- September 21, 2021
- Posted by: admin
- Category: Backup
Employee termination is a painful activity that needs to be handled with care. Threats to business data are not just external but can be from internal sources too. Incidents like breaches, malicious hacks, or data leakage tend to take prominent space in news headlines. But every organization suffers data loss due to insiders – which could many times be as severe or worse.
Organizations need to be particularly careful during employee termination when parting ways with employees. Employees who believe they are being terminated unfairly could hold a grudge and make attempts to retaliate while they still have access. The reason for such terminations may vary, but what matters is that the employee’s data is protected at all times.
But despite an employer’s best efforts, unfriendly employee exits can be tough and lead to unpredictable consequences. Disgruntlement or perceptions of unfair treatment can drive such employees to retaliate by taking passive-aggressive actions like:
1. Not returning their company asset (laptop etc.)
2. Returning the asset after having wiped all data
3. Deleting data in cloud accounts such as OneDrive or Exchange
There is also the matter of effectively dealing with the data that belongs to an ex-employee. Even after employee termination, it needs to be remain protected, retained for the right amount of time, and made available to the organization as required.
How effective Backups can help during an employee termination
In case of employee termination, a comprehensive data backup solution is one of the best defenses organizations can have in place. Having a reliable and regular data backup of employee data both of their devices, and of their cloud accounts is an excellent way to hedge against such undesirable behavior. But good backup solutions do more. Solutions like BluVault provide well-thought-out features specifically to handle employee termination.
BluVault offers a range of built-in features to close data protection gaps further during employee termination.
1. Backup Schedules and Frequency:- There are several proactive measures that an IT administrator can take during employee termination or when they are serving out their notice period. One approach is an on-demand forced full data backup from the device. Another could be to simply increase the frequency of backups for such employees – to avoid missing out on any deleted data. And not to forget, for some sensitive cases, perform these activities in non-interfering stealth mode.
BluVault offers this capability to the administrators through policies that can be configured to adjust the frequency of backups. Backups can be scheduled to run even several times a day if required.
2. Stealth mode backups:- It is also possible to turn on ‘stealth mode’ for BluVault’s endpoint agent. In stealth mode, BluVault doesn’t advertise its presence to the end-user but runs silently. The system tray icon is dispensed with, and it also removes any traces of itself out of Windows Programs & Features. The possibility that a disgruntled user serving employee termination might tamper with the endpoint agent, by trying to stop/exit the agent, or uninstall the software is vastly minimized.
3. Litigation Hold:- BluVault also has a built-in litigation hold feature, which is typically used in cases where there is a demand for information from an attorney or a judge. Once a user is placed in a policy with Litigation Hold turned ON, BluVault automatically suspends any policy-based data deletion – in other words, data retention becomes infinite, which means all backed up data is retained forever. The BluVault endpoint agent also begins to backup all folders on the endpoint system, as opposed to only those specified by the policy.
4. User blocking:- When an employee leaves the organization after employee termination, IT administrators would like to free up their backup license so it can be re-used for another user. But what if their data needs to be restored at a later date? BluVault allows administrators to preserve the user and device devices, as well as all backed up data even without a license. A license is required only at the time a restore is required.
To do this, the administrator can use the BluVault portal, go to the Users shortcut, select the user in question and simply ‘Block’ the user. If using BluVault in conjunction with Active Directory or Azure Active Directory for user provisioning, simply removing the user from the respective Active Directory or Azure Active Directory security group is all that is needed.
5. Data migration:- Data Migration is an extremely helpful feature when BluVault is set up to back up device data to an individually licensed storage allocation like OneDrive for Business. BluVault has the unique ability to backup end-user data to their respective OneDrive for Business storage allocation. However, when the employee leaves the organization, and their Microsoft 365 license expires, the business has about 30 days during which Microsoft allows the organization time to retrieve any data they require from the terminated account. If the BluVault backups are stored on OneDrive, it is important to ensure that those backups are relocated to a safe target for subsequent restores.
BluVault includes a neat feature called Data Migration which will move all backup data for a given user out of their OneDrive for Business account into a central OneDrive repository supplied by the organization. This process is irreversible once started and results not just in moving the backup data, but also updates all data pointers in BluVault’s meta-data catalog to refer to the new backup location.
In order to use the Data Migration feature, it is important the user is first in a Blocked state (as described in the previous section). Once this is done, the administrator can use the BluVault Portal, navigate to Settings -> Data Migration to use the feature.
6. Device reassignment:- Now, the user has left the organization, the username has been blocked in BluVault – so their devices and data are preserved. What if you wish to now access the data? One way is to simply assign back a user license temporarily to the blocked user so that a one-time data recovery or download can be accomplished.
But what if the organization wishes to keep the data preserved in BluValt, but provide access to that data to another employee in the organization? Perhaps the ex-employees supervisor, or someone who has replaced them in that position?
BluVault offers a simple solution. The BluVault administrator can simply transfer ownership of the backup data to an alternate user. This alternate user to whom the device is reassigned gets the options to view, access, and download/restore backed-up data from the device – just as the original user would have. This feature ensures backup data is available to multiple users at once while eliminating any impact on business operations due to employee separation or a prolonged leave of absence.
Device reassignment does not require an additional user license but is allowed for a limited number of users at a time (typically 10% of the total BluVault license count).
For a user’s device to be re-assigned, the user first needs to be in a Blocked state – as described above.
7. Administrative delete:- When an enterprise performs backups from a business laptop or desktop, it is possible that an employee’s personal data may also inadvertently get backed up. When (or after) an employee leaves an organization, it is possible that they ask for such data to be purged. Recent regulations focused on individual privacy (such as the GDPR) have empowered citizens/individuals with such rights as the “Right to be forgotten”.
It is therefore important for a business to be able to review and satisfy such requests. Unless a backup solution has been designed to keep user data insulated and allow such surgical removal – this could well prove to be an impossible task.
BluVault enables businesses to be prepared to manage such Right To Be Forgotten requests effectively and efficiently. BluVault’s Administrative Delete feature allows an administrator to navigate down into a device into folders, sub-folders, specific files, and even file versions – in order to selectively delete any personal data. All such surgical data removal operations through the Administrative Delete feature are permitted only by authorized administrators, and all actions are audit logged for compliance.
These are just a few thoughtful features that are built into BluVault to make employees termination process data-protection friendly. We are of the strong belief that enterprise-class backups should do much more than simply make second copies of your data – they should actually make an administrator’s job easier.