When employees leave (or are asked to leave) or retire from businesses and organisations, those entities still have a legal responsibility to ensure that security levels are maintained with regards to data security.

Laws For Data

The General Data Protection Regulation (GDPR) and the Data Protection Act 1998 are the main legislative frameworks covering how a businesses or organisation in the UK should manage the protection and handling of data. Within these, the data controller (i.e. you and your company/organisation) hold the responsibility for data matters.

Protecting that data is vitally important both to protect those who the company holds data about, and to protect the company itself from legal penalties, damage to reputation and more.  As well as personal data, your business needs to ensure that other sensitive data such as financial records, intellectual property and details about company security controls are all protected.

Threats

In addition to legal responsibilities for data protection, businesses must also address other potential threats as part of due diligence and hopefully, of a built-in company procedure when an employee leaves for whatever reason. For example:

– Damage and Disruption – In addition to the risk of data theft, attacks on a company’s systems and network, which may have been facilitated by not having security measures or procedures in place for employees leaving/retiring, can cause costly and disruptive damage and disruption.

– Insider Threat – One of the dangers of not managing the departure of an employee properly is that your business could then have an ‘insider threat’ i.e. a former employee, contractor or partner with access rights and logins that still work.

Security and Employee Exit

Clearly, there are many areas to be covered to manage employee exit from a security perspective.  Here are some pointers for managing the security aspects of an employee’s departure:

– Email is a window into company communications and operations and a place where sensitive data is exchanged and stored. It is also a common ‘way in’ for cyber-criminals.  With this in mind, managing the email aspects of security when an employee leaves/retires is vitally important.  Measures that can be taken include revoking access to company email, setting up auto-forwarding and out-of-office replies, while making sure that you mention who the new contact is. Also, it’s important to revoke access to/remove login credentials for other email programs used by the company to communicate with customers and other lists of stakeholders e.g. mass mailing programs with stored lists, such as Mailchimp.

– Company Systems and Networks. Employees have login details and rights/permissions for company computer systems and networks.  These should be revoked for the employee when they leave.

– CRMs provide access to all manner of data about the company, its customers, its other stakeholders, sales, communications and more. Login access should be revoked when an employee leaves.

– Collaborative Working Apps/Platforms and shared, cloud-based, remote working platforms e.g. Teams or Slack also contain direct access to company data. Make sure that a departing employee can no longer have access to these groups.

– If the departing employee has a personal voicemail message on the company phone, this will need to be changed.

– A leaving employee will need to return all company devices, and this implies that a company should have procedures in place to keep a record of which company devices have been allocated to each employee.

– Retrieval of any backup/storage media e.g. USBs may also help to prevent some security threats.

– Although it is best to store all online documents in a shared company folder that you have control over e.g. in OneDrive, it is possible that an employee has stored items in separate folders on their computer. Making sure that these are transferred to you or deleted when the employee leaves can help to maintain levels of security.

– Having a policy in place for the regular changing of passwords can work well anyway as a fail-safe but also, changing any passwords shared with multiple members of staff is an important measure to take when an employee leaves.

– If the departing employee was authorised to use company credit/debitcards, changing the PINs for those cards is another step that needs to be taken to maintain security with the company/organisation’s finances.

– Letting the company team/person responsible for IT security know that a person has left, particularly if the person left ‘under a cloud’, is another way that you can help to close security loopholes.

– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved is something that should be done before the ex-employee leaves the premises for the last time.

– If the employee has been issued with physical documents (e.g. a handbook) that contains information and data that could threaten company security, these need to be retrieved when the employee leaves.

– If the departing employee’s email address and extension feature on the website and/or is that employee is featured as being in the role that they are departing from, this needs to be removed from the website.  Also, check that company social media doesn’t indicate that the departed employee is still in their role e.g. on LinkedIn and Facebook.  You may also wish to make sure that the ex-employee doesn’t feature in the business online estate e.g. at the top of the website home page or other prominent pages.

Responsibility of the Employee

It should not be forgotten that employees who leave or retire from their jobs also have a legal responsibility as regards not taking company data with them.  A case in point, from 2019, led to the Information Commissioner’s Office (ICO) to warn those retiring or taking a new job that under the Data Protection Act 2018, employees can face regulatory action if they are found to have retained information collected as part of their previous employment.  The case which led to the warning from the ICO related to two (former) police officers who were investigated under previous Data Protection Act 1998 legislation after it was alleged that they had retained personal data in the form of notebooks that they had used while serving.

The warning in the ICO’s statement was that the Data Protection Act 1998 has since been strengthened through the Data Protection Act 2018, to include a new element of “knowingly or recklessly retaining personal data” without the consent of the data controller (see section 170 of the DPA 2018).

The only exceptions to this new part of the new Act are when it is necessary for the purposes of preventing or detecting crime, is required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or whether it is justified as being in the public interest.

ICO Warning – Retiring or Taking a New Job

The ICO has also warned that anyone who deals with the personal details of others in the course of their work, private or public sector, should take note of this update to the law, especially when employees are retiring or taking on a new job because those leaving or retiring can now be held responsible if the breach of personal data from their previous employer can be traced to their individual actions.

Prosecution Example

Examples of where the ICO has prosecuted for this type of breach of the law include a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his work email account (in February 2017) containing sensitive personal information of 183 people.  Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat.

Moving Forwards

Maintaining the company/organisation’s security (physical, data and financial), are vital to its survival.  Making sure that procedures are in place to cover security in the event of ‘employee exit’ could save the company from preventable threats in the future.

With many people working from home due to coronavirus, research by Check Point indicates that cyber-criminals may be targeting the video conferencing app ‘Zoom’.

Domains

Cybersecurity company ‘Check Point’ reports witnessing a major increase in new domain registrations in the last few weeks where the domain name includes the word ‘Zoom’.  According to a recent report on Check Point’s blog, more than 1700 new domains have been registered since the beginning of the year with 25 per cent of them being registered over the past week. Check Point’s research indicates that 4 per cent of these recently registered domains have “suspicious characteristics”, such as the word ‘Zoom’.

Concern In The U.S.

The huge rise in Zoom’s user numbers, particularly in the U.S. has also led New York’s Attorney General, Letitia James, to ask Zoom whether it has reviewed its security measures recently, and to suggest to Zoom that it may have been relatively slow at addressing issues in the past.

Not Just Zoom

Check Point has warned that Zoom is not the only app that’s being targeted at the moment as new phishing websites have been launched to pass themselves off as every leading communications application.  For example, the official classroom.google.com website has been impersonated by googloclassroom.com and googieclassroom.com.

Malicious Files Too

Check Point also reports detecting malicious files with names related to the popular apps and platforms being used by remote workers during the coronavirus lockdown.  For example, malicious file names observed include zoom-us-zoom_##########.exe” and “microsoft-teams_V#mu#D_##########.exe” (# is used here to represent digits). Once these files are run, InstallCore PUA is loaded onto the victim’s computer.  InstallCore PUA is a program that can be used by cyber-criminals to install other malicious programs on a victim’s computer.

Suggestions

Some ways that users can protect their computers/devices, networks and businesses from these types of threats, as suggested by Check Point, include being extra cautious with emails and files from unfamiliar senders, not opening attachments or clicking on links in emails (phishing scams), and by paying close attention to the spelling of domains, email addresses and spelling errors in emails/on websites.  Check Point also suggests Googling the company you’re looking for to find their official website rather than just clicking on a link in an email, which could redirect to a fake (phishing) site.

What Does This Mean For Your Business?

This research highlights how cyber-criminals are always quick to capitalise on situations where people have been adversely affected by unusual events and where they know people are in unfamiliar territory.  In this case, people are also divided geographically and are trying to cope with many situations at the same time, may be a little distracted, and may be less vigilant than normal.

The message to businesses is that the evidence from security companies that are tracking the behaviour of cyber-criminals is that extra vigilance is now needed and that all employees need to be very careful, particularly in how they deal with emails from unknown sources, or from apparently known sources offering convincing reasons and incentives to click on links or download files.

Google has warned businesses that are tempted to disable or temporarily close their online business website during the coronavirus outbreak not to do so, as this could have a lasting, detrimental effect on its (SEO) search engine  rankings.

Why Disable or Close Down The Website?

The coronavirus outbreak has meant reduced orders for many businesses but has also left many businesses unable to fulfil orders, or in a position where many products are out of stock.  Where the website for these businesses is the online shop, this has led to some business owners deciding to disable or close the website temporarily.

Bad Idea

Although this may sound like a reasonable idea from a practical business perspective, Google has warned that doing so could adversely affect the website’s search engine position in a significant way, even after it has been restored.  Google has advised that an “extreme” measure like removing a site completely from its Google’s index is “a significant change that can take quite some time to recover from”.

Google has also said that there is no fixed time for a recovery from a complete website removal and that it has no mechanism to speed a recovery of a website in its search engine rankings after that site has been taken down and then put back up.

Lose Access To Information

Taking your website down temporarily will also mean that Google’s Search Console verification will fail, you will no longer have access to information about your business in Search, and you will lose potentially valuable data from the Aggregate reports in Search Console (as pages are dropped from Google’s index).

Other Reasons

In addition to damaging the position of a website in Google’s search engine rankings, Google suggests that other reasons why temporarily taking down a website would be a bad idea for a business include:

– Confusing customers.  Customers won’t know what’s happening and may even assume that that business has closed. Also, if Customers/potential customers can’t find first-hand details about you and your products/services and are forced to look for third-party information about your business, this may not be as correct or comprehensive.

– Making it more difficult to gain ground in future.  Restoring a website after a break means having to wait for re-indexing.

Better To Limit Your Website’s Functionality

Google advises that it is better, and less risky (in terms of losing rankings) to simply limit the functionality of your website rather than totally disabling the website without following Google’s best practice advice.  Limiting functionality while retaining search visibility can include disabling the cart functionality, displaying a banner or pop-up to explain the situation to customers, updating structured data and local business structured data, checking the Merchant Centre feed, and telling Google about the updates.  This could mean using the Search Console to ask Google to re-crawl a limited number of pages or using sitemaps to ask Google to re-crawl a larger number of pages e.g. product pages.

Other Advice

Google has issued advice about the proper procedure for situations where businesses feel that they need to disable their website for e.g. a couple of days. See: https://developers.google.com/search/docs/guides/pause-online-business#best-practices-disabling-site .

What Does This Mean For Your Business?

Clearly, disabling functionality while retaining the kind of search engine visibility that it has taken a lot of time (and money) to build up, and is vital to the life of the business is preferable, in most cases, to completely disabling a website without following best practice advice.

If you feel that you must take a site down for a short period, it is certainly worth following Google’s best practice advice when doing so (see the ‘Other Advice’ paragraph above for the link).

The UK government has announced that the UK’s big ISP’s are removing caps on data for fixed-line broadband during the coronavirus pandemic.

Fixed-Line Broadband

The joint announcement by the companies, government and Ofcom will affect fixed-line broadband packages, many of which (apart from discounted packages for people on benefits) already offer unlimited data.

Which Companies?

The welcome move, which has been agreed between the government and ISPs/telecoms companies and is effective immediately, is in addition to any deals that the ISPs have already announced and applies to Virgin Media, Sky, O2, BT (Openreach and EE), TalkTalk, Three and Vodafone. Also removing data caps are Gigaclear, Hyperopic and Kcom (but not for Kcom’s gaming, streaming and downloading media).

More Help

The agreement between the government and the ISPs also includes other helpful measures such as help for those customers struggling to pay bills as a result of the pandemic, moving vulnerable customers to the front of the queue for repairs, and improving mobile and landline package deals.

The government hopes that the deal agreed with the communications companies will help to support and protecting vulnerable customers and older people as well as helping the UK communications network cope with the extra demand, and help people stay connected while staying at home. This, in turn, will help businesses whose employees are working at home, and families who are also likely to need extra capacity.

Welcome, But More Detail Required

Although the deal has been generally welcomed, some have criticised the announcement has lacking detail.

Vodafone Helping The Vulnerable

Last week, Vodafone announced that it is offering 30-days free access to unlimited mobile data for half a million of its Pay Monthly customers as well as upgraded the contracts for those who are categorised as vulnerable. Vodafone is informing eligible customers by text.

Tips From Ofcom

Ofcom’s website offers some general tips on how to ‘stay Connected during the coronavirus’ on its website here: https://www.ofcom.org.uk/phones-telecoms-and-internet/advice-for-consumers/stay-connected

What Does This Mean For Your Business?

Even though many fixed-line broadband packages already offer unlimited data, this is still likely to be a welcome and helpful development both for those working from home and the businesses they work for. Also, the deal is likely to be helpful for families and individuals simply using more data for entertainment while sitting-out coronavirus restrictions. It is also good that vulnerable people have also been considered in the government/Ofcom/ISP deal, and the fact that it is effective immediately.

The criticism, so far, is that despite the announcement, which was widely reported, there hasn’t been much more detail. This may be understandable, however, given that there is a global crisis and that everyone in the UK is currently living under restrictions which are undoubtedly affecting the normal flow of communications in many businesses and organisations.

Microsoft’s collaborative working platform ‘Teams’ is reported to have seen a massive 12 million user boost in one week as a result of remote-working through the coronavirus outbreak, and through Microsoft making the platform generally available through Office 365 from March 14.

What Is Teams?

Teams, announced in November 2016 and launched by Microsoft in 2017, is a platform designed to help collaborative working and combines features such as workplace chat, meetings, notes, and attachments. Described by Microsoft as a “complete chat and online meetings solution”, it normally integrates with the company’s Office 365 subscription office productivity suite. In July 2018, Microsoft introduced a free, basic features version of Teams which did not require an Office 365 account, in order to increase user numbers and tempt users away from competitor ‘Slack’.

Microsoft Teams is also the replacement for Skype for Business Online, the support for which will end on 31 July 2021, and all-new Microsoft 365 customers have been getting Microsoft Teams by default from 1 September 2019.

March 14

Microsoft Corp. announced on March 14 that Microsoft Teams would be generally available in Office 365 for business customers in 181 markets and 19 languages.

Increased To 44 Million Users

The move to make Teams generally available to businesses with Office 365, coupled with a mass move to remote working as a result of COVID-19 has resulted in 12 million new users joining the platform in a week, bringing users up from 32 million on 11 March to 44 million users a week later.  The number is likely to have increased significantly again since 18 March.

What Does Teams Offer?

Microsoft Teams offers threaded chat capabilities which Microsoft describes as “a modern conversations experience”, and built-in Office 365 apps like Word, Excel, PowerPoint, OneNote, SharePoint and Power BI.  Also, Teams offers users ad-hoc (and scheduled) voice and video meetings and has security and compliance capabilities built-in as it supports global standards, including SOC 1, SOC 2, EU Model Clauses, ISO27001 and HIPAA. Users are also able to benefit from the fact that workspaces can be customised for each team using tabs, connectors and bots from third-party partners and Microsoft tools e.g. Microsoft Planner and Visual Studio Team Services. Microsoft says that more than 150 integrations are available or coming soon to Teams.

New Features

Microsoft reports that it has added more than 100 new features to Teams since November 2019.  These include an enhanced meeting experience (with scheduling), mobile audio calling, video calling on Android (coming soon to iOS), and email integration.  Teams has also benefited from improvements to accessibility with support for screen readers, high contrast and keyboard-only navigation.

Walkie-Talkie Phone

In January, Microsoft announced that it was adding a “push-to-talk experience” to Teams that turns employee or company-owned smartphones and tablets into walkie-talkies.  The Walkie Talkie feature, which can be accessed in private preview in the first half of this year and will be available in the Teams mobile app, offers clear, instant and secure voice communication over the cloud.

Competition

There are, of course, other services in competition with Microsoft Teams. Slack, for example, is a cloud-based set of proprietary team collaboration tools and services.  Slack enables users (communities, groups, or teams) to join through a URL or invitation sent by a team admin or owner.  Although Slack was intended to be an organisational communication tool, it has morphed into a community platform i.e. it is a business technology that has crossed over into personal use.

That said, Slack reported in October last year that it had 12 million daily active users, which was a 2 million increase since January 2019.

Slack has stickiness and strong user engagement which help to attract businesses that want to get into using workstream collaboration software but, it faces challenges such as convincing big businesses that it is not just a chat app and that it is a worthy, paid-for alternative to its more well-known competitors like Microsoft’s Teams.

Like Teams, Slack has just introduced new features and has experienced a surge of growth in just over a month.

Another competitor to Microsoft’s Teams is Zoom, which is a platform for video and audio conferencing, chat, and webinars that is often used alongside Google’s G Suite and Slack.  It has been reported that Zoom is now top of the free downloaded apps in Apple’s app store, and Learnbonds.com reports that downloads for Zoom increased by 1,270 per cent between February 22 and March 22.

Real-Life Example – Teams

A real-life example from Microsoft of how Teams is being put to good use is by bicycle and cycling gear company Trek Bicycle.  Microsoft reports how Teams has become the project hub for the company where all staff know where to find the latest documents, notes, tasks relating to team conversations thereby making Teams a central part of the company’s “get-things-done-fast culture.”

Looking Forward

Many businesses are already using and gaining advantages from the speed and scope of communication, project context, and convenience of a cloud-based, accessible hub offered by collaborative working platforms like Teams.  The decision to make Teams generally available with Office 365 for business can only make the platform more popular and the need for companies to quickly set-up effective remote working has stimulated the market for these services and given users a crash-course in and a strong reminder of their strengths and benefits.

The hope by Microsoft and other collaborative working platform providers is that companies will go on using the platforms long after they technically need to in order to deal with COVID19 lockdown and that they will decide to use them going forward to keep improving the flexibility and productivity of their businesses, compete with other companies that are getting the best from them, and guard against excessive damage to the business from any future lockdown situations.