Data Protection: What do you do when your employee goes rogue?
Every organisation has one: the employee renegade who thinks they can work outside the lines. Unfortunately, if left unchecked, rogue employees can leave plenty of financial messes in their wake. They can also leave your sensitive business data at risk of leaks or abuse.
In this article we want to take you through the data protection principles we believe will help you stop rogue employees from mishandling your business.
The reality of your data protection and rogue employees
According to the British Business Bank, the true cost of employing a new employee at £27,600 per annum is likely to hit £62,890 in their first year. This covers the recruitment process, salary, pension, national insurance, training, holidays, etc. As you can imagine, this is why employers want to do all they can to employ well and to retain their staff.
How do you spot someone who is going rogue?
The chances are your potential candidate will have made some pretty significant changes in their behaviour recently. They might be showing signs of withdrawal, or they might be oversharing harmful opinions. As to their work, it may show signs of carelessness or deliberate disobedience.
If so, then it is time to act.
What does a rogue employee mean for your business data?
Not every employee will want to destroy the business they no longer want to work for, but it can happen. Your business data is one of the biggest assets you’ll need to make sure is protected at every step.
An Osterman Research white paper published in August 2014 found that, from 379 online surveys:
68% of data workers continue to store work-related information in personally managed file-sharing software. This could be online tools like Dropbox, Google Drive, Microsoft’s OneDrive, or an independent corporate server.
89% of employees continued to have access to at least one application from their former employer whilst working for someone else.
Alarmingly 6% of these employees shared business data with a third party.
Osterman also found that a large proportion of intellectual property, customer information, sensitive employee information and other content was not managed appropriately by the businesses concerned.
Whether knowingly or not, there is a potential that your sensitive data is being exposed to cybercrime when an employee leaves your business.
What’s the worst that can happen when an employee goes rogue? A data breach at the Calgary Municipality in 2016 triggered a class action lawsuit for CAD$ 92.9 million, after a city staff member sent an email to a colleague in the Alberta municipality, sharing the personal data of 3,716 employees. Cited as human error, the matter was not considered to be a malicious act.
But it could have been!
In 2015, the UK supermarket chain Morrisons fell foul of a malicious leak by employee Andrew Skelton, carried out after he had received a verbal warning at work, which exposed the payroll data of 100,000 staff. 9,000 employees were awarded compensation as a result of a class action lawsuit against the chain, at a cost of £2 million. While Morrisons was lucky that the Supreme Court ruled in 2020 that they were not “vicariously liable”, the case did expose the issue that employees had access to too much sensitive data. Andrew Skelton received eight years in prison.
It is clear that, regardless of malicious intent, we need to secure our confidential information by being more proactive with our data protection policy. This includes both in-house and external data privileges, being clear about data roles, and closing access when contracts or connections end.
What to include in your data protection strategy
A data protection breach is something we don’t want to imagine as business owners, but being prepared is half of your battle against them.
You need to understand data protection laws
The General Data Protection Regulation (GDPR), or Data Protection Act (UK), was implemented in the UK and across Europe in 2018. Here’s a full guide to what that law covers and how it applies to your handling of business data with regard to clients, suppliers and staff.
Understanding this law will help you shape your internal policy.
Make a note of your compliance obligations
Every industry requires data handling with its own set of specifics. How you are expected to protect your sensitive business data in retail will differ from what is expected of a law firm. Research your obligations with your governing body and document how you currently act to comply.
Undertake a data protection impact assessment
At a glance you may feel you know where your potential data breaches might hit, and you may already have gone to the trouble of protecting yourself against them. But have you gone deep enough?
Do you understand how and where you are capturing data? Or where you are sharing data?
The ICO has published a full guide and checklist on data protection impact assessments. This is a great place to start when considering a policy update or an entirely new policy.
Enlist a data protection officer
Someone in your business should be the central point of responsibility when it comes to working with data throughout the business. This is the best way to oversee what can feel like a minefield of red tape.
Document your data protection policy
Your data protection policy is paramount and should include the following:
1. Create an onboarding and exit protocol
Document your onboarding and exit protocols with the staff user life cycle in mind. This means providing data access and GDPR training only where necessary to fulfil a job function, and revoking that access at the right moment once an employee has resigned or been terminated.
You should also include protocols for external third parties and clients.
2. Establish who has ownership of data and devices
To make clear who owns what and who is responsible for which devices, you will need to audit both personally owned and business-owned devices.
For all devices you will need to establish an inventory of:
Corporate Owned, Fully Managed (COF, also known as COBO) - these are for the sole purpose of business activities. They are often restricted in internet use and download capabilities, and all applications should be approved before installation.
Corporate Owned, Personally Enabled (COPE) - this is a hybrid-use device, meaning that whilst under business control the employee is allowed to personalise some configurations and have approved personal applications installed.
Corporate Owned Dedicated Device (CODD) - whilst business owned, this device is open to full personal use by the employee.
Bring Your Own Device (BYOD) - this is a device purchased and owned by the employee, which may then have business-approved apps and access to business systems and data. Here is some government guidance on BYOD schemes.
Whichever path you choose, there will be pros and cons to consider. For example, a BYOD scheme in an African financial services organisation showed an improvement in employee satisfaction, customer service and employee productivity, which gave the business a competitive advantage. The downside to this scheme was concern over data security, as well as access inequality.
The UK government has always employed a COF scheme, and this has allowed it to control millions of data points across its infrastructure, from HMRC to House of Commons documentation. During Covid over half of its employees were working from home on COF devices, processing millions of extra claims and inquiries. With the pandemic came an increase in cyberattacks (up 35% according to Deloitte), and government employees were only able to complete their secure work through the government’s investment in device and service management.
3. Decide between cloud and business server solutions for business data
Security is paramount when it comes to storing your sensitive business data, so make sure that you consider which server solution works best for your industry and GDPR compliance.
4. Decide on access rights
The best approach to access rights is to give access only to the specific data an employee needs to do their role. This is known as “least privilege”. For example, Ray works in customer services, so he does not need access to accounts or HR; he only needs access to the files that support his customer service role.
5. Manage employee access with a single sign-on portal (SSO)
Microsoft 365 Business Premium offers SSO, and with a single sign-on portal we can disable access to multiple systems at once.
This system will also create one login profile for each staff member, reducing the need for employees to remember multiple passwords (which may mean writing them down or storing them on their devices).
6. Provide a password manager for staff use
Storing passwords safely is critical, especially with the growing use of cloud software services (SaaS). Help keep your staff safe whilst using the internet and your business data by providing a password manager where an SSO is not possible or applicable.
7. Implement the right anti-virus solutions
More and more cloud services are offering wider security measures, but you shouldn’t leave all the work to them. Make sure you invest in the right anti-virus protection for your business, covering all your devices, both in-house and remote.
8. Create a data breach protocol
Document what happens and who is responsible for post-breach actions. Doing this means you can respond to a data protection breach faster and more diligently.
Dealing with a rogue employee specifically
If you are at a point where you feel the need to protect the business and deal with a rogue employee, then you need to give yourself space: space to stop, think and take action, which may mean terminating them.
If you think there is a genuine risk to your business, get those brakes on as soon as possible before the car crashes.
By locking both accounts and mobile devices, or even remotely wiping business data off mobile devices and asking for their safe return, you can help protect against data loss and exposure.
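The account lock-out described here, and the "disable access to multiple systems at once" from step 5 and the access revocation from step 1 above, as an added example that is not from the article: a Microsoft 365 offboarding script using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the administrator has consented to the permissions listed; the leaver's user name and the log path are constructed sample values.

```powershell
# Added example, not the article's own code: close a leaver's access in Microsoft 365
# in one pass so every SSO-connected app loses access at the same moment.
# Assumes Microsoft.Graph is installed and the admin has User.ReadWrite.All,
# GroupMember.ReadWrite.All and Directory.ReadWrite.All consent.
param(
    [Parameter(Mandatory)] [string] $LeaverUpn,   # constructed sample: 'ray.example@contoso.example'
    [string] $LogPath = ".\offboarding-$(Get-Date -Format yyyyMMdd-HHmm).log"
)

function Write-Log([string] $Message) {
    # Keep an audit trail of every offboarding action for the breach protocol (step 8).
    Add-Content -Path $LogPath -Value "$(Get-Date -Format o) $Message"
}

Connect-MgGraph -Scopes 'User.ReadWrite.All','GroupMember.ReadWrite.All','Directory.ReadWrite.All' -NoWelcome

$user = Get-MgUser -UserId $LeaverUpn -Property Id,DisplayName,AccountEnabled -ErrorAction Stop

# 1. Block new sign-ins first: this is the single switch that closes the SSO portal
#    and every application federated through it.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Write-Log "Disabled sign-in for $($user.DisplayName) ($LeaverUpn)"

# 2. Invalidate refresh tokens already issued, so sessions that are still open on
#    laptops and phones stop working when their short-lived access tokens expire.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Log "Revoked existing sign-in sessions"

# 3. Strip group memberships. Least-privilege access (step 4) is granted through
#    groups, so removing them closes SharePoint sites, Teams and app assignments.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    $name = $g.AdditionalProperties['displayName']
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        Write-Log "Removed from group '$name'"
    } catch {
        # Dynamic and on-premises-synced groups cannot be edited here; flag for manual follow-up.
        Write-Log "MANUAL FOLLOW-UP: could not remove from '$name': $($_.Exception.Message)"
    }
}

Write-Host "Offboarding actions logged to $LogPath."
Write-Host "Still to do: reassign mailbox and OneDrive ownership, and retire or wipe managed devices."
```

Run this as the first action of the exit protocol; device wipe and mailbox hand-over are left as manual steps because they depend on your device-management set-up.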
Final thoughts: Rogue employees and data protection
A rogue employee is a rare thing, but they can leave you feeling like every brick of the business you built has been ripped away from you. That’s why taking preventative steps before the rogue warning signs go off is vital.
Take some time to invest in creating a strong data protection policy and you will see potential exposure points close up overnight.
Need help finding the right balance between your data protection compliance and employee activities? We are Westway IT, an IT Support and IT Services provider in Gloucestershire. We work with several micro and small businesses helping them to navigate their way through the minefield that is data protection and data compliance. We would love to help you too. Contact us for a consultation today!
John Fisher
Meet John Fisher, founder of Westway IT, passionate about helping businesses thrive with technology. With a BSc in Computer Science, he values integrity, education, and quality relationships. Active in The Tech Tribe and CompTIA, John simplifies IT and creates scalable strategies. Connect with him on LinkedIn.