What happens when an employee leaves your company? If you’re like many small and medium-sized businesses, you’ll collect their laptops and IDs and then quickly work towards filling the newly vacant position. But if you’re not thinking about the IT access they’re bringing with them, then your company is at risk.
We sat down with Michael Osterman of Osterman Research to shed some light on this issue. Below are a few highlights from our conversation:
How big of an issue is this for organizations?
It’s a fairly serious one. And it’s fairly under the radar. You don’t see a lot about this in the trade press. It’s the kind of thing that people understand intellectually, but they really haven’t done much about, because this hasn’t been a priority for them.
I think this report is going to help to shake some things up and hopefully, make people more aware of the kinds of issues they face by not managing these applications well enough. This really is one of the real implications of BYOD that a lot of organizations just have not considered yet.
What are the ramifications of ‘rogue access’, particularly for SMBs?
First and foremost, if you have sensitive or confidential data stored in Dropbox or Google Drive or any of the other personal employee accounts, you potentially run afoul of data breach notification laws. This data is now accessible by someone in another company. That means, in many cases, you have violated the data breach notification requirement that requires you to protect that consumer financial data or protected health information from unauthorized parties. And certainly, an ex-employee would be an unauthorized party.
Another implication is gaining access to that data. If you ever have to go through e-discovery or some sort of regulatory audit, or if you just want to bring it all back in house, it’s much more difficult to do because now you’ve got all this access in a variety of repositories that other people in other companies also have access to.
And it means that you potentially could have spoliation of data: that an employee could then delete your information in their account. It might be information you need for a lawsuit or just want to have in-house, and now you don’t have it anymore simply because an employee has intentionally or inadvertently deleted it.
Why aren’t SMBs doing more to address this issue?
It’s not a really visible issue. For example, people will employ Dropbox or other applications, because they want to work at home or have files available to them while they are traveling and so forth. And in SMBs that don’t really have an IT department or a full-time IT person, someone might implement this IT technology for the good of the company and the good of their own job.
Organizations really don’t have policies around this. They don’t have best practices. They allow these things to grow organically. And they’re all done, in the vast majority of cases, for good purposes. But the problem is they turn into this ugly, unwieldy monster after a time that nobody really has control over.