BYOD: My Employee Resigned – And His Smartphone Is Full of Business Data

Depositphotos_30145341_xs for 1-14-2014 postRecent research from British law firm EMW paints a distressing picture of employee data theft. EMW found that cloud computing makes it easier for employees to take enterprise data when they leave, and that court cases over theft of business information increased 56 percent from 2011 to 2012. Adopting “bring your own device”, or BYOD,  in your business can leave you vulnerable to employee data theft when staff move on. Accept this, then take steps to minimize your risk.

What’s at Stake if an Employee Walks

When an employee leaves, he carries with him knowledge of your products, services and workflow. Employee laptops and phones will have enterprise and client emails, strategic information, work documents and other data. Since employees may leave for a variety of reasons, every policy should take this into account. Employees who transfer to another office or take a medical leave may need to keep business information, while those who resign, are laid off, or are fired should not keep data.

In a worst case scenario, an employee could have transferred sensitive information to personal cloud storage or retain confidential emails in a personal smartphone. The former employee could use this information to directly compete with your business, log into the network over VPN to delete copies of important information or attempt to lure clients to a competing firm.

Protecting Business Assets

An effective BYOD policy can prevent business data theft and other related problems. A policy should spell out what type of work data is allowed on smartphones (client emails yes, database entries no), which apps are allowed or prohibited, and what level of control your IT department will have over employee phones.

Some device manufacturers offer a remote wipe feature that allows IT staff to empty a user phone if it is lost or staff leave. If you plan to use the remote wipe feature, your BYOD policy should include clear and specific language on when a phone could be remotely wiped and what type of data will disappear. By remotely wiping all employee devices after staff leave, your business data remains protected. Your policy should also discuss device security and updating protocols. If staff must bring a device to IT every 4 months for a security check, IT can then screen devices for red-flag apps or content. Also make sure to spell out exactly what type of devices will be allowed on the plan. Blackberry offers an MDM service that manages iOS, Android and BlackBerry devices all at once, saving time, money and hassle.

DPSciences recommends that all employees sign the BYOD agreement before they can bring their own device to work and that the agreement spells out what happens when they leave the company. This way, staff know what they have agreed to and what they can expect if they leave.

To protect business data from all employees, use an authentication tool that prevents users from logging into sensitive assets from a mobile device. If no employees can log into the central database from a “BYOD”-device, none can steal database information.

At this time, also review other policies that affect employees who leave. If you use non-compete, non-disclosure or confidentiality agreements, you can potentially legally sue employees who steal data for violating these agreements. If you don’t use any of these, BYOD may be the nudge you’ve been waiting for.

  • Gene says:

    If the employee is expected to have a smartphone, can’t the company just pay for it and ask for it when the employee leaves? Seems like a simple enough solution to me. 🙂