box ticking’ exercise for an ...