Whether they’re leaving on good terms or involuntarily, an employee departure is always a precarious time for a company. The exit of someone who was once deeply involved in the day-to-day operations of your business can present a very real threat to your cybersecurity, but by developing a thorough IT offboarding policy and rigorously following it with each separating employee, you can mitigate your company’s risk, and ensure your data will be safe from unauthorized use or access.
The process of developing a robust offboarding policy doesn’t need to be a difficult one, but it might take some brainstorming. While we won’t advocate paranoia, it is important to think critically about the ways an employee might exploit your company’s information technology both during and after separation.
For example, does your current offboarding policy address the modern workplace reality of SaaS, such as G-Suite, Dropbox, Evernote, or any type of cloud-storage or cloud-computing software? What about personal-use applications installed on an employee-issued device? What about their personal devices? A robust policy covers all of these, but even that should just be the beginning.
Exit Interview and Assessing Risk
Considering how much technology we use in the workplace, an offboarding process should be a collaborative effort between HR and IT. By notifying your managed services provider when an exit is about to occur (or is highly likely), IT personnel can do a risk assessment in advance, and rework their action plan as necessary. For high-risk terminations, certain IT offboarding tasks might be more time-sensitive than usual, and might need to be executed concurrent with the exit interview, or even beforehand as a precaution.
The importance of IT and HR working side-by-side is even greater considering that in a recent survey, 87% of employees admitted to taking data they’d created during their tenure at a company when they left, and another 28% admitted to taking the data of others. Having a representative from your IT team in the room during exit interviews will give them the opportunity to head off any NDA or intellectual property issues, and also ask pointed questions of their own regarding the employee’s workplace technology habits, login credentials, etc. — the answers to which will make for a smoother offboarding process.
The first steps in any offboarding should be to remove the employee’s computer access and then promptly revoke their access to all the rest of your systems. Former employees should never have the ability to access your server, cloud, or data in any way, so it is important to promptly remove your employee’s login credentials and disable their user accounts. Make sure that this is done across all local and remote platforms.
If an employee conducted business from their personal device or phone, have an IT or HR representative watch them delete their work email account, etc.
In addition to removing access to any online platforms, another critical step in the offboarding process is to collect any company-owned equipment, including workstations, laptops, phones, tablets, USB drives, etc. If the data on these devices is important (especially for anything on the local hard drive), back it up to a secure location so that it can later be distributed to the appropriate parties, and then wipe them clean. Oftentimes equipment will be repurposed for another employee, so it’s necessary to ensure there won’t be any privileged information lingering on these devices that someone else might be able to gain unauthorized access to — whether accidentally, or otherwise.
Data Location and Information Transfer
In addition to taking control of any residual data on a work device, you should have terminated employees access to any work files (if not shared) or proprietary information that might be stored on their personal devices. If necessary, a remote-wipe can be performed, but caution should be exercised while doing so because there’s a potential to delete their personal data. Once access has been transferred to a current employee, make sure it is removed from the personal device.
One of the reasons to have an IT representative in the room during the exit interview is so they can ascertain where else the employee may have stored data. Cloud storage platforms are exploding in popularity, and there are times when the personal and business can mingle. If someone used their personal Dropbox or G-Suite account to for work purposes, you’ll need to ensure nothing proprietary is left behind. Remember, 87% of employees admit to taking data with them when they leave.
Sussing Out Shadow IT
In a previous post we discussed the dangers of Shadow IT. Client-employed IT solutions increase the likelihood of unofficial and uncontrolled transmission of your data, and present a very real risk during employee separation — especially if said separation is contentious. Even things that might seem harmless, like self-developed API’s, custom Excel spreadsheets and macros, or personal flash drives, can leave you vulnerable. Given the high potential for data loss or theft, it’s vital that you include the identification and removal of Shadow IT on your offboarding checklist.
Tying Up Loose Ends
Once data has been successfully located and transferred, and access has been revoked, one the more overlooked final steps in the offboarding process is to turn an eye externally. Any emails or calls that would have come to the employee should be routed to a manager, and any clients or vendors that the employee was working with should be notified of the termination. This is especially important if their position involved them to have accessing client or vendor systems.
Clearly, there’s a lot to consider when developing an successful offboarding policy. When it comes to your business’s information and technology, a poorly handled offboarding has the potential to be catastrophic. According to McAfee, 43% of data and security breaches came at the hands of company insiders. Don’t give a former employee the opportunity to be one of them. Need help creating a plan? Our team is always available to help.
Contact JNT Tek for help developing your business’s offboarding policy.