How BluVault makes employee termination less painful

Threats to business data are not just external but can be from internal sources too. Incidents like breaches, malicious hacks, or data leakage tend to take prominent space in news headlines. But every organization suffers data loss due to insiders – which could many times be as severe or worse.

Organizations need to be particularly careful when parting ways with employees. Employees who believe they are being terminated unfairly could hold a grudge and make attempts to retaliate while they still have access. In the USA alone, so far in 2021, the total number of employee separations reached 5.5 million. The reason for such terminations may vary, but what matters to is that the employee’s data is protected at all times.

But despite an employer’s best efforts, unfriendly employee exits can be tough and lead to unpredictable consequences. Disgruntlement or perceptions of unfair treatment can drive such employees to retaliate by taking passive-aggressive actions like:

1. Not returning their company asset (laptop etc.)

2. Returning the asset after having wiped all data

3. Deleting data in cloud accounts such as OneDrive or Exchange

There is also the matter of effectively dealing with the data that belongs to an ex-employee. Even after an employee leaves the company, it needs to be remain protected, retained for the right amount of time, and made available to the organization as required.

How Backups can help

In such cases, a comprehensive data backup solution is one of the best defenses organizations can have in place. Having a reliable and regular data backup of employee data both of their devices, and of their cloud accounts is a an excellent way to hedge against such undesirable behavior. But good backup solutions do more. Solutions like Parablu’s BluVault provide well thought out features specifically to handle employee terminations.

BluVault offers a range of built-in features to close data protection gaps further during employee separation/termination.

1. Backup Schedules and Frequency

There are several proactive measures that an IT administrator can take when employees are terminated or when they are serving out their notice period. One approach is an on-demand forced full data backup from the device. Another could be to simply increase the frequency of backups for such employees – to avoid missing out on any deleted data. And not to forget, for some sensitive cases, perform these activities in non-interfering stealth mode.

BluVault offers this capability to the administrators through policies that can be configured to adjust the frequency of backups. Backups can be schedule to run even several times a day if required.

Backup Schedule Frequency: BluVault Home > Policy Management > General > Backup Information > Schedules

2. Stealth mode backups

It is also possible to turn on ‘stealth mode’ for BluVault’s endpoint agent. In stealth mode, BluVault doesn’t advertise its presence to the end-user, but runs silently. The system tray icon is dispensed with, and it also removes any traces of itself out of Windows Programs & Features. The possibility that a disgruntled user might tamper with the endpoint agent, by trying to stop/exit the agent, or uninstall the software is vastly minimized.

Backup Schedule Frequency: BluVault Home > Policy Management > User action preferences > Agent > Systray Icon

3. Litigation Hold

BluVault also has a built-in litigation hold feature, which is typically used in cases where there is a demand for information from an attorney or a judge. Once a user is placed in a policy with Litigation Hold turned ON, BluVault automatically suspends any policy based data deletion – in other words data retention becomes infinite, which means all backed up data is retained forever. The BluVault endpoint agent also begins to backup all folders on the endpoint system, as opposed to only those specified by policy.

Litigation Hold: BluVault Home > Policy Management > Advanced > Options > Enable Legal Hold

4. User blocking

When an employee leaves the organization, IT administrators would like to free up their backup license so it can be re-used for another user. But what if their data needs to be restored at a later date? BluVault allows administrators to preserve the user and device devices, as well as all backed up data even without a license. A license is required only at the time a restore is required.

To do this, the administrator can use the BluVault portal, go to the Users shortcut, select the user in question and simply ‘Block’ the user. If using BluVault in conjunction with Active Directory or Azure Active Directory for user provisioning, simply removing the user from the respective Active Directory or Azure Active Directory security group is all that is needed.

Block a device in the BluVault portal: BluVault Home > Users > List of Users > Block

5. Data migration

Data Migration is an extremely helpful feature when BluVault is set up to back up device data to an individual licensed storage allocation like OneDrive for Business. BluVault has the unique ability to backup end-user data to their respective OneDrive for Business storage allocation. However, when the employee leaves the organization, and their Microsoft 365 license expires, the business has about 30 days during which Microsoft allows the organization time to retrieve any data they require from the terminated account. If the BluVault backups are stored on OneDrive, it is important to ensure that those backups are relocated to a safe target for subsequent restores.

BluVault includes a neat feature called Data Migration which will move all backup data for a given user out of their OneDrive for Business account into a central OneDrive repository supplied by the organization. This process is irreversible once started and results not just in moving the backup data, but also updates all data pointers in BluVault’s meta-data catalog to refer to the new backup location.

In order to use the Data Migration feature, it is important the user is first in a Blocked state (as described in the previous section). Once this is done, the administrator can use the Parablu Portal, navigate to Settings -> Data Migration to use the feature.

Data Migration: BluVault Home > Settings > Cloud Settings Tools > Data Migration

6. Device reassignment

Now, the user has left the organization, the username has been blocked in BluVault – so their devices and data are preserved. What if you wish to now access the data? One way is to simply assign back a user license temporarily to the blocked user, so that a one-time data recovery or download can be accomplished.

But what if the organization wishes to keep the data preserved in BluValt, but provide access to that data to another employee in the organization? Perhaps the ex-employee’s supervisor, or someone who has replaced them in that position?

Parablu’s BluVault offers a simple solution. The BluVault administrator can simply transfer ownership of the backup data to an alternate user. This alternate user to whom the device is reassigned gets the options to view, access, and download/restore backed-up data from the device – just as the original user would have. This feature ensures backup data is available to multiple users at once while eliminating any impact on business operations due to employee separation or a prolonged leave of absence.

Device reassignment does not require an additional user license, but is allowed for a limited number of users at a time (typically 10% of the total BluVault license count).

For a user’s device to be re-assigned, the user first needs to be in a Blocked state – as described above.

Device Assignment: BluVault Home > Users > List of Users > Block > Assign additional users

7. Administrative delete

When an enterprise performs backups from an business laptop or desktop, it is possible that an employee’s personal data may also inadvertently gets backed up. When (or after) an employee leaves an organization, it is possible that they ask for such data to be purged.  Recent regulations focused on individual privacy (such as the GDPR) have empowered citizens / individuals with such rights as the “Right to be forgotten”.

It is therefore important for a business to be able to review and satisfy such requests.  Unless a backup solution has been designed to keep user data insulated and allow such surgical removal – this could well prove to be an impossible task.

Parablu’s BluVault enables businesses to be prepared to manage such Right To Be Forgotten like requests effectively and efficiently.  Parablu’s Administrative Delete feature allows an administrator to navigate down into a device into folders, sub-folders, specific files, and even file versions – in order to selectively delete any personal data.   All such surgical data removal operations through Administrative Delete feature are permitted only by authorized administrators, and all actions are audit logged for compliance.

Administrative Delete: BluVault Home > Settings > Global Settings > Data Management > Can Administrator delete other users’ data > Enable

These are just a few thoughtful features that Parablu has built into BluVault to make employees termination process data-protection friendly.   We are of the strong belief that enterprise class backups should do much more than simply make second copies of your data – they should actually make an administrator’s job easier.

Get in touch with us to learn more about how Parablu can help.