It’s not just hackers and Wi-Fi pirates who put your data at risk. Disgruntled employees seeking revenge can sabotage your information. Even happy employees can accidentally put you at risk.
In addition to encrypting the data itself, there are numerous precautions you can take to keep your data safe, and these 11 tips will show you how.
#1. Provide company laptops for all employees
Providing quality laptops for your employees is a significant financial investment. It’s also a priceless investment in your security.
Allowing staff to use a personal laptop for business puts your business data in a vulnerable position and exposes it to serious consequences:
- A personal laptop regularly connects to unauthorized and free, unsecured Wi-Fi networks when the employee visits coffee shops, hotels, and friends. Logging into company accounts on unsecured networks makes login credentials and data stored on the hard drive available to anyone running a program to hijack HTTP sessions.
- Downloaded torrent files often have malware that steals company data or wipes out the hard drive.
- When an employee leaves the company, they’ll walk away with your sensitive data, increasing the potential for that data to fall into the wrong hands.
#2. Set public Wi-Fi rules
Your staff should never be allowed to connect to an open public Wi-Fi network on a laptop that contains company data. It sounds harsh, but public networks present significant threats.
Sean Remnant, network security expert from Exclusive Networks, told CNN that the difficulty with public Wi-Fi is “differentiating between a good Internet access hotspot and a rogue, or somebody trying to actually glean credentials from you. The issue is that you don’t necessarily know the difference between a good and a bad one.”
Requiring staff to use and keep company laptops in the office not only eliminates security issues, but prevents them from burning out by taking their work home with them. Remote employees who don’t come to the office are covered in the next tip.
#3. Provide Wi-Fi hotspots for remote employees
Your remote employees are your biggest liability when it comes to stolen data. Just like providing staff with a company laptop, remote employees should be provided with a company hotspot so they don’t need to use unsecured public Wi-Fi.
The security of a dedicated hotspot is within your control. Before handing them out, secure all private hotspots by giving them a unique, complex name consisting of random letters and numbers. Don’t broadcast the network name (SSID), disable DHCP, and switch off WPS.
#4. Create a system to track and manage passwords
Passwords should be stored in a single document that can be viewed by authorized staff, but updated by only one person. When passwords change, the designated person should be notified to make the change.
You also need a strict system to maintain the integrity of the passwords. For example, when you hire someone, track the accounts they’re given access to. When a staff member leaves, use that information to determine what passwords need to be changed, and what accounts (like email) need to be terminated.
#5. Change all passwords before terminating someone
When you let someone go, change passwords before you hand them their notice of termination so they’re not able to sabotage your business.
In 2012, a 32-year-old man named Dariusz Prugar was fired from his job as a systems administrator for an ISP. A couple of days later, he used his old login credentials to destroy the system he helped build. He was sentenced to two years in jail and received a $26,000 fine.
Justice can be served in the end, but it’s easier to change your passwords than it is to pursue a lawsuit in federal court.
#6. Check admin settings before changing your passwords
Before changing a password, check your admin settings to make sure only authorized emails are listed on the account. If your terminated employee snuck their personal email onto the account, delete it first so they won’t be notified of any changes.
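The bookkeeping in tips #4 to #6, as an added example that is not part of the original article: from an access ledger it lists, for a departing employee, the notification addresses to remove first, the shared passwords to change, and the individual accounts to close. The ledger layout, the account names and the `example.com` company domain are constructed assumptions.

```python
from dataclasses import dataclass, field

COMPANY_DOMAIN = "example.com"  # assumption: the only authorized mail domain


@dataclass
class Account:
    name: str
    shared: bool            # True: one password known to several staff
    holders: set            # staff recorded as having access (tip #4)
    notify_emails: set = field(default_factory=set)  # addresses listed on the account


# Constructed sample ledger, not real data.
LEDGER = [
    Account("hosting-panel", True, {"alice", "bob"},
            {"ops@example.com", "bob.personal@mail.test"}),
    Account("social-media", True, {"bob", "carol"}, {"marketing@example.com"}),
    Account("ftp-bob", False, {"bob"}, {"bob@example.com"}),
    Account("payroll", True, {"alice"}, {"x@evil-example.com"}),
]


def is_authorized(email, domain=COMPANY_DOMAIN):
    # Compare the full domain after the last "@" so look-alike domains fail.
    return email.lower().rpartition("@")[2] == domain


def offboarding_plan(ledger, employee, domain=COMPANY_DOMAIN):
    """Return the work to do, keyed in the order it must happen."""
    remove_first, rotate, close = [], [], []
    for acct in ledger:
        if employee not in acct.holders:
            continue
        # Tip #6: unauthorized addresses go before any password change,
        # otherwise the change notice reaches the departing employee.
        foreign = sorted(e for e in acct.notify_emails
                         if not is_authorized(e, domain))
        if foreign:
            remove_first.append((acct.name, foreign))
        # Tips #4 and #5: shared passwords are changed, individual accounts closed.
        (rotate if acct.shared else close).append(acct.name)
    return {
        "1_remove_notification_emails": remove_first,
        "2_change_shared_passwords": sorted(rotate),
        "3_close_individual_accounts": sorted(close),
    }


if __name__ == "__main__":
    for step, items in offboarding_plan(LEDGER, "bob").items():
        print(step, items)
```

An account the employee was never recorded against, such as `payroll` here, does not appear in the plan, which is why the ledger has to be kept current from the day of hire.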
#7. Require staff to keep their passwords on file
Transparency with passwords is a safeguard for your company. Sometimes it’s necessary for employees to have individual accounts that can’t be shared – like with Adobe Creative Suite, FTP accounts, and their company email. These should be recorded in your password log.
#8. Use only company emails for all Google Docs invitations
You want to get your new hires started as fast as possible, but be aware that sending invitations to view company documents should never be done with their personal email address. Wait until you’ve established a company email address for them before starting the onboarding process.
#9. Don’t delete email accounts upon termination
When an employee leaves the company, don’t terminate their email account right away. If they were a key player and didn’t have time to transition their duties and communications to someone else, you’ll need to do it. You might also need their emails for legal issues in the future like labor disputes, a breach of contract, copyright violation, or to prove malicious intent if they’ve compromised your data.
#10. Batch forward all emails prior to termination
Prior to terminating an employee, log into their email account and batch forward all of their emails to a separate, secure email you’ve created just for that purpose. If they somehow manage to delete emails after they’ve been let go, you’ll have copies.
If you’re piping company email through Gmail, you can change your webmail settings to store a copy of all email on your company’s server. Your employees will never know, which gives you the advantage if you find out they’ve compromised your data.
#11. Forward emails as fast as possible
Just because you’ve changed their email account password doesn’t mean they can’t still delete emails to hide evidence. Not many people know this, but there’s a security hole in the Gmail app for Android that allows access to a mailbox even after the password has been changed (until the user logs out). Forward their emails before they have any reason to delete them.
Enforce data security rules for all staff
Instead of thinking of data security as a trust issue, think of it as due diligence for protecting your business. When you make it about trust, your emotions might convince you to skip precautions for some people, but not for others. Enforcing your rules across the board means you’re protecting your data.
What kind of data security rules have you implemented in your business, and how did you get your staff to adopt them? Have they been effective? Have any of them failed? Share your experience in the comments below!