Last week, I discussed how some people feel that open-source-based networks are more secure than Windows-based networks, largely because of higher employee retention at companies with open-source platforms. I also discussed some factors involved in employee retention, as well as how poor employee retention can adversely affect a company's best practices. I received numerous responses to that editorial, many claiming that I had identified the primary reason they change jobs: lack of creative freedom.
In response to the claim that open-source-based networks remain more secure than Windows-based networks, Microsoft said in a roundabout way that the answer to a more secure Windows-based network is through best practices. When you visit Microsoft's security site, you'll find several links to best practices that teach how to form strategies and how to monitor and secure your networks. But you won't find any information about how to secure your employees' participation in your company for any great length of time so that those practices can become more effective.
All companies are interested in finding and keeping good employees, and how they accomplish that is relative to the company's philosophies, budgets, and management structure, so I can't offer a lot of specific advice. In general, competitive pay and relative creative freedom are two factors that significantly affect employee retention.
If keeping good employees helps reduce a company's overall security risks, what happens when employees do leave the company? Have you considered the additional security risks involved when an employee departs? Many employees leave a company disgruntled to some degree, and therein resides an often-overlooked risk: the potential for retaliation.
Most companies develop a number of processes for bringing an employee into the company, but fewer companies develop adequate processes for exiting an employee from the company. In my opinion, these tasks are equally important. Does your company have employee exit procedures? Do you conduct exit interviews with employees as part of those procedures? Do you clearly state (perhaps in writing) in the exit interview when any or all of an employee's rights are officially terminated?
If you don't tie up such loose ends quickly, the risk associated with employee departure increases dramatically. A recent news story quoted the FBI in San Francisco as saying that at any given moment, it is actively working on 40 to 50 cases where disgruntled ex-employees have retaliated by hacking into the company network. Adequate exit procedures that include immediate removal of all credentials, exit interviews, and employee rights termination notices might help curb retaliation in many instances.
If nothing else, exit interviews help to determine an ex-employee's attitude about leaving. And specifically informing employees that they no longer have the right to access company resources might cause them to think twice before giving in to any retaliation impulses.
If your company doesn't have exit procedures that include an exit interview, consider the need to adopt such policies. This precaution might save you a lot of headaches down the road. Until next time, have a great week.