
How to Off-Board Employees Securely and Avoid Data Leaks

Measured Staff
September 30, 2022

Off-boarding employees can present organizations with significant security challenges, and it can increase the risk of data leaks if not handled appropriately. Data leaks can be costly for organizations in terms of fines and penalties, reputational damage, and the time and expenses involved in incident response. That’s why it’s imperative to follow best practices when off-boarding employees, such as:

  • Conducting exit interviews
  • Reclaiming all company assets
  • Revoking access to company systems, networks, and resources
  • Migrating business-critical data
  • Leveraging automation to streamline the off-boarding process

We’ll discuss these best practices in more detail later in this article, but first, let’s take a look at why proper off-boarding processes are essential.

The Importance of Secure Employee Off-Boarding

Depending on the role and responsibility of a separating employee, they may have had access to extremely sensitive systems, applications, and data. The soon-to-be ex-employee may be leaving for a variety of reasons, some of which may raise concerns regarding the possibility of data theft or malicious disclosure. 

Whatever the reason for an employee’s departure, you need to be sure no sensitive resources are compromised in the off-boarding process. You don’t want the individual to leave with any corporate data resources. You also want to ensure that they do not retain access to systems or apps after they leave the company. Unfortunately, insiders are responsible for a large percentage of data breaches, ranging from unintentional leaks to malicious data exfiltration and intellectual property theft. 

Best Practices for Securely Off-Boarding Employees

Following these best practices and tactics can help your company securely off-board employees.

Conduct an Exit Interview

An exit interview offers a company a chance to remind the employee of their responsibility to act professionally and adhere to the commitments they have made to protect sensitive information. The interviewer can use this opportunity to gauge the employee’s mindset and get a sense of the risk they pose to the organization. 

An angry or disgruntled employee is more likely to initiate a data breach or attempt to compromise company information on the way out the door. Companies can stress the legal ramifications that will accompany a data breach and have the individual sign to verify they understand their responsibility.

Reclaim All Company Assets

One of the first steps in the off-boarding process is to reclaim all company assets from the departing employee. This includes any computers, mobile devices, external storage devices, and additional hardware provided by the company. Back up and archive the data on returned devices, then securely delete all information on the equipment so it can be reused by other employees.

The use of personal devices in a BYOD (bring your own device) environment can complicate this step. Employees may retain company data on their devices or in other locations through previously created backups. Companies may want to rethink BYOD when the complications of off-boarding are considered. 

Revoke Access to All Company Resources

Revoke access to all company IT resources for departing employees promptly. This eliminates the possibility of an individual leaking or destroying data and damaging the business. It also reduces the risk associated with inactive and old accounts, which are more vulnerable to hacking. A company’s IT and human resources (HR) departments typically work together to coordinate this activity. 

This process can be more complicated in companies that have a cloud presence. In addition to closing accounts for approved software-as-a-service (SaaS) products, employees may have been using unapproved cloud offerings to store business information. It can be difficult to determine all the places that contain company data resources. 

Migrate Business-Critical Data

Departing employees may have been involved in business activities that required sensitive data to be stored in SaaS applications. In some cases, it may be tempting to leave the data in the account after revoking access by the ex-employee. This strategy results in additional and unnecessary costs to maintain SaaS licenses or subscriptions. 

A better tactic is to migrate the data to another account and modify the processes that access the information. Migration saves money and consolidates data resources for enhanced efficiency.

Automate the Off-Boarding Process

Eliminate the potential for human error by automating the steps required to off-board an employee. The procedures required for revoking access and reclaiming company assets should be standardized, documented, and automated to streamline the process and ensure nothing is overlooked. Missing a single account that enables a former employee to access company systems can result in a devastating data breach.

The documentation necessary to automate off-boarding can also be instrumental in providing evidence in a compliance audit. Companies in regulated industries must demonstrate that effective measures are in place to remove unnecessary credentials to protect sensitive data.
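One way to automate the check that no account was missed is to reconcile the HR separation list against account exports from every system. This is an added example, not part of the original article; the system names, users, CSV columns and status values are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (hypothetical systems and users, not from the article).
HR_SEPARATIONS = """email,last_day
dana@example.com,2022-09-16
lee@example.com,2022-09-30
sam@example.com,2022-10-14
"""
ACCOUNT_EXPORTS = {
    "directory": """email,status,last_login
dana@example.com,disabled,2022-09-15
lee@example.com,active,2022-09-29
sam@example.com,active,2022-10-02
""",
    "crm_saas": """email,status,last_login
Dana@Example.com,active,2022-09-20
lee@example.com,disabled,2022-09-28
""",
    "vpn": """email,status,last_login
lee@example.com,locked,2022-10-01
""",
}
REVOKED = {"disabled", "deleted"}  # assumption: any other status is still usable


def find_lingering_accounts(hr_csv, exports, today):
    """Return accounts of already-departed employees that are not revoked."""
    departed = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        last_day = date.fromisoformat(row["last_day"])
        if last_day < today:  # future leavers are not overdue yet
            departed[row["email"].strip().lower()] = last_day
    findings = []
    for system, text in exports.items():
        for row in csv.DictReader(io.StringIO(text)):
            email = row["email"].strip().lower()  # exports differ in casing
            if email not in departed or row["status"].lower() in REVOKED:
                continue
            last_day = departed[email]
            findings.append({
                "system": system,
                "email": email,
                "days_overdue": (today - last_day).days,
                "used_after_departure": date.fromisoformat(row["last_login"]) > last_day,
            })
    return sorted(findings, key=lambda f: (-f["days_overdue"], f["system"]))
```

Running `find_lingering_accounts(HR_SEPARATIONS, ACCOUNT_EXPORTS, date(2022, 10, 3))` on a schedule and archiving the returned list gives both an alert on accounts that outlived their owner and a dated record for a compliance audit.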

Cyber Insurance Offers Extra Protection

Even the most well-planned and executed off-boarding strategy cannot guarantee that no sensitive data gets compromised. Cyber insurance provides an organization with protection to address the aftermath of a data leak. This extra protection can be crucial in addressing the cyber incident and recovering as quickly as possible.

From conducting exit interviews, to immediately revoking access to company systems and resources, to automating the off-boarding process, and protecting your business with adequate cyber insurance coverage, these best practices will reduce the risks associated with ineffective off-boarding processes.