We provide staff with laptops during their employment at the University and they are expected to return them to IT before they leave. We are seeing a number of cases where staff are leaving the University without returning equipment - laptops in particular.
We are able to disable the laptops remotely as they are enrolled in Intune, however the financial loss as a result of having to replace the hardware is reaching unacceptable levels.
How do your institutions appoint accountability for devices given to staff, how do you incentivise staff to return equipment and what do you do if they don’t?
Issue is local labor laws now act more in favor of the person than company when it comes to corporate assets. We’re seeing the same in smash and dash of local stores being looted in broad daylight. I had in the past been able to take measures such as requesting final paychecks withheld or other enforcing type approaches. No longer the case.
Consider BYOD as a hardware deployment practice where shrinkage is highest, like remote or field operations. Use thin clients, reducing the hardware to a useless piece of hardware to them. You’re doing remote intervention, which works; add in the LoJack version for PC to remotely locate the missing hardware when it comes online. I have found that informing the employee that theft of company property will be reported to the local authorities if not returned forthwith, then follow through. I had a case where we recovered several devices by giving local authorities the whereabouts of the devices once they came online. Wish I could have been there when those were harvested.
More ideas I can pull in if you need them. Good luck.
I have experienced the same issue and am also at a US university. I don’t have a good solution for you because when I raised this issue, it wasn’t considered a priority to be acted upon - from a financial perspective. I think that what you can do if you want action on this is to raise the awareness of the problem from an infosec perspective. These devices have university/company data on them!
What do you deem “unacceptable levels” of financial loss? Another way to approach this is to set a threshold of financial impact. Start tracking “cost to replace assets not returned by employees” as a KPI. You will have data to demonstrate the problem. If you have leadership support to set that threshold, then you should have leadership support to do something about it when it hits that threshold. It will take that leadership support to set internal policies such as requiring departments/managers to follow ITAM procedures for employee departures (turning in equipment); you may have to financially incentivize/penalize departments if possible.
I want to add something here about setting up the basis for the action in the first place. “expected to return” is certainly normal, but it needs to be firmly rooted.
Create a policy document that applies to all employees that any university hardware must be returned to the organization as a condition of receiving last check and/or other payouts at end of employment. Using the standard HR approaches, make each existing employee acknowledge and accept that as one of the many conditions of continued employment. And then make HR push that as a standard talking point in each exit interview as a reminder. Having a legally documented basis, with that background, will generally help a few things:
it’s an employment agreement about ownership of assets
it specifies conditions to activate
provides clear resolution to correct the situation
Bryant’s points above are also accurate - certain states have employment laws that may conflict and make this ultimately unenforceable, but that being said, having the threat out there will likely decrease the number of occurrences for those who aren’t willing to risk the legal process, even if you aren’t able to enforce it smoothly.
And Dan also brings up partnering with the IT Security team to bring this to the right attention and get buy-in by the administration in order to reduce risk to the organization. The data on those machines is not the ex-employee’s, and its value may be more than the hardware itself.
Lastly, building (or improving) a process of exactly when those devices ought to be reclaimed during the exit process and who is involved is important. Realistically, it’s no different than building/office keys - nobody ignores letting employees leave with building keys. Choosing who is responsible and also accountable for the capture step is important too. For instance, if the department head is accountable, and they will be charged by IT for lost hardware, they will start to do better for you. (That may require another internal policy be created, but once it’s there and enforced, those departments will likely try harder.)