MSPs: Don’t Let Customers’ Ex-Employees Cause Data-Security Chaos
Make no mistake about it: An organization’s employees are its biggest data-security liabilities. This can be true even of the most loyal and honest personnel, who may nevertheless fall victim to social engineering attacks, such as phishing, or allow their devices or security credentials to be stolen through simple carelessness.
Employees too often are undertrained and unaware of the responsibility they carry as caretakers of sensitive company and customer data, where even the simple act of leaving a credentialed session unattended can lead to a costly data breach that devastates a company’s reputation. To further complicate matters, there also are plenty of scenarios where employees, or those recently terminated, act purposefully to steal or compromise data. When internal staff with access to sensitive systems have malicious intentions, the risks of a bad outcome are understandably – and significantly – heightened.
Safeguarding data from the harm employees can inflict, no matter their intent, is a critical concern for any organization, and one that provides a clear value-add for MSPs offering clients data security built on the correct tools and capabilities. Protecting an organization from a rogue employee in this way requires a close and highly responsive MSP/client relationship, one in which the MSP has a thorough knowledge of the regulatory compliance requirements as they pertain to data-security practices in a given industry.
But at the same time, providing this service can very clearly differentiate an MSP from competitors that haven’t made the necessary investments in such tools and expertise.
A true story experienced by an MSP in our industry perfectly conveys what clients can face when they lack proper support. This MSP’s client was a reseller of medical appliances, with a team of salespeople working remotely across the United States. The reseller provided these employees with laptops and other company-issued mobile devices that could access its closely-guarded client list — a trade secret of critical value. This client had already suffered a past incident in which an employee stole from that list — and, not coincidentally, went on to found a competing company. Following that theft, the client began tightly controlling and auditing access to the list.
Even under these stricter policies, a new issue occurred when it was time for a certain salesperson’s termination. The company called the salesperson, informed her that they would be parting ways, and directed her to return the company-owned laptop. She said she wouldn’t — and hung up. Regrettably, the client hadn’t informed its MSP prior to the termination. The MSP was contacted as quickly as possible once it became clear that the now-ex-employee might place data at risk. Putting its device security management tools to work, the MSP could see that the former employee was actively transferring the sensitive client list files from the company laptop to a USB drive of her own. Using these tools, the MSP was able to cancel the file transfer and delete the client list files from the laptop.
The former salesperson then took the laptop offline. It was subsequently necessary for the client to contact the police and sweat out the outcome, a circumstance that would not have occurred had the client followed a more careful procedure and allowed the MSP to secure data on the device before the termination call.
A Penny’s Worth of Prevention
As an MSP, you should be doing everything in your power to help clients implement and adhere to effective data-security policies. These policies must include guidelines for employee training and procedures for a termination process that minimizes risk.
To prepare employees for proper data-security practices during and after their employment, training should begin with a breakdown of the organization’s rules for the handling of data and the consequences of rule violations — even for ex-employees. MSPs can provide delivery and management of employee training through tools like Breach Secure Now, KnowBe4 or Wombat, which are designed to instruct, test and make employees confirm and acknowledge that they have received and understood the policy information. (Here are some tips for successful security awareness training.)
In this way, employees become certified in their abilities to safeguard devices with access to company data, recognize and avoid falling victim to the steady stream of social-engineering attacks, and act correctly in similarly critical situations. MSPs providing such solutions enable customers to easily communicate and manage policies around BYOD, access controls and other critical areas. With the rules clear and agreed to by employees, there’s no room for misinterpretation or lack of clarity about the consequences of rule violations.
This makes the deterrent effect all the more potent.
MSPs can also provide the tools necessary to protect a client from even the most scorned of ex-employees by removing their access to data before it can become compromised. For example, we use Beachhead’s SimplySecure because it encrypts client data on the devices employees use, including where BYOD is allowed. You can lock down desktops, laptops, tablets and phones, and the company offers remote-access management. When a client informs us of an employee’s termination (and they had better!), it’s simple to delete all company data residing on all their devices and fully remove their ability to access data — this can even be timed to happen immediately prior to the termination conversation, so that data is already safe before any incident might happen.
Active Directory is another such tool that enables MSPs to manage rights-based data access privileges on behalf of clients. With the right tools in place and a client that offers fair warning, future employees who try to do as the salesperson in the anecdote did would discover that even the data they moved to their own USB drive would be encrypted and utterly useless to them without proper authentication — and thus fully protected.
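The Active Directory side of the "revoke access before the termination call" step, as an added example (not code from the article, Beachhead or SMB Networks). It assumes the RSAT ActiveDirectory module, an operator account permitted to modify the user, and placeholder values for the user name, the quarantine OU and the log path; the device-side wipe and encryption the article attributes to SimplySecure are not covered here.

```powershell
# Added example: scripted pre-termination offboarding in Active Directory.
# Run by the MSP immediately before the client's termination conversation.
# $SamAccountName, $DisabledOU and $LogPath are assumed placeholders.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $DisabledOU = "OU=Disabled Users,DC=example,DC=local",
    [string] $LogPath = "C:\MSP\Offboarding\$SamAccountName-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
$log = @("Offboarding $($user.DistinguishedName) at $(Get-Date -Format s)")

# 1. Disable sign-in first so no new domain logons succeed from any device.
Disable-ADAccount -Identity $user
$log += "Disabled account"

# 2. Rotate the password so credentials cached on a laptop that is not returned
#    stop working for anything that re-authenticates against the domain.
$newPassword = ConvertTo-SecureString -AsPlainText -Force `
    -String ([Guid]::NewGuid().ToString() + "!Aa1")
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
$log += "Reset password to a random value"

# 3. Record, then strip, every group membership. This is what revokes
#    rights-based access to shares such as the client list, and the log
#    gives the client an audit trail of exactly what was removed.
#    (The primary group, normally Domain Users, is not listed in MemberOf.)
foreach ($groupDn in $user.MemberOf) {
    $group = Get-ADGroup -Identity $groupDn
    Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
    $log += "Removed from group $($group.Name)"
}

# 4. Move the account to a quarantine OU (where a restrictive GPO applies)
#    and stamp the reason so the change is visible to later auditors.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
Set-ADUser -Identity $SamAccountName -Description "Offboarded $(Get-Date -Format s) by MSP"
$log += "Moved to $DisabledOU"

$log | Out-File -FilePath $LogPath -Encoding utf8
$log
```

Keep the written log with the client's termination paperwork; if access ever has to be restored, the recorded group list is what you re-apply.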
For MSPs seeking to grow their businesses, embracing the tools and knowledge necessary to protect clients from actions by their current and former employees is a highly effective means of differentiating your offerings in a crowded marketplace while delivering an additional and needed (if too-often forgotten) value to clients.
Peter Verlezza is a managing partner at SMB Networks LLC, which provides IT services to medical practices and businesses.