BYOD when someone gets fired

: @orinthomas

If a person is fired from an organization, you want to restrict their access to information as quickly as possible. Locking them out of their work computer and email is straightforward, a matter of disabling their logon account. If you control their work computer, you can quickly control their access to sensitive material. If they have a company issued laptop computer, you’ll have a procedure in place to get them to hand it over immediately.

Things are more complicated in BYOD scenarios. A big fear in many sales departments is the idea of a salesperson wandering off with the contacts database. If the salesperson is using their own computer all the time, the question arises:

“What right does an organization have to purge data from a person’s personal computer that they use for work?”

This is something that you probably want to get locked and stowed before you introduce BYOD into your organization. Come up with a policy for how to deal with the user who gets fired but also has a substantial store of sensitive company information stored on their personal computer.

It isn’t as though these issues haven’t existed in the past. Many people have a home computer that they might work from by using a VPN to connect to the office, and telecommuting has its own set of challenges in terms of securing sensitive data.

The main difference is that a BYOD computer that is used every day at the office for work purposes over the course of months or years is going to have substantially more sensitive organizational data stored on it than a computer used for an occasional telecommute.

So what do you do when someone who has been bringing their own device to work on at the workplace for the last few years is let go? Let them wander off without some type of audit to determine what organizational data is on their machine? Or, in allowing a BYOD policy, is an organization assuming that it is impossible to control the movement of sensitive data outside the organization and not bothering to try to stem an unstoppable flood?

Comments (2)

on Feb 29, 2012
From my experience, disabling an account does not immediately restrict access to all network resources. Certain systems like Outlook Web Access will let a user log in with a disabled account and a reset password for hours after the fact due to cached IIS tokens. It's always a good idea to test your departed/terminated user policy even if you do not have a BYOD policy in place.
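The commenter's point above is that "disabled" is not the same as "cut off". As an added example (not from the original post or its author), here is a PowerShell check that verifies the pieces of a departed-user procedure that disabling alone does not cover; it assumes the RSAT ActiveDirectory module, and the user name and cutoff time are constructed placeholders.

```powershell
# Added example: verify that a terminated user's AD account is actually locked
# down, rather than assuming that disabling the account is enough.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Test-TerminatedUser {
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [datetime] $TerminationTime   # when access was meant to end
    )
    $u = Get-ADUser -Identity $SamAccountName `
        -Properties Enabled, PasswordLastSet, LastLogonDate, MemberOf

    # Each check is a named finding; $false means the procedure was not fully applied.
    $checks = [ordered]@{
        # Disabling stops new interactive logons.
        AccountDisabled = (-not $u.Enabled)
        # A password reset after termination invalidates credentials cached on a
        # personal device you do not control; disabling alone does not do that.
        PasswordResetAfterTermination = ($null -ne $u.PasswordLastSet) -and
                                        ($u.PasswordLastSet -gt $TerminationTime)
        # Group removal cuts access granted through groups (shares, apps, VPN).
        NoGroupMemberships = ($u.MemberOf.Count -eq 0)
        # Any logon after the cutoff means the lockout did not hold.
        # Caveat: LastLogonDate comes from lastLogonTimestamp, which replicates
        # with a delay, so query each DC's lastLogon if you need precision.
        NoLogonAfterTermination = ($null -eq $u.LastLogonDate) -or
                                  ($u.LastLogonDate -le $TerminationTime)
    }

    [pscustomobject]@{
        User     = $SamAccountName
        Passed   = -not ($checks.Values -contains $false)
        Findings = @($checks.GetEnumerator() |
                     Where-Object { -not $_.Value } |
                     ForEach-Object { $_.Key })
    }
}

# Example run (user name and cutoff time are constructed placeholders).
Test-TerminatedUser -SamAccountName 'jdoe' -TerminationTime (Get-Date '2012-02-29 09:00')
```

Even when every finding passes, sessions that were already authenticated (the cached OWA tokens the commenter mentions) can outlive the change, so the test of the procedure is a logon attempt from the departed user's device type after the cutoff, not just the directory state.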
AG4IT (not verified)
on Feb 29, 2012
It's possible to address security concerns and still implement BYOD. What's needed is to separate the Enterprise apps and data from the personal devices. This can be achieved with a solution like Ericom's AccessNow, a pure HTML5 RDP client that enables remote users to securely connect from various devices (including iPads, iPhones, Android devices and Chromebooks) to any RDP host, including Terminal Server (RDS Session Host), physical desktops or VDI virtual desktops and run their applications and desktops in a browser. This keeps the organization's applications and data separate from the employee's personal device. All that's needed is an HTML5 browser. No plug-ins or anything else required on the user device. AccessNow also provides an optional Secure Gateway component enabling external users to securely connect to internal resources using AccessNow, without requiring a VPN. For more info, and to download a demo, visit: http://www.ericom.com/html5_rdp_client.asp?URL_ID=708 Note: I work for Ericom

What's Hyperbole, Embellishment, and Systems Administration Blog?

IT pro Orin Thomas provides true tales, snafus, news, and urban legends for Microsoft Windows system administrators.

Contributors

Orin Thomas

Orin Thomas is a contributing editor for Windows IT Pro and a Windows Security MVP. He has authored or coauthored more than a dozen books for Microsoft Press, and he writes the Hyperbole,...