Cybersecurity and Employee Off-boarding

When an employee leaves your company, whether voluntarily or otherwise, company data remains in their hands until their access is fully revoked. Even if they left on good terms and wish your team the best, their continued access to internal systems poses a risk. To keep your business data secure, you need a regular off-boarding process and a commitment to follow it every time an employee departs. Today, we’ll discuss some key steps an off-boarding process should include.

 

As long as they have access, all former employees pose risks.  

When they retain access to your company’s data, former employees pose a variety of security risks. Well-intentioned employees often download company data onto personal devices so they can work on projects at home, or share login information with others for what they deem valid reasons. In fact, a study of 2,000 desk workers in the U.S. and the U.K. discovered that 49% of respondents had shared their login credentials with someone else, and most saw no problem with this. Somewhat ironically, those working in some industries that have more stringent security protocols, such as legal, finance, and human resources, were more likely to share their login details with colleagues.

A less well-intentioned ex-employee with access to your systems could create a number of problems, even if they aren’t looking to harm your business. The study referenced above found that 36% of respondents were aware that they had continued access to a former employer’s networks, and nearly one in ten former employees used that access. In another study of 3,000 respondents, more than half admitted to taking information from a former employer, and 40% said they intended to use it at their new job.

With continued access to internal networks, employees who leave your company with ill feelings could cause a significant amount of damage. An IBM study of 3,600 people in organizations that suffered data breaches in 2022 found that the global average cost of a data breach has reached $4.35 million. U.S. respondents reported the highest losses, averaging $9.44 million. In 19% of breaches, the cause was stolen or compromised credentials. Organizations that had an incident response team and a regularly tested plan saved an average of $2.66 million compared to those that did not. 

In addition to their significant financial costs, security breaches can damage a company’s reputation, undermine the trust of its customers, and put it out of compliance with legal or industry requirements. With so much at risk, no business can afford not to have a plan in place.

 

A comprehensive off-boarding plan will help protect your company’s assets and reputation. 

Make it official. 

Your company should put legal policies in place that all employees must read and sign so everyone is aware of company expectations around data security. Make sure you have a robust data backup plan. Enforce policies around applications, firewalls, and all sensitive systems, and train employees to recognize and resist phishing attempts. Enable two-factor authentication, and forbid employees from disabling it. If you don’t have an experienced IT provider, consider consulting with one to make sure all your bases are covered. 

 

Conduct exit interviews. 

Make exit interviews a regular part of employment termination, and review the security policies and procedures surrounding termination in this conversation. Have departing employees return all company devices and delete any company information from personal devices and cloud accounts. While tying up these security details, you can also help create a smoother transition out of the company. 

 

Disable all former employees’ access. 

As soon as an employee becomes a former employee, all their access to company systems should be revoked. Keep a list of all access that needs to be removed or transferred to another user and track your steps as you take them, so the entire process is fully documented. Make sure to remove their contact info from multi-factor authentication and revoke their access to internal email, cloud storage, and shared apps as well as the physical building. 

 

Comprehensive Outsourced IT 

Working with an IT provider is one of the best ways to make sure you’re following best practices when developing and implementing data security policies and procedures. Because you don’t know what you don’t know, you need an expert who will consult with you and identify any holes in your processes. Pendello provides fully managed IT, assessing the systems you have in place, recommending and implementing solutions, and helping your company adapt to the evolving IT landscape. To learn more, browse our online resources.