Legal and Regulatory

Keeping Data Safe From Ex-employees

An astounding 87 percent of departing employees take data they created on the job, and 28 percent steal data created by others. Contractors can protect company data by establishing protocols and security measures for departing employees.
By Jason Park
October 12, 2018

It’s no secret that this is a world where cyberattacks and data theft have become the norm. Construction companies can never be too careful in protecting their data from outside hackers, but few realize that sometimes there’s an even bigger threat much closer to them: their departing employees.

An astounding 87 percent of employees who leave a company take with them data they created on the job, and 28 percent steal data created by others, as documented in a survey by Biscom. To make matters worse, one in five employees who leaves a job uploads sensitive and confidential data to an external cloud service, specifically with the intention of sharing it with others, according to a survey conducted by Osterman Research. This stolen and shared data includes presentations, strategy documents, customer lists, proprietary calculations and intellectual property.

The truth is that many departing employees will likely attempt to steal company data. Their reasoning may be for competitive or financial advantage, or simply to keep their own copy and share the information with one or two others. Regardless of the intentions, there are proactive steps to take to avoid the potential fallout.

Inventory Data

Before even beginning to protect company data, it is essential to know exactly what data the company has and where it can be found. This involves a thorough audit of company files, which may include in-depth questionnaires that each person or department can complete. The goal is to create a data “map” that outlines what data is where, which data is the most confidential, who has access to what and where data is stored.

Establish Protocols

Create and implement policies to ensure data management will be handled consistently and correctly. That can mean establishing employee access levels so that sensitive material is viewable strictly on a need-to-know basis, according to the employee’s role and function. Company policies should also explain how personal devices will be handled – if company email can be accessed on someone’s smartphone, for example – and make it clear that the company has the discretion to remotely wipe the data off any outside devices. Additionally, include confidentiality provisions about the ownership of sensitive, confidential and trade secret data in employment contracts. These data management protocols can be part of employee onboarding, which should include the employee signing a document stating that they have read the policies and agree to abide by them. Protocols should also be reviewed regularly with the team to ensure everyone remembers what is expected, understands that the company owns the data and treats all files and devices consistently.

Set Up Security Measures

If two-factor authentication hasn’t already been set up, it is a relatively easy way to increase security. It’s also smart to encrypt sensitive data, which isn’t as expensive as it may sound: The average cost of fully encrypting data is $235 per computer, while the average amount lost due to data exposure is $4,650 per device, according to the Ponemon Institute. Set up a virtual private network (VPN) so remote workers can safely access the network. Also monitor the network and any device with access to the organization’s data, and explain the company’s intention and right to monitor in company data management policies.

Prepare for an Employee Departure

With the above steps in place, now it’s time to secure data when an employee resigns or is let go. To best minimize the risk of data theft and protect sensitive data, it’s helpful to have a checklist, which should include the following steps:

  • obtain employees’ company-supplied devices, including computers, phones, external hard drives, thumb drives and backup discs;
  • analyze any personal devices on which employees have access to company-related files and remove data or wipe devices as needed;
  • retrieve employees’ company credit cards, access cards, building keys and parking tags;
  • disable employees’ access to all networks and systems, phones and voicemail, clouds and CRM platforms;
  • remind employees of the agreement they signed regarding the confidentiality of sensitive information, and have them sign an additional document stating they have returned all company data;
  • determine the risk of a data leak by asking employees about future plans and employment; and
  • ensure managers are trained on proper data management and up to date on the concerns when an employee leaves.

Make a Forensically Sound Copy ASAP

Immediately after retrieving all of the departing employee’s devices, a licensed or certified vendor should make a forensic copy of the computer’s hard drive. This process, known as “imaging,” identically replicates the device’s storage, going much further than a traditional IT backup. Imaging keeps all of the device’s data and metadata intact, while copying active files as well as deleted and fragmented files. Imaging should also include hash-verification and logging of password-protected and encrypted files. With the help of a write-blocker – a read-only hardware device that allows the vendor to acquire information on a hard drive without the possibility of accidentally damaging the contents – imaging should be completed on all departing employees’ devices and encompass all platforms, including emails, databases, Word files, games, messaging apps, browser histories, social media networks and cloud platforms.
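The hash-verification step described above, as an added example that is not from the article or from any imaging vendor: it hashes a file in blocks, compares a working copy against the values logged at acquisition and reports which blocks differ. The file names, the 1 MiB block size and the record layout are assumptions, and the "image" is random constructed data.

```python
import hashlib
import os
import tempfile

BLOCK = 1024 * 1024  # hash in 1 MiB blocks so a large image is never held in memory

def hash_image(path):
    """Return (sha256 of whole file, list of per-block sha256 digests, size in bytes)."""
    whole, blocks, size = hashlib.sha256(), [], 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            whole.update(chunk)
            blocks.append(hashlib.sha256(chunk).hexdigest())
            size += len(chunk)
    return whole.hexdigest(), blocks, size

def verify_copy(path, record):
    """Compare a working copy with the values logged when the image was acquired."""
    digest, blocks, size = hash_image(path)
    bad = [i for i, (a, b) in enumerate(zip(record["blocks"], blocks)) if a != b]
    return {
        "file": os.path.basename(path),
        "match": digest == record["sha256"] and size == record["size"],
        "bad_blocks": bad,  # indexes of 1 MiB blocks that differ from the acquisition
    }

def demo():
    """Constructed data standing in for an image, a good duplicate and an altered one."""
    data = os.urandom(3 * BLOCK + 17)
    altered = bytearray(data)
    altered[BLOCK + 5] ^= 0x01  # flip one bit inside block 1
    with tempfile.TemporaryDirectory() as d:
        paths = {}
        for name, content in (("image.dd", data), ("copy.dd", data), ("altered.dd", altered)):
            paths[name] = os.path.join(d, name)
            with open(paths[name], "wb") as f:
                f.write(content)
        digest, blocks, size = hash_image(paths["image.dd"])
        record = {"sha256": digest, "blocks": blocks, "size": size}  # the acquisition log entry
        return verify_copy(paths["copy.dd"], record), verify_copy(paths["altered.dd"], record)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A single flipped bit changes the whole-file digest, and the per-block list narrows the difference to one block of the copy.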

Those images will preserve the data, and duplicate images can be created for forensic investigation if needed. If theft of company data is suspected, the forensics team can use the image copy to search for unusual activity such as:

  • a high volume of copied files, particularly within two weeks of the employee’s last day – including the kind of files that were copied and what devices had access;
  • files that shouldn’t exist on a specific device, such as proprietary customer lists from the company’s CRM downloaded to the computer or CAD files without having the CAD program;
  • access and activity at unusual times, such as after hours or on a weekend or holiday;
  • a noticeable increase in outgoing emails; and
  • software that was recently added or deleted – especially one that could wipe the hard drive.

The forensic team may also be able to recover data that was deleted or hidden.
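Three of the indicators listed above (copy volume in the final two weeks, off-hours activity and recent software changes) applied to a timeline, as an added example that is not the author's or any forensic tool's code. The event names, paths, working hours and copy threshold are assumptions, and the timeline rows are constructed.

```python
from datetime import datetime, timedelta

# Constructed timeline rows (timestamp, event, detail), standing in for an export
# from a forensic image; event names and paths are hypothetical.
TIMELINE = [
    ("2018-09-03 10:15", "file_copy", "E:/bids/estimate_a.xlsx"),
    ("2018-09-24 11:02", "file_copy", "E:/crm/customers.csv"),
    ("2018-09-29 23:40", "file_copy", "E:/cad/site_plan.dwg"),
    ("2018-09-29 23:42", "file_copy", "E:/cad/tower.dwg"),
    ("2018-09-30 02:10", "email_sent", "personal@example.com"),
    ("2018-10-01 16:30", "software_install", "DiskWipeTool (hypothetical)"),
]
LAST_DAY = datetime(2018, 10, 2)
WINDOW = timedelta(days=14)   # "within two weeks of the employee's last day"
WORK_HOURS = range(7, 19)     # assumption: 07:00-18:59 counts as normal hours

def triage(timeline, last_day, copy_threshold=3):
    """Group timeline rows under the indicators an examiner would review first."""
    findings = {"copies_in_window": [], "off_hours": [], "software_changes": []}
    for stamp, event, detail in timeline:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        in_window = last_day - WINDOW <= when <= last_day
        if event == "file_copy" and in_window:
            findings["copies_in_window"].append(detail)
        # weekday() >= 5 means Saturday or Sunday
        if when.weekday() >= 5 or when.hour not in WORK_HOURS:
            findings["off_hours"].append((stamp, event))
        if event in ("software_install", "software_uninstall") and in_window:
            findings["software_changes"].append(detail)
    # The threshold is a starting point for review, not proof of theft.
    findings["high_copy_volume"] = len(findings["copies_in_window"]) >= copy_threshold
    return findings

if __name__ == "__main__":
    for name, value in triage(TIMELINE, LAST_DAY).items():
        print(name, value)
```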

If suspicious activity is discovered after completing an investigation, there are two possible outcomes. Oftentimes, the accused employee may simply return the stolen files when confronted, removing the need to further pursue the situation. However, other times the employee will not admit to the theft or will not return the data, which may lead to litigation. In that case, the data may be handed over to an ediscovery team to be collected, analyzed, filtered, reviewed and produced for the court.

Recently, Tesla reported that an ex-employee stole and leaked several gigabytes worth of data to multiple third parties including news outlets, took pictures and videos of Tesla’s manufacturing systems and tried to recruit employees to help him get this information out of the company. This situation resulted in Tesla suffering major losses in business and profits as well as damage to its reputation.

Don’t let that happen.

Cybersecurity involves more than guarding against outside hackers or malware. Those will always be threats, unfortunately, but internal personnel can do even more harm because they possess valuable knowledge about company data, such as which files are where and what they contain. By being proactive, working quickly and employing a forensic team, a company can better recognize threats and protect company data.

Jason Park is with BIA, a leader in reliable, innovative and cost-effective eDiscovery services. A licensed private investigator with more than two decades of diverse eDiscovery and computer forensics experience, Park oversees BIA’s data collection, digital forensics, investigation and analysis services for matters of all sizes and complexities.
