Unfair Advantage - Blog

Core considerations for taking control of Joiners, Movers, and Leavers in consultancies

10 August 2016 | Category: Metis

Security and privacy concerns have never been greater

Consultancies have always required a flexible approach to HR. The project-oriented nature of the sector often means it is a necessity to boost your permanent team by engaging those with the skills and expertise you require on an Associate and Freelance basis.

The fast-moving nature of business and the need to rapidly assemble and re-configure teams ad hoc mean it is easy to lose track of who has access to what. Despite the high level of integrity and professionalism expected of consultants, when people leave they can inadvertently or deliberately do things that put the firm’s goodwill at risk and do potentially significant reputational damage. Many firms place an emphasis on onboarding; however, the enthusiasm for ‘offboarding’ is often missing.

It’s not just about managing leavers but movers too. A common scenario is where a contractor gets access to a firm’s systems and all the files relating to client A. Once the project is finished the contractor moves straight to client B and gets access to those files as well. However, the process for turning off access to client A falls through the cracks.

And it’s not just the firm’s own data that is at risk. Often consultancies hold some of the most commercially sensitive client information. A client may expect the firm to be able to demonstrate ‘security parity’ in that the firm’s security is no weaker than the client’s.

Another often-overlooked area is personal data. In the UK, we are less than 2 years away from new EU regulations that will see companies facing fines of up to 5% of global revenue for losing personal customer data. Brexit is unlikely to stop this process. Firms often get access to clients’ customer data and they need to manage access to this extremely carefully. Any personal data breach could lead to very damaging fines for their client.

Today, security and privacy concerns and fears of insider misuse of systems and information have never been greater. Rather worrying is the phenomenon of the ‘silver fraudster’. There has been a shift towards more senior and experienced workers defrauding employers. Often this has the greatest impact as they may be privy to sensitive information and are subject to less oversight.

So whether for non-permanent team members or long-established full-time leaders in specific areas of practice, there is a need to take control of the access privileges of all staff as they move into, through and out of the firm.

Here we outline the core considerations for taking control of the access rights and documentation of those that join, leave and move within the firm.

Physical access to premises

  • Access to the firm’s premises
    • May require security clearance and identity badges or fobs
  • Client sites
    • Don’t forget to factor in any access that has been granted to client sites
  • Surrender
    • Ensure security clearances are removed and identity passes are surrendered when people leave client roles or your firm
    • Update internal security and facilities teams or those in serviced offices with any changes about persons permitted to have access
    • Reclaim any keys or change locks; re-programme digital door locks

Digital access and permission levels

  • Permissions
    • Record and manage access permissions to software systems and data such as CRM and client folders
    • Consider using a corporate password manager to ensure strong passwords are created and regularly changed; such systems strengthen passwords while simplifying logins by reducing the need to remember different passwords for different systems
  • Monitoring
    • Monitor access, if practicable, to record what files have been accessed, copied, printed, emailed, etc.
    • Turn on or upgrade cloud system features that provide an audit trail; this may help prove security breaches did not originate from your side
  • Remote Access
    • Don’t forget to shut down any remote access capability that contractors may have been granted, but no longer require
  • Hardware
    • All devices should require passwords, preventing unauthorised access in the event of loss or theft
    • All data carried on mobile devices, whether resident on the contractor’s or the firm’s devices, should be encrypted
    • Ensure any of the firm’s hardware is surrendered by contractors at the end of the engagement; client data and logins should be wiped before devices are re-assigned to other users

Documentation

  • Maintain
    • HR should maintain up-to-date records of all relevant documentation
  • Signatures
    • Contractors should sign contracts and confirm they have read and understood policies relating to technology and internet usage and data sharing; consultant contracts should include suitable NDAs
  • Certification & qualifications
    • Make sure documents are genuine and issued by recognised authorities
  • CVs
    • Make sure CVs are on file and that information in social channels such as LinkedIn is consistent with CVs

Governance, compliance and due diligence

  • Compliance scrutiny
    • Failure to establish identity and right to work may leave the firm open to investigation with respect to employment and immigration rules
    • There are significant financial penalties for failing to meet regulatory standards here
  • Client assurance
    • Build client confidence by sharing the policies and procedures the firm has put in place to ensure staff and contractors are removed from access when projects are concluded
    • Regular internal review, or better still, external inspection should be in place to prove the process operates, highlight good practice and demonstrate a commitment to continual improvement
  • Due diligence
    • For business owners looking to engage in M&A activity to grow, exit or dispose of a firm, the ability to provide comprehensive documentation on associate and freelance as well as permanent employees is a must

To ensure these elements are nailed down it is worth considering creating a Joiners, Leavers and Movers policy and process that lets everyone know where they stand and their ongoing obligations, especially around confidentiality and prejudicial action.

Many use spreadsheets to try to keep track of who has permissions and access privileges. However, this is time consuming, messy and prone to errors. Is there anything better than spreadsheets?

Keep on top of resource for your projects with Metis

When you need to stay on top of resourcing in your consultancy, Metis gives you a clear 360 heads up on it, and everything else that’s important to running your firm smoothly and profitably. It’s like 20:20 foresight for consultancy businesses.

To see how Metis collapses the complexity of your business and shows you where you need to focus, simply sign up for our demo today.
