Regardless of the reason for the departure, an employee leaving a company has a considerable impact, and dealing with that loss involves much more than simply hiring a suitable replacement.
Millennials – those born between the early 1980s and the early 2000s – became the majority of the U.S. workforce in 2015, and are altogether less likely to stay at a single job or company for extended periods of time. According to this survey of over 3,000 employees, conducted in November and December of 2014, 30% of respondents regularly searched for new jobs, and 23% of employees aged 18-34 expect to have a new job by the end of the year.
The hard truth of it is, employees are going to leave your company. It’s inevitable, and it’s something every company has to deal with. Of course, you should do all that you can to retain good employees – direct replacement costs can reach as high as 50-60% of an employee’s annual salary.
Aside from the financial issues, the security of your company and its data can also be at risk when employees leave. This risk, however, is something that can be prevented, and yet it is an area in which many companies are poorly informed. In the rest of this post, we’ll discuss some of the security implications when SharePoint users leave your organization, and the procedures you can put in place to prevent damage and risk.
The Dangers of Sensitive Content
When SharePoint users leave an environment, the content they have generated needs to be dealt with correctly to ensure it doesn't breach any data management regulations. A 2013 study by the Ponemon Institute found that half of surveyed employees who lost a job in the past year had kept hold of confidential information, and around 40% planned to use intellectual property in their new jobs.
These statistics may paint these ex-employees in a bad light, but when you consider that 68% of respondents said their previous employers didn’t take any steps to ensure information wouldn't be taken, we can see there is an overall lack of know-how about dealing with sensitive content once it no longer has a clear owner.
When someone leaves your organization – no matter how long they’ve been there or how senior their role – you need to secure any confidential files and data related to that user, tracking who is accessing it and where it might be going.
User Profiles and MySites
Each SharePoint user will have their own profile containing detailed information regarding themselves and their organizational role. Each profile organizes and displays all of the properties related to that user – social tags, documents etc. – to keep users informed on what happens within their company.
When this user is no longer active, however, this information needs to be addressed and dealt with correctly. The User Profile service application can be managed by an individual administrator, or a series of admins that are in control of different areas of the application (MySites, Social tags etc.).
Microsoft has a detailed description of how profiles are deleted in both SharePoint Online and OneDrive for Business. The process begins once a work or school account is deleted from the Azure Active Directory (AD); it’s a detailed process that hinges on the MySite Clean Up Timer Job – the ins-and-outs of which can be found here. But we’ll give you the essence of the process:
When a SharePoint user is deleted from Azure AD, they will be missing from the next user profile synchronization, but their personal MySite will remain. Once SharePoint detects that the user profile is missing, the following happens when the MySite Clean Up Timer Job runs:
- The manager listed on the user’s profile (as imported from AD) will be made the secondary Site Collection Administrator of the personal MySite by default.
- The manager will be sent an email with a link to the MySite.
- The profile will then be deleted immediately.
- 14 days later, their personal MySite will be deleted automatically. This allows time for the manager to retrieve any content stored on the MySite before deletion.
Pro Tip: There's no way to change the 14-day deletion timing period – it’s hard-wired into the MySite Cleanup Timer Job. For changes to be made you must replace the MySite Cleanup Timer Job with a custom-built version.
Taking control of the user profile in this way ensures that any important or sensitive content is identified and can be stored accordingly. However, this first requires the account to be deleted from Azure AD, which is a manual process. As the cliché goes, you can’t be too careful – to ensure sensitive information is not shared outside of the organization (by current or ex-employees), Data Loss Prevention (DLP) policies should be implemented.
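The cleanup process above only works as intended if the leaver's profile actually has a manager and someone is in a position to retrieve content within the 14-day window. The script below is an added example (not code from the original post or from Microsoft) of how an administrator might run the manual part of the process defensively: confirm a manager exists, make that manager a site collection administrator of the leaver's OneDrive (the SharePoint Online MySite) explicitly instead of relying on the timer job, and only then delete the Azure AD account. It assumes the SharePoint Online Management Shell and the AzureAD PowerShell module are installed and that the caller has SharePoint and user administrator rights; the tenant name, UPNs and the OneDrive URL mapping are placeholders and assumptions to confirm in your own tenant.

```powershell
# Added example: offboard a leaver's SharePoint Online / OneDrive content
# before the MySite Clean Up Timer Job runs. Not from the original post.
# Assumes: SharePoint Online Management Shell + AzureAD module; admin rights.
param(
    [Parameter(Mandatory)][string]$LeaverUpn,    # placeholder, e.g. jane.doe@contoso.example
    [string]$TenantName = 'contoso'              # placeholder tenant name
)

Connect-AzureAD | Out-Null
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 1. The cleanup job hands the MySite to the manager recorded on the profile.
#    With no manager there is nobody to receive the 14-day retrieval window,
#    so stop here and fix the directory first.
$leaver  = Get-AzureADUser -ObjectId $LeaverUpn
$manager = Get-AzureADUserManager -ObjectId $leaver.ObjectId
if (-not $manager) {
    throw "No manager set for $LeaverUpn - populate the manager attribute before deleting the account."
}

# 2. Locate the personal site. The conventional OneDrive URL replaces '@' and
#    '.' in the UPN with '_'; this mapping is an assumption - verify it if your
#    tenant uses a different MySite host or naming scheme.
$personalPath = $LeaverUpn -replace '[@.]', '_'
$oneDriveUrl  = "https://$TenantName-my.sharepoint.com/personal/$personalPath"
$site = Get-SPOSite -Identity $oneDriveUrl -ErrorAction Stop
Write-Host "Personal site found: $($site.Url) ($($site.StorageUsageCurrent) MB in use)"

# 3. Grant the manager site collection admin explicitly, so content can be
#    reviewed and moved now rather than after the timer job has already run.
Set-SPOUser -Site $oneDriveUrl -LoginName $manager.UserPrincipalName -IsSiteCollectionAdmin $true

# 4. Delete the work/school account; this is what starts the profile removal
#    and the 14-day MySite deletion countdown described above.
Remove-AzureADUser -ObjectId $leaver.ObjectId

# Leave an audit record of who now holds the content and when the clock started.
[pscustomobject]@{
    Leaver          = $LeaverUpn
    OneDriveUrl     = $oneDriveUrl
    SecondaryAdmin  = $manager.UserPrincipalName
    AccountDeleted  = (Get-Date).ToString('o')
}
```

Run it once per leaver (for example `.\Offboard-SharePointUser.ps1 -LeaverUpn jane.doe@contoso.example`) and keep the emitted record with your offboarding ticket; the 14-day deletion is not configurable, so the record is the only reminder of when the MySite will disappear.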
Data Loss Prevention
Data Loss Prevention is the set of controls that makes sure end users do not send sensitive or critical information outside of their organization. This is done by delegating access and permissions to specific users to prevent them from sharing data (accidentally or otherwise) whose disclosure could endanger the organization. There are a total of 51 sensitive information types that are ready to use in your DLP Policies.
Microsoft extended DLP to SharePoint Online and OneDrive for Business in September 2015, increasing the protection of data found in Exchange and Outlook to cloud-based tools. DLP policies for SharePoint Online and OneDrive for Business can be set up from the Office 365 Compliance Center.
DLP policies allow for the identification and monitoring of content in Office 365, OneDrive for Business, SharePoint, and the Exchange Admin Center, providing a holistic view of content company-wide. Across all sites, you can identify documents that are shared with people outside your organization, and automatically block access to that document for everyone bar the site owner.
By implementing these policies after employees have left, you can ensure they cannot take any sensitive information with them or try to retrieve it at a later date. DLP policies are also able to educate – if a user unintentionally tries to share a document containing sensitive information, a DLP policy can both send them a notification alerting them to their mistake and show them a policy tip in the context of the document library.
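The policy behaviour described in this section (detect sensitive content shared with people outside the organization, block access for everyone except the owner, notify the user and show a policy tip) can be created from the Security & Compliance PowerShell as well as from the Compliance Center. The following is an added example, not code from the original post or from Microsoft, using the `New-DlpCompliancePolicy` and `New-DlpComplianceRule` cmdlets. It assumes the ExchangeOnlineManagement module (for `Connect-IPPSSession`) and Compliance administrator rights; the policy name, rule name and incident report recipient are placeholders, and the two sensitive information types used are two of the built-in ones the post refers to.

```powershell
# Added example: DLP policy for SharePoint Online and OneDrive for Business.
# Not from the original post. Assumes ExchangeOnlineManagement module and
# Compliance admin rights. Names and the report recipient are placeholders.
Connect-IPPSSession

$policyName = 'Leaver-SensitiveContent-External'        # placeholder
$reportTo   = 'compliance-team@contoso.example'          # placeholder mailbox

# Scope the policy to every SharePoint site and every OneDrive account.
# Start in test mode: the rule is evaluated and users see tips, but nothing
# is blocked yet, so false positives surface before access is cut off.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect and block external sharing of sensitive documents (offboarding control)' `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: built-in sensitive information types, matched only when the item is
# shared with people outside the organization. Block everyone but the owner
# (site admins keep access), tell the owner and last modifier, show a policy
# tip in the library, and send an incident report for investigation.
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                 minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)';  minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This document contains sensitive information and cannot be shared outside the organization.' `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# Confirm what was created before switching it to enforcement.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, NotifyUser
```

Once the incident reports show the rule is matching what you expect and nothing else, switch it on with `Set-DlpCompliancePolicy -Identity $policyName -Mode Enable`. Going straight to `Enable` on a tenant-wide policy is the usual way to lock legitimate users out of their own documents on day one.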
Goodbye, Not Good Riddance
Of course, the aim of this post hasn't been to scare you into thinking all your employees are out to steal as much data as possible on their way out the door. If you employ the right people, then the above should remain as precautions, and nothing more. Nonetheless, there are a number of ways SharePoint can protect you when employees leave, so there are no hard feelings left on either side.
Tell me, what policies are in place for departures in your organization?