
Consider the following scenario: An employee leaves your company or a virtual team member moves on, and the circumstances have been less than ideal. What do you do to make sure that you keep your company’s (and your clients’) confidential information safe, when someone who is no longer on your team might still have the passwords to the apps you use?

When it comes to collaborative tools such as project management apps, you can usually apply different levels of access to each team member. Still, have you figured out what to do when someone from the team departs?

You have a few options:

  1. Delete their account. But what happens if that account contains data that applies to work you’re still doing, or time reporting you are still running?
  2. Make the account inactive. But does this mean the account still counts against your user quotas, or will it give you an open space to add a new member without increasing your service level?
  3. Change the username and password. But is this really a secure option?

My company’s virtual team (over a dozen people) is using 5pm, so I contacted the company to see what they recommend doing in the situation of a team member leaving and what their service supports. They acknowledged that workers leaving a company is an interesting issue and recommended changing the login email address used on the account and the password. While they suggested using a fake email, I’m thinking that using an alternative email address to which you have access would be a better solution.

5pm’s programmers are able to restore data if you accidentally delete something you didn’t intend to remove, but they also pointed to the “Backup” feature that allows you to pull your data from the cloud onto a computer before you make any changes if personnel has changed. The company is considering an “active/inactive” flag for users, but also said that since their plans are based on the number of users, they were concerned that people might turn this feature on and off to get around upgrading to a premium level.

Curious to see how other project management tools handled the issue of security when a team member departs, I approached Wrike and LiquidPlanner with my scenario as well.

The folks at Wrike suggested that the best way to protect against potential sabotage is to deal first with the issue on the HR and legal side, rather than relying on your cloud vendor. While I agree with this in theory, most startups don’t have an HR department or a legal team to enforce issues, and much of what happens with team members happens swiftly and potentially irreparably in a bad situation. Contracts can’t keep disgruntled individuals from committing sabotage. Wrike has a “merge” feature so you can actually merge the data of one user into the account of another. The account can be kept active with a changed username and password, or removed after merging data to downgrade an account if money is an issue. The Wrike folks also say they have multiple levels of backups and a friendly, helpful customer service team at the ready to assist in a crisis situation to help retrieve lost data or protect an account. They may, however, require a fee to cover the time of their programmers.

LiquidPlanner lets you immediately “disconnect” a user from the collaborative workspace if they leave the team, so a former employee can no longer log in to view or modify the team’s project information. This feature makes their account inactive. This disconnection feature eliminates the need to change a login and password as a stopgap measure. The workspace remains secure. The inactive user’s projects and tasks will remain accessible and intact so the rest of the team can access all the data related to their account. Inactive users do not count against the user quota for a LiquidPlanner account. If you disconnect a user from a workspace at any time and then they return to the team, you can simply invite the same person back into the space by “reconnecting” them.

Before you run into a crisis situation with your project management system, here are a few things to look into today:

  1. Check to see if the apps you use have a way to back up your data.
  2. See what the company recommends in terms of security actions to take if a team member leaves abruptly.
  3. Check if there are fees for restoring data via the company’s main backup system.
  4. Write out your internal plan for keeping your company’s project management space secure.

What is your plan for keeping your collaborative spaces secure?

  1. Oftentimes, a company should retain long-term records of collaboration activities, as they may be needed for legal purposes. http://legal-beagle.typepad.com/wrights_legal_beagle/2009/03/record-keeping-in-financial-markets-to-soar.html

  2. Great topic. A closely related issue is just the plain old fat finger loss of data. In LiquidPlanner we addressed this by building a Trash system so that if someone accidentally deletes your project or task, you can recover it yourself at any time (up until the workspace owner empties the trash that is). Things like item recovery are important features in collaboration systems, which is why shoppers should look closely at usability and finishing touches. A trick I always use when I look at software is to right-click on things; that’s where the features you’ll use down the road often live.

  3. And as a proud user of LiquidPlanner, if I could add to what Charles just wrote and say that the messaging when data is deleted is just great. None of this “Are you SURE you want to REMOVE this? This CANNOT be UNDONE!”. Well, not only is it undo-able, but the LP folks put good humor into their system messages. Such as (after the informative message about why you should reconsider deleting the task, then…):
    “You have successfully deleted [Task name here]. It can be found in the trash if you’re having second thoughts.”

    And there’s lots more nice messaging in there. Puts a little more human into the system.

  4. Good topic! We have been asked this quite a number of times and have built in an enable/disable option within DeskAway. Additionally, once you have re-assigned that team member’s tasks, issues etc., you can easily remove the user from the system.

  5. An interesting response from Wrike, which mostly gives me the impression that they’re not too concerned about what *your* problem is, so long as it’s not causing them any. If I was looking at collaborative software I would certainly avoid them now!

    Most helpful response seems to be that of LiquidPlanner – maybe because they’ve obviously already covered that situation in their app. Seems to be that they’re looking at it from a user’s point of view, which is certainly commendable.

    As I inferred above, I’m not a user of collaborative applications such as these, but I know in whose direction I would be walking based solely on their responses to this issue!

  6. [...] Protect Your Company’s Collaborative Spaces – You need to be prepared to lock out former workers from your online network once they leave. Good article from the people at GIGAOM [...]

  7. Hi Daryl,

    Don’t get me wrong – we’ve helped multiple clients in cases like that and have always been very responsive. I’d be happy to provide references. My comment was more of an observation that we shouldn’t forget about old, proven methods, even in the web world.

    When it comes to cases like the one Aliza referred to in her email, it’s better to take a 360 approach. Merely changing a password for a cloud service is not going to solve the problem of a disgruntled employee. What if he has a copy of your confidential data? It doesn’t matter how he or she got it – through dead trees, local area network, digital camera or cloud service. What matters is what then happens with the data. There’s not even a need for data; what if an ex-employee harasses you by calling your clients? Or what if she files a lawsuit?

    One of the most recent public stories of employee-employer conflict can be followed here:
    http://www.techcrunch.com/2009/06/11/tesla-founder-sues-ceo-elon-musk-for-slander-and-breach-of-contract/
    http://www.techcrunch.com/2009/06/22/tesla-ceo-elon-musk-sets-the-record-straight-about-pending-lawsuit/
    http://www.techcrunch.com/2009/08/19/lawsuit-against-tesla-dropped/
    Martin’s passwords were most likely turned off, but it didn’t prevent the follow-up story. I’m not an insider there and not taking any sides. What I’m saying is that since this post is intended to help SMBs to prevent bad things from happening, it’s never bad to reiterate the importance of basics: treat your employees well and have correct HR and legal policies in place. I don’t know about the rest of the world, but in Silicon Valley start-ups can often fund legal expenses through equity or deferred fees. Also, most likely there’re $20 Nolo books on the subject, free legal advice on the web and other sources. So you don’t have to be Fortune 1000 to properly operate your business.

    Cheers,
    Andrew

  8. Aliza,

    Thank you for approaching us with your questions. Our answers in your post don’t look too detailed, though, so I’d like to elaborate on them. First of all, when one of your people leaves the team, Wrike makes it really easy for you to revoke a license and then grant it to another employee. It allows our users to save money, since they don’t need to purchase a new license, but can use the one they are already paying for. When a license is revoked, the former user does not have any access to the corporate data, as his/her account is deleted. You can always export the users’ data to Excel in one click. All these features make it really easy for our users to deal with the situation when a team member departs, even without addressing our friendly support team. Yet we know that in real life, each customer’s requirements may differ (Daryl mentioned this fact in his comment). We care for the unique needs of each customer, and we are ready to help in the shortest time possible (usually it’s less than 24 hours).

    Daryl,

    Thanks for your comment. You’re absolutely right that the security issue is very important when you choose a project management solution. It’s almost as important as the solution’s feature-set and price. Yet it will never be the only factor. No doubt that when you’ll be comparing the two applications, you will try to test drive all the features first and see whether they indeed give you the desired level of security, or whether it’s just smart marketing talk. Wrike’s level of security and unique project management features are recognized by thousands of companies around the world. You’re more than welcome to try our solution for free at http://www.wrike.com and examine Wrike’s level of security and customer support.

