Featured Article : Employee Exit

When employees leave a business or organisation, there are many actions that need to be taken to maintain security. Here’s a summary of some of them in relation to the health and continuity of the business and to fulfil legal and stakeholder responsibilities.

Different Reasons, Same Actions

Members of organisations inevitably change over time. They may leave (e.g. to go to another job or move away), may be asked to leave, or may depart for many other reasons. For businesses or organisations to fulfil their responsibilities to themselves, their shareholders, customers, other employees and data laws, and to allow them to act quickly when the time comes, it pays to have at least a (preferably regularly updated) checklist in place to ensure that security is maintained and that weaknesses, threats and disruption are minimised.

Potential Threats

Examples of the kinds of potential threats that an organisation may need to guard against on employee exit include:

– Damage, theft, and disruption – In addition to the risk of data theft, attacks on a company’s systems and network, which may have been facilitated by not having security measures or procedures in place for employees leaving/retiring, can cause costly and disruptive damage.

– Insider threat – One of the dangers of not managing the departure of an employee properly is that a business could then have an ‘insider threat’ (i.e. a former employee, contractor or partner with access rights and logins that still work). This could lead to private company business being leaked (possibly to competitors), industrial espionage, opportunities for extortion, access being gained to financial details, customers stolen, and more. A recent IBM study found that insider threats account for 60 percent of data breaches.

Examples

High profile examples of organisations that have suffered data breaches at the hands of ex-employees include:

– Broadcasting watchdog Ofcom, which suffered a large data breach in 2016, where a former employee downloaded around six years’ worth of third-party data before leaving for a new job at a major broadcaster. The data was then offered to the new broadcaster who informed Ofcom.

– Back in 2013, a disgruntled Morrison’s (ex) employee (IT Internal Auditor) Andrew Skelton copied the payroll data of 99,998 Morrison’s employees to his personal USB stick and then posted the data on a file-sharing website. This resulted in a Class Action lawsuit being launched against Morrison’s by over 5,000 employees, with Morrison’s being found “vicariously liable” for the breach.

Legal Responsibility

The examples above highlight one important reason for closing any potential holes in security on employee exit: the legal responsibility under current data laws. The United Kingdom General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 (an updated version of the DPA 1998) are the main legislative frameworks covering how a business or organisation in the UK should manage the protection and handling of data. Within these, the data controller (i.e. you and your company/organisation) holds the responsibility for data matters.

Protecting that data is important both to protect those whom the company holds data about, and to protect the company itself from legal penalties, damage to reputation and more.  As well as personal data, a business needs to ensure that other sensitive data such as financial records, intellectual property and details about company security controls are all protected.

Procedure

These threats and responsibilities show that businesses and organisations need to address employee exit as part of their due diligence. This can be done by building a standard company procedure to follow whenever an employee leaves, for whatever reason.

Checklist

This company procedure could be built around a checklist / a kind of security audit that takes the following into account:

– Emails are a window into company communications and operations and a place where sensitive data is exchanged and stored. Email is also a common ‘vector’ for cyber-criminals. With this in mind, managing the email aspects of security when an employee leaves/retires is vitally important. Measures that can be taken include revoking access to company email and setting up auto-forwarding and out-of-office replies, making sure that you mention who the new contact is. It is also important to revoke access to, or remove login credentials for, other email tools the company uses to communicate with customers and other lists of stakeholders, for example mass mailing programs with stored lists, such as Mailchimp.

– Revoking access to company systems and networks. Employees have login details and rights/permissions for company computer systems and networks. Access and logins for these should be revoked for the employee when they leave.

– CRMs provide access to all manner of data about the company, its customers, its other stakeholders, sales, communications and more. Login access should be revoked when an employee leaves.

– Collaborative Working Apps/Platforms and shared, cloud-based, remote working platforms (e.g. Teams or Slack) also contain direct access to company data. Make sure that a departing employee can no longer have access to these groups.

– If the departing employee has a personal voicemail message on the company phone, this also needs to be changed.

– A leaving employee will need to return all company devices, and this implies that a company should have procedures in place to keep a record of which company devices have been allocated to each employee.

– Retrieval of any backup/storage media (e.g. USBs) may also help to prevent some security threats.

– Although it is best to store all online documents in a shared company folder that you have control over (e.g. in OneDrive), it is possible that an employee has stored items in separate folders on their computer. Making sure that these are transferred to you or deleted when the employee leaves can help to maintain levels of security.

– Having a policy in place for the regular changing of passwords can work well anyway as a fail-safe but also, changing any passwords shared with multiple members of staff is an important measure to take when an employee leaves.

– If the departing employee was authorised to use company credit/debit cards, changing the PINs for those cards is another step that needs to be taken to maintain security with the company/organisation’s finances.

– Letting the company team/person responsible for IT security know that a person has left, particularly if the person left ‘under a cloud’, is another way that you can help to close security loopholes.

– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved is something that should be done before the ex-employee leaves the premises for the last time.

– If the employee has been issued with physical documents (e.g. a handbook) which contains information and data that could threaten company security, these need to be retrieved when the employee leaves.

– If the departing employee’s email address and extension feature on the website, and/or that employee is shown as being in the role they are departing from, this needs to be removed from the website. Also, check that company social media doesn’t indicate that the departed employee is still in their role (e.g. on LinkedIn and Facebook). You may also wish to make sure that the ex-employee doesn’t feature in the business’s online estate (e.g. at the top of the website home page) or on other prominent pages.
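The checklist above, and the ‘insider threat’ point earlier in the article (logins that still work after someone has left), only help if somebody actually verifies that each item was done. The Python below is an added example, not code from the original article: it takes the kind of inventories a company would keep for the checklist items (accounts per system, passwords shared between staff, allocated devices) and reports anything that still grants a leaver access after their exit date. All system names, employee ids, dates and the data layout are constructed for illustration and are not any real company’s records.

```python
"""Offboarding reconciliation check: an added example, not code from the
original article. It walks constructed inventories for the items in the exit
checklist (accounts per system, shared passwords, allocated devices) and
reports anything that still grants a leaver access after their exit date.
All system names, employee ids and dates are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Account:
    system: str                 # e.g. "email", "vpn", "crm", "slack", "mailchimp"
    owner: str                  # employee id
    enabled: bool               # does the login still work?
    last_login: Optional[date] = None


@dataclass
class SharedSecret:
    name: str                   # a password known to several staff, e.g. "company-twitter"
    known_to: set[str]          # employee ids who were given it
    last_rotated: date


@dataclass
class Device:
    asset_tag: str
    assigned_to: str
    returned: bool


@dataclass
class Leaver:
    employee_id: str
    exit_date: date


@dataclass
class Findings:
    active_accounts: list[str] = field(default_factory=list)
    post_exit_logins: list[str] = field(default_factory=list)
    stale_shared_secrets: list[str] = field(default_factory=list)
    unreturned_devices: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.active_accounts or self.post_exit_logins
                    or self.stale_shared_secrets or self.unreturned_devices)


def reconcile(leaver: Leaver, accounts: list[Account],
              secrets: list[SharedSecret], devices: list[Device]) -> Findings:
    """Compare the leaver against each inventory and collect residual access."""
    f = Findings()
    for a in accounts:
        if a.owner != leaver.employee_id:
            continue
        if a.enabled:
            f.active_accounts.append(a.system)
        # A login after the exit date is the 'insider threat' case from the
        # article: a former employee whose credentials still work.
        if a.last_login is not None and a.last_login > leaver.exit_date:
            f.post_exit_logins.append(a.system)
    for s in secrets:
        # A shared password the leaver knew must have been rotated after they left.
        if leaver.employee_id in s.known_to and s.last_rotated <= leaver.exit_date:
            f.stale_shared_secrets.append(s.name)
    for d in devices:
        if d.assigned_to == leaver.employee_id and not d.returned:
            f.unreturned_devices.append(d.asset_tag)
    return f


def demo() -> Findings:
    """Run the check over constructed sample inventories for leaver e042."""
    leaver = Leaver("e042", date(2021, 4, 9))
    accounts = [
        Account("email", "e042", False, date(2021, 4, 8)),
        Account("vpn", "e042", True, date(2021, 4, 12)),      # still enabled, used after exit
        Account("crm", "e042", False),
        Account("slack", "e042", True),                       # never disabled
        Account("mailchimp", "e042", False, date(2021, 3, 30)),
        Account("email", "e017", True, date(2021, 4, 13)),    # another employee, ignored
    ]
    secrets = [
        SharedSecret("company-twitter", {"e042", "e017"}, date(2021, 1, 15)),     # not rotated
        SharedSecret("wifi-guest", {"e042", "e017", "e023"}, date(2021, 4, 10)),  # rotated after exit
    ]
    devices = [
        Device("LT-0311", "e042", True),
        Device("PH-0088", "e042", False),   # phone not handed back
        Device("LT-0120", "e017", False),
    ]
    return reconcile(leaver, accounts, secrets, devices)


if __name__ == "__main__":
    findings = demo()
    print("clean" if findings.is_clean() else findings)
```

Run against the sample data, the report flags the VPN and Slack accounts as still enabled, a VPN login three days after the exit date, the un-rotated shared Twitter password and an unreturned phone. In practice the inventories would come from the directory, VPN logs, the CRM’s user list and the asset register rather than being typed in, and the check would be re-run some days after the exit so that late logins are caught.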

BYOD Threat

Where companies offer ‘Bring Your Own Device’ (BYOD) meaning that employees can bring in their personally owned laptops, tablets, and smartphones to work and use them to access company information, this could pose an additional level of threat on employee exit. This threat may be lessened where companies opt for different types of BYOD such as corporately owned/managed, personally enabled (COPE), choose your own device (CYOD), personally owned and partially enterprise managed or personally owned with managed container application.  

In any case, BYOD should always be accompanied by clear policies and guidance as part of effective management.

Ex Employee’s Legal Responsibilities

It should be remembered that, although the business/organisation has legal responsibilities to protect company data, the ex-employee is also subject to the law for their behaviour. This is of particular importance where an employee who has dealt with the personal details of others in the course of their work leaves or retires. For example, the ICO prosecuted a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his former work email account (in February 2017) containing sensitive personal information of 183 people. Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat.

What Does This Mean For Your Business?

Having a regularly reviewed and updated procedure in place for the steps to take during an employee’s exit is an important part of due diligence, legal responsibility, responsibility to all stakeholders, and is a way for a company to protect itself from preventable threats in the future. This procedure, therefore, feeds into business security and business continuity and is also an argument for making sure that employees work within monitored and controlled company systems rules and procedures, thereby making it easier to close all loopholes and minimise threats on employee exit.

Tech Insight – What’s Happening About The HUGE Facebook Data Leak?

With Facebook having to inform more than a staggering 530 million users that they were exposed to a data breach in 2019, criticism of the company’s handling of the breach has prompted some to ask just what is happening.

What Breach

It has been reported that in 2019, the ‘scraped’ details of 530m Facebook users were exposed on a hacker’s forum. The stolen dataset, including details from users in 106 countries, is reported to have included phone numbers, Facebook IDs, (full) names and birthdates, but not financial information, health information or passwords. This ‘old’ data is reported to have recently been made publicly available again in an unsecured database.

How?

According to Facebook, before 2019, a simple bug in its Contact Importer code allowed hackers to access part of an unprotected server in the company’s systems and to ‘scrape’ user profile data.

Found Online

The database that appeared to contain scraped details of the Facebook users was originally discovered online in September 2019, just one day after it was known to have been taken. At the time, it was reported that most of the data came from US users but that 18 million records were from UK users.

Blame

Facebook appears to place the blame on the ‘malicious actors’ and puts it down to the “adversarial relationship technology companies have with fraudsters who intentionally break platform policies to scrape internet services.” Facebook has made it clear that this story is not about a recent hack of its systems but is old news about old data. It also says that back in 2019, after the scraped dataset was posted online, it made changes to the contact importer to stop software from imitating the app and uploading a large set of phone numbers to see which ones matched Facebook users.

Criticism

With the trust-damaging Cambridge Analytica data still casting a shadow over Facebook, the re-surfacing of this scraped data online last weekend and Facebook’s apparent attitude to it has drawn a good deal of criticism including:

– An initial silence from Facebook after the Business Insider article highlighted the breach. For example, Ireland’s Data Protection Commission (DPC) said that it had received no communication from Facebook over the weekend when the breach was announced.

– The fact that, although Facebook may see this as old data, this vast quantity of data may still be of use to cybercriminals. For example, any stolen phone numbers that can be connected with email addresses could still be used to obtain an SMS code to log in to the victim’s email account (SIM-swapping to redirect SMS-based codes to hackers’ devices). The stolen data may also be used for other disruptive activities such as spam calls.

– Facebook may not have notified users whose data had been stolen and may still be unlikely to. There is no simple way for these users to tell whether, and how seriously, they have been affected, or whether their data has been passed on, sold on or used in other attacks. Users whose details were stolen could well have the same details as three years ago, may not have changed anything and may therefore be at risk of other attacks at any time.

– Criticism of an apparent culture of impunity and a questionable attitude to customers’ data privacy and security at Facebook, through its dismissal of 533 million people’s data as essentially old news that it couldn’t really do anything about, simply saying that it is now “publicly available”.

– Questions over whether, under GDPR, Facebook does still have a responsibility to inform users whose data has been stolen and criticism that Facebook should be doing more to respond to European regulators and not just American ones.

– That Facebook may have more antitrust questions to answer in Washington and that there now needs to be more transparency, accountability, and regulation of the activities and privacy/security measures taken by big social media companies, and that these companies must somehow be made to act more responsibly in several areas, including data protection.

– That the market dominance and apparent monopoly position by Facebook (it owns platforms Instagram and WhatsApp) has enabled these privacy and security issues to keep happening.

What Can You Do?

One of the few things that users can do to see if their details have been taken in this or other known leaks/attacks is to check on the HaveIBeenPwned website:  https://haveibeenpwned.com/

What Does This Mean For Your Business?

The staggering size of this breach coupled with what many have seen as an unsatisfactory response from Facebook, on top of the company’s history with data privacy and security (e.g. the Cambridge Analytica scandal) have seen the social media giant come back under the spotlight once again with many calling for greater accountability (particularly to European regulators).  This will, no doubt, be another blow to user trust and could fuel action in Washington, adding new momentum to the whole antitrust battle and what to do with a dominant social media giant to stop this kind of thing from happening.  For users, as individuals and those with business pages, and those users of Instagram and WhatsApp, it’s a case of not really knowing if their data has been stolen and sold on (apart from proactively checking on a website) and feeling relatively powerless in their relationship with the social media giant as regards their data privacy security, and the company’s apparent attitude to it.  Many may feel that pressure at state level, government questions, and tougher action from regulators may be the only real way to force changes in such a powerful company.

Tech News : Microsoft and LinkedIn’s New Features To Help UK Jobseekers

With the pandemic fuelling job losses, new features from Microsoft’s LinkedIn platform could provide some help to the UK’s 1.7 million unemployed.

The Challenge

Many of LinkedIn’s users may now be facing the considerable challenge of unemployment and/or trying to stand out to present their skills in a market where they may be very capable of fulfilling job roles but may not have all the formal qualifications and experience.

With this in mind, LinkedIn says that the four new tools it is launching are a way for users to bring their professional stories to life and “create a more expressive and inclusive profile”.

Cover Story

The first of the four new features is Cover Story, a feature that allows users to upload a video of themselves so that hiring managers can get a look at the user’s personality, communication skills and career goals. This tool has been introduced in response to figures from research conducted by Censuswide (in the US) on behalf of LinkedIn which showed that 76 percent of hiring managers believe seeing a pre-recorded video of a job seeker would be useful.  Cover Story may also be a useful opportunity for freelancers to talk about their services and attract new clients.

The presence of a Cover Story video on a person’s profile will be indicated by an orange ring around the Profile photo, and the video will auto-play silently within the photo frame until the profile visitor clicks on it.

Service Page

The second of the new tools is the ability for users to create a dedicated ‘Service Page’ directly from their LinkedIn profile. LinkedIn says that this could give users more “reach” to its global community of nearly 740 million members.  In essence, the Service page is another opportunity for LinkedIn members such as Freelancers, SMBs or jobseekers to showcase their skills.

Creator Mode

The new Creator Mode tool in the Profile dashboard allows anyone creating and publishing content via LinkedIn (e.g. posts, videos, articles, or comments) to engage a community and build a following in a similar way to some other social networks. For example, users can hashtag terms for their latest posts which moves their Featured and Activity sections to a prominent position on the top of their Profile and can change their “Connect” button to “Follow”. Also, for those offering live broadcasts on LinkedIn, their Profile background will show when the Live broadcast starts streaming, thereby helping to increase the visibility of the content. 

Career Coach

Finally, the LinkedIn-powered Career Coach app for Microsoft Teams has an AI-based skill identifier which helps users (students) to understand their goals, interests, and transferable skills and align their profile with current job market trends accordingly.  It also connects them to mentors and promotes skills, thereby potentially giving users a better chance of being successful in their job applications.

Apprenticeship Connector

Last month, in a partnership with GetMyFirstJob, Microsoft introduced The Microsoft Apprenticeship Connector which is aimed at simplifying the apprenticeship process by listing vacancies across Microsoft’s network of partners and customers. It is thought that this partnership could aid young jobseekers, help bridge the tech skills gap in the UK, and assist small businesses in particular to fill apprenticeship vacancies.

What Does This Mean For Your Business?

These new tools from Microsoft are designed to update the LinkedIn platform, which is known for its jobs connection, and align it better with the skills-based jobs market in a rapidly (digitally) transformed environment as countries like the UK start to come out of pandemic restrictions. These features may increase the relevance of the LinkedIn platform to employers and younger job seekers, help the platform move more into content, and help to tie Microsoft more closely within other partnerships and opportunities related to tackling the tech skills gap and promoting its services that can help with this. For users/members of LinkedIn (such as freelancers and small businesses) these features could also provide a way to showcase more of their skills, work and identity in a way that may be engaging enough to bring new opportunities and create a following and wider network that could also bring more business opportunities.

Tech News : Liquid Cooling To Maintain Microsoft’s Data Centres

Huge demands on Microsoft’s data centre servers, partly driven by a surge in Microsoft Teams user numbers, have led to the tech giant opting for liquid-immersion cooling.

The Challenge

Microsoft has recognised that it has now come up against the slowdown of Moore’s Law as transistor widths have shrunk to atomic scales and are reaching a physical limit, whilst the demand for faster computer processors for high performance applications such as AI has accelerated. This has meant that more electric power is now being put through the small processors used in Microsoft’s data centres, thereby increasing the heat they produce.  According to Microsoft, this means that air cooling is no longer enough to prevent the chips from malfunctioning. The demands of a huge increase in the numbers of Teams users during lockdown and the need to maintain sustainable and energy efficient data centres have also contributed to Microsoft’s decision to try liquid cooling.

Two-Phase Immersion Cooling

Since heat transfer in liquids is more efficient than air, Microsoft’s new system of two-phase immersion cooling involves immersing servers in tanks filled with an engineered fluid (from 3M) which has dielectric properties (i.e. it is an effective insulator), thereby allowing the servers to operate normally while fully immersed in the fluid. The liquid boils at 122 degrees Fahrenheit (90 degrees lower than the boiling point of water) and this boiling effect, generated by the work the servers are doing, takes the heat away from the computer processors whilst the low-temperature boil enables the servers to operate continuously at full power without risk of failure due to overheating.

The second phase of this two-phase process refers to the vapour rising from the tanks making contact with a cooled condenser in the tank lid, thereby changing it back to liquid that rains back onto the immersed servers, creating a closed-loop cooling system.

The Result

Microsoft says that the result of it becoming the “first cloud provider that is running two-phase immersion cooling in a production environment” at its datacentre in Quincy should be the ability of the company to:

– Continue the Moore’s Law trend at the datacentre level.

– Reduce power consumption.  For example, Microsoft’s trial of using liquid two-phase immersion for cooling AI showed reduced power consumption for any given server by 5 to 15 per cent.

– Increase flexibility for the efficient management of cloud resources.

– Improve efficiency and sustainability.

– The fact that the system uses a specially developed cooling fluid, and not water, gives Microsoft the ability to meet its commitment to replenish more water than it consumes by the end of the decade.

What Does This Mean For Your Business?

If your business uses Microsoft’s cloud-based services, and particularly those which involve AI and/or Teams, this switch to a new cooling technology at datacentre level should mean smooth running services with less risk of potentially costly outages and disruption going forward. For Microsoft, this may give it an advantage over cloud company competitors in terms of capacity, reliability, and sustainability credentials.

Tech Tip – Free Ways to Share Photos

We all take lots of photos with our smartphones, so here is a selection of some of the best free places to share (and back up) photos.

– Google Photos. Just having a Gmail account gives access to this service, with which you can share photos with family, friends or teammates, create albums, and grant access to those who want to share photos.

– Apple Photos. This sorts your photos, displays them in grid format for easier browsing, stores them to iCloud for ease of access from an iOS device or Mac, and automatically tags your photos based on location and content.

– iCloud. This allows photos to be shared as email attachments in Photos on iCloud or using an iCloud Link. To share photos with others via attachments from iCloud email, select the photos, tap Share > Email (attachments larger than 20 MB are replaced with an iCloud Link). See https://www.icloud.com/.

– Dropbox.  This popular cloud-based file-sharing, backup solution allows the creation of shared folders and shared links can be sent by email, social media, or instant message. See https://www.dropbox.com/.

– WeTransfer. This is a fast, free file-sharing platform that requires no registration and lets the user share photos across all devices, provided they are compatible with web-based apps. Users can also choose to pay for a premium plan for password protection, 1TB of storage, and an increased transfer limit (to 20 MB). See https://wetransfer.com/.

– Flickr. This photo-sharing platform is user-friendly and has easy-to-use menus, and photo editing tools. Flickr also offers other features like auto-backups, an ad-free experience, unlimited storage, and photo stats. See https://www.flickr.com/.

– AirDrop.  This platform allows photos to be shared/sent between Apple devices (iPhone, iPad, or Mac).  The service doesn’t require a special account and sharing is particularly easy if both the sender and recipient are on a Wi-Fi network, and both have AirDrop and Bluetooth enabled.

– Instagram. Yes, it’s a social media app but if you often share photos, and your intended recipients already follow you, it’s a good free option.  It also has photo editing options. See https://www.instagram.com/.

– Cluster.  This free, private group photo sharing app can be accessed via a web browser or mobile app, users can make as many albums as they like, and can invite and connect with others. See https://cluster.co/.