KPM

Help Prevent Customer List Theft In Your Organization

Customer lists are crucial to your business’s financial success. Most employees understand that, and some are even tempted to take lists with them when they leave. They may even sell them while still employed.

Employees could potentially abuse their legitimate access to forward or download customer data. Other methods include copying unsecured files left out on a desk. Consider the following 10 questions to help keep customer details out of the hands of dishonest employees:

1. Who has access to your customer list? Ideally, only employees with a defined business need should have access. Formal access controls also help prove that the company did its part to keep the customer list confidential.

2. Are there tiers of access? Not every element of your customer list may be needed by every employee granted access. Consider blocking sensitive data on a role-based or need-to-know basis.

3. Do you review access regularly? Many companies conduct quarterly reviews, but the right frequency depends on your risk level. Be sure to update access immediately when employees change roles or leave.

4. Who has edit rights? Look at who’s allowed to change customer data — and how. For example, can anyone update or delete customer records? If so, is there an audit log that records such activity, and do you routinely review it?

5. Can employees export the list? Depending on your software, employees may be able to print, download, or email the list. Is it possible to block such activities? Can you prevent screenshots? If not, consider prevention tools or restricting on-screen views to limit what can be captured in a single screenshot.

6. Are workers trained to protect customer data? Without training, some employees may inadvertently share customer data with unauthorized parties, such as vendors. Make sure staffers know your data-sharing policies.

7. Have you thought about mobile device access? If workers can access customer data on their own or work-provided mobile phones, that data could be vulnerable to theft. Consider prohibiting certain types of access or installing stronger security on devices.

8. What about independent contractor access? Providing short-term access to customer data is sometimes necessary. Make sure you have a strict access review policy in place for contractors and other external parties.

9. Have some employees signed customized agreements? Consult legal counsel about whether key employees should sign confidentiality or nondisclosure agreements, and whether noncompetes are enforceable in your state. Such agreements can strengthen your ability to pursue legal remedies if an employee steals data.

10. Do you follow a formal offboarding process? When an employee leaves your company, collect all company-owned devices and secure their data. Remove the terminated worker’s admin rights to your systems and deactivate logins and passwords. It might also make sense to audit their recent network activity to identify any unusual access or downloads.

To keep customer relationships under your control, establish strong access policies and follow them. Contact us for help with internal controls or if you suspect data theft.

Get Help From an Expert
Mike Nelson, CPA, CFE, CVA | Manager
Have questions about this article? Our team is ready to help.