A Key Employee Leaves for a Competitor. (K)Now What?

Peter Fortunato, Risk & Business Advisory Manager
August 2018

You were just informed that a key employee, (who we shall call Walter) has accepted an offer of employment elsewhere. You never saw this coming, and the burning question in your mind may be a critical one: Why is Walter leaving?

The circumstances may very well be benign, such as the need to take care of an aging parent, or a desire to move into a new part of the country. But what if Walter was compelled to leave due to perceived mistreatment from your company? According to an article on CBS News, disgruntled employees make up 75% of departing employees.

It may be emotionally difficult to wish Walter well on his new venture, and thank him for his numerous years of service. It can be even more challenging as you follow proper HR protocol, escorting him to collect his belongings, and off the premises. Following company protocol, the IT department has disabled Walter’s access to the local systems. You have arranged the meetings with affected staff to address the departure, and temporary delegation is in place. Things appear to be moving in the right direction.

Then you have a serious and more troubling thought: How do I know if Walter left with more than his personal items? Regardless of the scenario, an exemplary employee giving their notice or an involuntary termination of employment, you have a responsibility to ensure the security and integrity of company assets. While it is prudent to review your systems for unauthorized transfers of data when employees leave, the risk is heightened when a departure may involve ulterior motives.

In our work conducting forensic reviews after an adverse termination, we have found evidence of dissatisfied employees performing unauthorized, imprudent, and fraudulent activities. While preventing malicious activity should always be a priority, so also should understanding the risk of data loss when an employee leaves your company. Timely investigations provide assurance that a departure won’t lead to bigger issues down the road.

These investigations must be performed timely, and by a trusted individual who can keep disclosure of such activity to the limited, authorized individuals. This can be challenging for small organizations with close interpersonal relationships. It may also be a struggle if the internal IT resources have limited experience with forensic searches, or lack an ability to be truly objective when investigating and reporting on the departed employee’s activities.

While an investigation should cover internally-assigned machines and mobile devices, it is equally important to ensure online services are audited as well. Corporate websites, presence on social media accounts such as Facebook, LinkedIn, or Twitter, and activities conducted through online subscription-based services such as Office 365 fall into this realm. It is important to review logs for any cloud storage access, email activity, file transfers, unauthorized USB devices connections, or inappropriate data access activity. For departures of IT personnel, a timely change of shared passwords is an absolute necessity. As challenging as it can be to implement, it is essential to change all the passwords the former IT employee may have had access to through their work. Additionally, if the IT department makes use of a password database, it is critical to ensure copies of the database containing sensitive credentials have not been extracted or deleted. It may be important to review backup and recovery logs to ensure systems were not restored to removable media.

BNN recommends that companies exercise a standard departure checklist, and include a trust-but-verify approach to provide assurance that employee terminations adhere to company policies. This is particularly true where intellectual property and confidential information are concerned.

It is important to ensure that your Information Security Policy clearly states that all data created and stored on company assets are property of the company, and that “personal files” on its systems may be viewed and used during investigation. The second required element is being capable of investigating any system activity. To do so requires the proactive step of enabling audit logging and installation of an email archiving solution. The systems in place should allow for email, firewall, file system, and cloud service activity reviews. Make sure these systems are in place, and operating effectively, before you need them. Losing an employee is tough; losing your data can be a nightmare.

If you have any questions regarding this article, please contact Peter Fortunato at 800.244.7444.

Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.