Cybercrime is usually considered an external threat, one that leaves your business vulnerable to strangers. However, sometimes the culprit is closer to home: for some businesses, the perpetrator turns out to be a former employee. How can you prevent your business from falling prey to a disgruntled former employee?
When the Threat is Coming from the Inside
In recent years, the news has reported many times on massive cybercrime threats—such as ransomware attacks and other kinds of malware—perpetrated by people unknown to the target companies. But surveys show that around one-quarter of small and medium businesses are also worried about being attacked by former workers. And around 20% of organisations say they’ve been targeted by former employees.
For small and medium businesses this is a particular concern, because it’s these smaller organisations that lack dedicated security resources and are thus more vulnerable to cyberattacks. The potential consequences are dire. In the US, for instance, 6 in 10 of them are out of business within six months of suffering a successful cyberattack.
It’s important for all organisations, of any size, to be aware of the potential risks, and to act accordingly. This means putting in place protective and preventative measures in the workplace, and also taking steps to make sure that employees aren’t able to retaliate when they are dismissed.
In the Workplace
Part of handling future problems is about setting up systems, policies, and practices that make it harder for them to occur at all. You may not be able to completely eliminate the threat, but there’s a lot that can be done to reduce it.
- Choose employees carefully. Hiring the right people doesn’t only mean looking at their credentials, or the sales they made. You can train employees to learn new skills or acquire new knowledge, but you can’t change a person’s character—so make personal integrity a high priority.
- Foster a positive company culture. Employees who feel valued and appreciated are far less likely to pose a threat to the company, even if you have to let them go. Make your company one where everyone is valued, and make sure that workplace problems are handled quickly and fairly.
- Restrict access. Make sure that access to sensitive information is restricted. This includes sensitive company data as well as personal information of clients and customers. Any sensitive or private data should be password-protected and should never be freely available to employees.
- Make your policies clear. All employees should be aware that you take data protection seriously. Make data protection compliance part of employment contracts. Create an “acceptable use” policy to define what employees can and can’t do with company data and devices, and customer information. If you choose to monitor activity on company devices, make that clear, too.
- Make it official. When implementing new policies, hold training sessions for all employees, so that everyone is aware of your policies and expectations. Once training is completed, employees should sign a statement that acknowledges their understanding.
Handling Former Workers
When you have to let someone go—especially if it’s due to a problem with that person’s work or personal issues—it’s important to take steps to ensure they’re unable to pose any kind of threat.
Some vital steps to take include:
- Inform the employee. When an employee leaves the company, they should be clearly informed of the legal consequences of accessing company systems or data, or of using company devices. They should also be reminded of the organisation’s “acceptable use” policies.
- Immediately remove their access to all work accounts, software products, and systems. This seems obvious, but it’s surprising how many small businesses either forget or don’t know this needs to be done. In large organisations, communication issues may mean the IT department doesn’t receive notice of an employee’s termination immediately.
- Check the employee’s devices. These days, many organisations have an own-devices policy that allows employees to use their personal laptop or mobile device for work. Where this is the case, those devices may need to be checked for confidential or sensitive information.
- Change passwords. In some cases, it may be necessary to change system passwords. For instance, when an IT employee leaves or is fired, it’s prudent to change server and network passwords.
- Notify third parties. Any third-party services the company uses should be informed immediately when an employee leaves the company.
Protect Your Data
Finally, it’s important to make sure you have an IT setup that works for your organisation. Larger companies may have their own dedicated IT department; for small and medium businesses, however, this often means contracting those services out to a third party. With GDPR in effect it’s more important than ever to make sure company and customer data is safe and secure.