Last Thursday's 10 important categories of employment transition security discussed several areas where a business should spend some time considering, developing, and implementing security measures related to employment transitions. The period of transition, from just before to a few months after an employee leaves an organization for any reason, can be a period of increased vulnerability for the organization's information technology resources.
There is another side to the coin, however. There's job security, of course, though that isn't the kind of "security" we'll discuss here. Matters of information technology security are not entirely one-sided, after all; individual employees have such concerns as well. Matters of privacy are particularly important to consider as an employee, in case of future employment transitions. After all, privacy is security.
A simple list of ten ways to help safeguard your privacy in particular, and security in general, in the event of leaving an employer for any reason, follows. It includes some common sense advice that may seem obvious to some, but at the same time — human nature being what it is — we may often be tempted to ignore the advice when it becomes convenient to do so. Hopefully, having a list spelled out for you will help remind you what you should do to protect yourself, and that sometimes what seems like it is for someone else's benefit may actually help you as well.
- Don't violate company policies. I'm not a fan of arbitrary rules and overly restrictive behavioral policies myself, but that doesn't mean you should violate rules set by the employer and your immediate supervisor whenever you feel like it. Not only can this potentially cause problems for the employer and hasten the approach of any potential loss of employment there, but it can also give the employer more reason than usual to invade your privacy where the law and corporate policy allow. Remember that the more you violate company policy, the more scrutiny you're likely to attract if you get fired or laid off — or even if you leave on what look like good terms from your perspective. Even if they only find some minor hint of policy violations a month after you leave, this may lead to a more in-depth examination of what you have left behind, and potentially to attempts to gain legal access to information about your life outside of the workplace in a worst-case scenario.
- Don't log instant messages. If you are allowed to use any of the various IM networks at work, it is best to keep any messages unrelated to work from being logged on company resources — such as the computer on your desk. Comments made about frustration in the workplace can come back to haunt you if found lingering on the hard drive, and a laissez-faire policy in good times may turn into a fishing expedition for incriminating statements you may have made when your name comes up in the list of people to lay off. If anything suggestive of misbehavior on your part comes to light, this may lead to further investigations, prying into your private communications even more. It's best to just avoid leaving tracks, even if they seem innocent now, because of how they may be interpreted under other circumstances.
- Use encryption for private communications. If company policy allows for private communications from the company network, it may be a good idea to encrypt everything so that potentially embarrassing private emails and IMs will not be logged by network traffic monitoring systems, in addition to ensuring you do not leave such communications lying around on the hard drive when you're done with them. Otherwise, the content of those communications may end up on some hard drive over which you have no control at all, archived in perpetuity. Even if you have an IT department role that allows you access to the logging servers, it is best to minimize the number of places that such information gets stored in plain text.
- Don't trust everything to encryption. While encryption tools are a great resource for protecting privacy, they are not a silver bullet. It is always possible that encrypted communications may be later decrypted, whether because the encryption scheme is cracked at some future point or because you don't have a chance to clear your encryption keys from your workstation before being escorted out of the building, allowing someone cleaning up in your wake can get his or her hands on those keys and possibly crack whatever passphrase you use to apply the keys to encrypt and decrypt.
- Don't bring your private encryption keys to work. Using public key encryption schemes such as any of the several options for OpenPGP that exist is a good idea, of course, and can help ensure greater privacy in your life. You may be tempted by convenience to simply copy your encryption keys from home to your work computer, but that's a bad idea, mostly because of point 4 above. Instead, you should generate a new key set at work if you want to use OpenPGP there, and ensure that anyone who communicates with you via that set of keys knows that it is ultimately more subject to compromise than your more private, "home" keys. If and when you leave your employer, or have reason to believe it may have been compromised (many employers still install keyloggers on company desktop computers to monitor employee behavior, after all), inform everyone that uses the public key for that set of keys to communicate with you privately that you are invalidating the key set. If you have uploaded the public key to a keyserver, you should invalidate the key on the keyserver as well.
- Protect your private IM and email passwords. It is generally best to avoid using the same IM accounts at work that you use at home, since instant messaging networks often do not encrypt login transactions between the client and the server. Just as the communications themselves may be intercepted by network traffic monitoring software, including tcpdump, so too can your user IDs and passwords for your IM accounts be intercepted, sometimes even if the messages themselves are encrypted by some third-party plugin. The same can be true of emails, if your email logins are not encrypted. If you employ standard Unix mail user agents, tools such as getmail and sSMTP can help you ensure those logins are protected — as well as rest of the session. It is possible to use complete session encryption with Gmail, too, and GUI mail clients usually provide some mechanism for ensuring logins at least are encrypted if the server supports it. When such options are not available, though, it is best to avoid using an email account you use elsewhere, just as it is with IM accounts.
- Don't store browser history or Website passwords not directly related to work. To the extent possible, you should ensure that you leave no tracks when browsing the Web. Many browsers, such as Firefox 3, provide a built-in password manager that can be used to automate the process of entering passwords for the plethora of Websites you may visit regularly. Some of you may not be aware that many of them — again like Firefox 3 — can allow you to recover those passwords in plain text if you forget them and need to remind yourself what passwords you have used. This may allow a former employer to do the same thing after you are not longer in the office. Browser history can be likewise problematic, allowing a glimpse further into your private habits than you may like, or even serving to heighten suspicion and motivate more investigation and prying into your private life similar to the potential effects of inferences drawn from IM logs.
- Use encrypted proxies for private browsing. Just as you can encrypt IMs and emails to protect your privacy, you can also protect Web browsing from local eavesdropping at work. You can use OpenSSH as a secure Web proxy, for instance, so that all that is seen on the local network when you fire up your browser is encrypted traffic sent to a computer at your home. The advisability of this may be open to question, however, as any encrypted proxy traffic may appear suspicious to very watchful netadmin, and you may have to explain why you have near-constant encrypted traffic streaming to some off-site computer outside of your normal duties at work.
- Don't store the sole copy of anything important at work. It is often the case that employers will escort employees out of the building when employment is terminated for any reason, without giving them the opportunity to recover anything from company computers. Sometimes, you may get invited to speak to a specific contact in the IT department, and have him or her recover any files for you that you need, but of course if that is the case the process can be long and annoying, and since it isn't their data, it may be prone to being lost somewhere along the way. Perhaps worse, any such files are likely to be scrutinized before being turned over to you, to ensure that they do not contain company secrets or otherwise present a risk to the business or its resources. It is better to ensure that anything you don't want to lose, but need to have available at work, is not only stored on a work computer.
- Never give your employer reason to distrust you. Show the highest levels of integrity, even if you are angry with your employer over some deceptive behavior or other breach of trust by the employer. Do not sink to your employer's level. Don't skimp on reporting what you use, don't try to arrange surplus supplies and other resources for yourself — just don't try to "get away with" anything at all that might impugn your character in the eyes of the employer or any third party to which the employer may present evidence of your "misdeeds". Even if you trust the chain of management all the way to the highest levels, in an uncertain economy it may be possible that business resources will fall to creditors, and your personal security may then be at risk. This risk can only be compounded if any evidence of your behavior can be construed by someone looking for excuses to pry into your life as justification for such an investigation. Always take pains to protect the company's security as well as your own, and avoid conflicts of interest or the appearance of impropriety, to the extent reasonably possible. In times of economic desperation, in an increasingly litigious world, good intentions are often not enough to protect you.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.