Archive for November, 2008

Defining an Employee Termination Policy

Tuesday, November 11th, 2008

Does your company have a well-defined set of procedures that is followed for all employees who resign or who have been terminated?

If not, I highly recommend that you write a standard employee termination policy and make sure that your human resources and information technology groups implement it whenever an employee is terminated or leaves your company. This is particularly important if the employee has access to sensitive financial information, customer information, confidential intellectual property or information technology systems, but should be uniformly implemented regardless of the employee’s role.

During the termination process, IT’s focus should be on protecting the data assets of your company from disclosure or inappropriate use, and on making sure that the departing employee does not destroy any information required for business continuity, including sales leads, customer information and trade secrets.

When you create your employee termination policy, it should include a checklist of all the physical, network, computer, and data access privileges that an employee could possibly have. That can be quite a long list, but it’s essential that you document as much of it as possible because it is unlikely that your IT group will have this information centralized and up to date. A certain amount of discovery will be required before or during the termination process, and a checklist will ensure that you’ve examined and revoked the employee’s access to all major systems of concern.

In the case of a terminated employee, IT should immediately revoke all computer, network, application and data access the former employee has. Remote access should also be disabled, and the former employee should return all company-owned property, including notebook computers and intellectual property such as corporate files containing customer, sales, financial or operational information. A careful log should be kept of each of these actions for legal or forensic purposes, including the time and date that they occurred and the name of the IT or HR staff member who performed the action.

To get you started, I’ve provided a checklist of the systems and privileges that your IT and HR groups should review and revoke upon employee termination.

  1. Access to company computers including desktops, laptops and servers.
  2. Access to the company’s physical and wireless networks.
  3. Access to the VPN gateway.
  4. Access to all company email accounts. This may include a personal account as well as one or more group accounts that the individual has access to. If the employee has access to email accounts with shared passwords, the shared password should be changed.
  5. Terminate all email or message forwarding to personal devices such as mobile phones.
  6. Access to all internal server-based systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
  7. Access to all externally hosted applications used by the company including online sales force management, CRM, billing, financial, email marketing, team collaboration and web hosting systems. If these are accessed by multiple people using a shared password, the shared password should be changed.
  8. All remote servers that can be accessed outside of the company network, say over the internet. If these are accessed by multiple people using a shared password, the shared password should be changed.
  9. Access to voicemail.
  10. Access to all company conferencing services.
  11. Access to the company credit card. If there is only one company credit card and its number is widely known, you may be SOL. I’d recommend you change the card number and centralize all purchasing to keep this information more secure.
  12. Remove the employee’s name from the list of approved contacts maintained by all of your external service or software providers.
  13. Access to physical premises, either using a key or remote access card. This may include access to multiple sites.
  14. Access to any 3rd party locations where the company has equipment, including remote data centers.
  15. Access to remote backups hosted by 3rd party services. This may require some forensic work in old expense reports to determine if the employee was backing up their desktop or laptop using an off-site service.

Once access to the information has been revoked, your IT and HR groups should work with the employee’s manager and other departments to determine who will take over the terminated employee’s responsibilities and what information they should have access to. For example, if a sales rep is let go, a sales manager should review the rep’s pipeline and reassign leads or in-progress deals to another employee. IT may need to be involved in this process if it requires moving data from one account to another, or destroying electronic information that is deemed worthless and should be disposed of.

Identity Theft and Junk Mail

Monday, November 10th, 2008

It’s a mistake to think that identity theft is an Internet-only problem. The fact is that there are plenty of offline ways for criminals to steal your identity, social security number, credit card information, or other sensitive information. The two most common are:

  1. People can steal mail out of your mail box.
  2. People can steal un-shredded documents from your trash.

One way you can significantly reduce your offline risk is to reduce or eliminate the amount of junk mail you receive, especially those pre-approved credit card offers.

Doing this manually is a lot of work, but I’ve started using a service called Green Dimes, which lets you specify exactly which credit card companies or catalogs you want to stop receiving postal mail from. They have a complete list of every company that sends junk mail, and you simply check off the ones you want to eliminate.

It’s an incredible service. There’s a free version and a paid one that only requires a one-time $20 fee.

Since we started using it at my house, we’ve eliminated 95% of the credit card and financial service offers we used to receive in the mail. Plus we stopped getting a lot of catalogs we don’t want anymore, which has reduced the amount of paper we recycle significantly.

Before we got Green Dimes, I used to shred all of this mail, but I couldn’t keep up with it and these offers piled up all over the house. Now we don’t even get them. I can’t tell you what a relief that is, and I know that no one else is intercepting them either.

Personal Password Management: Risks and Remedies

Sunday, November 9th, 2008

Do you have trouble remembering every online password you have? I have hundreds that I use, just in my personal life, and that number is growing daily.

For a long time, I’ve tried to reuse the same few passwords on each site or application, just so I could remember them. But this weekend, I read a blog post from one of my friends where he describes how his wife, a security professional, got hacked doing this.

She had the bad luck to use one of her common passwords on a Chinese web site, where someone stole her password for that site and used it to log into another site she uses. They assumed her identity and sent her husband and some of her colleagues a spam email message. If someone were to steal one of my common passwords like this, and they knew a little about my habits, they could get into many different services that I use, steal a lot of my personal data, and potentially damage my reputation.

This isn’t that far fetched. It could easily happen to you.

The moral here is that you really need to have a different password at each site or commercial service you have an account with, you should use strong, unguessable passwords at each, and you need an automated, portable agent that you log into once that remembers all of these unique passwords and can automatically look up the right password and log into your services for you.
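To make the two rules above concrete, here is an added example (my own illustration, not RoboForm’s or any other product’s code) that generates strong per-site passwords, estimates their strength, audits a small constructed vault for passwords shared between sites, and rotates the shared ones. The character classes, the 80-bit threshold and the sample vault are assumptions chosen for the illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes the generator draws from (an assumed choice for this example).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+")
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Return a CSPRNG-generated password containing at least one char from each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(password: str) -> float:
    """Estimate entropy assuming uniform choice from the classes the password actually uses."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def find_reuse(vault: dict) -> dict:
    """Map each password that appears on more than one site to the sites sharing it."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def weak_entries(vault: dict, min_bits: float = 80.0) -> list:
    """Sites whose password falls below the (assumed) minimum entropy."""
    return sorted(site for site, pw in vault.items() if entropy_bits(pw) < min_bits)


def rotate_shared(vault: dict) -> dict:
    """Return a copy of the vault in which every site that shared a password gets a fresh one."""
    fixed = dict(vault)
    for sites in find_reuse(vault).values():
        for site in sites:
            fixed[site] = generate_password()
    return fixed


# Constructed sample vault: two sites share one weak password, one has a weak unique password.
SAMPLE_VAULT = {
    "mail.example": "Summer2008",
    "shop.example": "Summer2008",
    "bank.example": "p4ssw0rd",
    "forum.example": generate_password(),
}
```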

The good news is that Personal Password Agents are available commercially and they do a pretty good job of managing password overload for you. I started using one this weekend that seems to be working fairly well so far, called RoboForm.

RoboForm Password Manager and Generator

RoboForm performs a number of very useful functions that have already vastly improved my password security discipline and have even increased my productivity.

  1. RoboForm includes a strong password generator that I am using to replace the shared passwords that I currently use to log in with at all of the online services I use. I’m creating a unique password for each service in order to eliminate the ability for anyone to steal a common password and log onto another one of my services.
  2. RoboForm keeps a list of all of the services I use and automatically fills in the password form with the correct username and password combination when I switch between services, so I don’t have to remember all of these new passwords. That’s not so different from Firefox, except that this information is stored in an encrypted form on my computer and portable between the five or six computers I use every day.
  3. The only password I have to remember is the one password that I need to login to RoboForm when I open my web browser and try to connect to a password-protected service.
  4. RoboForm also helps automate form filling for credit card purchases and other forms, and eliminates the ability for anyone to hack my computer and record the keystrokes I use when I normally fill out this kind of information online.

The version of RoboForm that I’m using is FREE, but I will upgrade to the PRO version which lets you store your passwords on a USB thumb drive so you can move them between computers. RoboForm is also available for mobile phones on Palm, Symbian, Windows Mobile, and Blackberry operating systems.

Here are some other commercial password management and form filling applications available online. I haven’t tried all these applications yet, but if you do, please leave a comment describing their effectiveness and ease of use.

  1. TraySafe
  2. MySecurityVault Pro
  3. Password Safe
  4. TK8 Safe
  5. Password Vault