In response to the question “Should you secure your employee’s hardware?”, the answer is always, “Well, yes, of course!” But it is also true that the devices used by employees – computers, laptops, Blackberries, iPhones, etc. – are usually not as secure as they should be. Many employees can, and do, leave their work every day with their employer’s information stowed in a briefcase or bag, and the employer has no idea and no ability to wipe out that data if the device is stolen or the employee terminated.
There are some simple things that can be done to prevent data from walking out the door.
- Have your employees password protect every device they use for work, so that if it is lost, it cannot be opened easily. Having a security manual or policy telling employees how to do this can be helpful.
- Disable your employees’ ability to put things onto a thumb drive. I know this is a very unpopular position. But putting data on a thumb drive is a very easy way for someone to take your data, such as customer lists or other things you really want to keep private.
- If you can, set your computers and other devices up in a way so that they can be wiped remotely. A great example is the iPhone – it can be set up to be wiped if stolen.
- Make sure that every piece of hardware is collected when an employee leaves a company, and document what is done with it as part of the exit interview. It is amazing, in this day and age, how much hardware goes out the door. And how often counsel has to go and retrieve it when litigation is filed.
- Ask your employees when they leave the company if they have any data on their home computer. If they do, you need to have a plan for dealing with that data so you can comply with any records retention policies you may have.
- If someone is allowed to keep hardware after they leave the company (such as a Blackberry), make sure it is wiped of all company information. But, again, be mindful of any obligations that may exist because of a legal hold or records retention policy at your company – if necessary, back the data up on your system before wiping the device.
“This is all well and good,” you say, “but how can I get this to the top of my [boss’, general counsel’s, CIO’s, CEO’s] priority list?”
- Tell them how much they want to keep their information from their competitors.
- Tell them how important it is to protect your trade secrets. It is not a good thing if your lawyer has to argue, “Well, the information is a trade secret, but we had no procedures in place to make sure it did not leave with the employee.”
- Tell them how expensive it is to pay lawyers to track data down if litigation is filed.
- Tell them how expensive it is to replace hardware.
- Tell them how important it is to respect privacy rules and laws – how can you say, for example, that you are protecting your client’s information if you let it walk out the door with a terminated employee?
Make sure your employees’ devices are secure, and keep checking on this as technologies change. You will be glad you did!