When an employee leaves your company, it's important to properly manage account deactivation while retaining user files. This article provides best practices for using Code42 to keep company data secure and to shut off access in the event of employee departures.
For additional Code42 best practices to protect your company from data loss, see Code42 Next-Gen Data Loss Protection best practices.
- The procedures described here are suggestions, not requirements, for using Code42 to handle employee departures at your organization. Be sure to adjust the tasks described in this article as needed to work in accordance with your company's own processes for offboarding employees.
- You must have the Customer Cloud Admin role to perform the tasks in this article.
- Many of these tasks can be performed using the Code42 API. If you have a standard offboarding scripting procedure, you can add the Code42 API tasks to the script.
Step 1: Check for file exfiltration
Departing employees often attempt to take files with them. Code42's File Exfiltration Detection provides monitoring tools that give you visibility into related activity, such as unauthorized movement of files offsite. After setup, monitoring operates in the background and provides alerts to notify you when the suspicious activity occurs.
The following Code42 features help you monitor and view file movement:
Endpoint monitoring uses the Code42 app to capture file activity on each device in real time, helping you identify the following types of potential data leaks or security problems:
- Removable media
- Personal cloud
- Application activity (file upload and download)
- Pattern matching
Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.
Use the Security Center to visualize the data collected by endpoint monitoring.
See Endpoint monitoring for additional information.
When you first learn of an impending employee departure, set up activity notifications for the employee to monitor file activity detected by endpoint monitoring and receive an email notification when suspicious activity occurs.
See Configure activity profiles in Security Center for additional information.
User activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of normal activity that helps you identify spikes in file movement that signal abnormal activity. You can export the results to a CSV file for analysis or archiving.
See Security Center reference for additional information.
Forensic File Search
Forensic File Search provides detailed visibility for Code42 administrators about files on user devices, including files not selected for backup. Using Forensic File Search, administrators can search file metadata to gain a clearer understanding of an employee's file activity in the time leading up to their departure.
Forensic File Search helps you to quickly answer questions such as:
- Is there file activity that looks like malicious activity?
- Is there evidence of covering up malicious activity?
- Does the employee have a specific file, or did the employee previously have it?
See our use case to learn how to use Forensic File Search with departing employees.
See Configure Forensic File Search for additional information.
Step 2: Retain the departing employee's files
Before you deactivate the user who is departing, determine which of the following methods you'll use to retain their files:
Retain archives in cold storage
When users are deactivated, their backup archives go into cold storage. Cold storage is a temporary holding state for archives after they are deactivated but before they expire and are permanently deleted. Archives in cold storage are similar to files in your computer’s Recycle Bin or Trash. A user who has an archive in cold storage still consumes a user subscription. Administrators can retrieve archives from cold storage throughout the cold storage retention period.
See Cold storage for more information.
Add the user to a legal hold for departed employees
Add the user to a departed employee legal hold matter using Code42's Legal Hold web app. The benefits of this method include:
- It extends the data retention period beyond the default cold storage period
- It allows you to be proactive in the event of a lawsuit that involves the user
See Configure a legal hold for additional information.
Download the departing employee's files
Using the Web Restore screen in the administration console, download the departing employee's files to a target device. Then you can retain the files as long as necessary. For example, you can perform a web restore to the device of the departing user's manager so they can reference past work or complete in-progress projects.
See Restore files from the administration console for more information.
Step 3: Deactivate the user
When an employee leaves, you must either manually deactivate the user, or if you have SCIM provisioning, deactivation happens automatically when you offboard the user via provisioning. When you deactivate a user, the user is signed out of all devices and online sessions, and the user cannot sign in to any part of your Code42 environment (either the Code42 app or the administration console).
When you deactivate a user, all of the user's backup archives go into cold storage. Archives in cold storage do not continue to back up, do not undergo regular archive maintenance, and by default will be deleted after a set number of days. (The cold storage quota may be configured differently for the user's organization.) To keep backup archives longer than the set cold storage period, see Retain a departing employee's files, above.
See Deactivate and reactivate users and devices for more information.