- 16th December 2022
- Posted by: Phil Aston
- Category: cybersecurity
Digital footprints cover today’s modern workplace. Employees begin making these the moment they’re hired. They get a company email address and application logins. They may even update their LinkedIn page to connect to your company.
When an employee leaves a company, a process needs to happen: “decoupling” the employee from the company’s technology assets. This is essential to remaining cyber secure.
As unlikely as it is, you don’t want a disgruntled former employee to maliciously email your customers from their work email. Sensitive files left on a former staffer’s computer could leak months later with disastrous consequences.
20% of surveyed businesses have experienced a data breach connected to a former employee.
Digital offboarding entails revoking privileges to company data, and much more. This is a critical process to go through for each former staff member to reduce risk.
Below, we’ve provided a handy checklist to help you cover all your bases.
Communication needs to be a top priority
You must be attentive and react as soon as the offboarding process begins (yes, it starts once an employee announces that they’re leaving). It’s best to react quickly and to set things out in clear, agreed terms.
- When is the employee’s last day?
Agree on and document it. Are they going on immediate garden leave or will they be handing over and leaving when they’ve served their notice?
- Who’s taking over responsibilities?
There’s often a gap between someone leaving and a replacement getting hired. Make sure support and clear processes are in place.
- When will the job opening be posted and where?
Don’t post the job opening before finalising details with the employee.
A quick response will make the whole process smoother and eliminate any gossip or speculation about why the person is leaving.
Vast corporate knowledge can disappear when a person leaves an organisation. It’s important to capture this during a digital offboarding process. Make sure to do a knowledge download with an employee during the exit interview. Better yet, have all staff regularly document and update procedures and workflows. This makes the knowledge available if the employee is ever not there to perform those tasks.
Address social media connections to the company
Address any social media connections to the former employee. Is their personal Facebook user account an admin for your company’s Facebook page? Do they post on your corporate LinkedIn page? It’s important to separate these early on.
Identify all apps and logins the person has been using for work
Hopefully, your HR or IT department will have a list of all the apps and website logins that an employee has. It should be managed in a secure password system. But you can’t assume this. Employees often use unauthorised cloud apps to do their work. This is usually done without realising the security consequences.
Make sure you know of any apps that the employee may have used for business activities. You will need to address these. Either change the login if you plan to continue using them, or you may want to close them altogether after exporting company data.
Maintain a list of technology assets and recover them
Make sure you have a current list of all the technology assets that are in the custody of leaving employees. These may include the following:
Devices like laptops, personal computers, iPads, and company-issued smartphones.
Auxiliary technology assets such as keyboards, monitors, mice, printers, headphones, etc.
- Network assets
Especially relevant for remote employees, these may consist of USB dongles and routers or switches for home.
License seats of the software applications used by employees. For example, a graphic designer may have license seats for the entire Adobe software suite.
Website URLs in the custody of an employee. For example, the Vice President of Engineering may have custody of your website’s testing domain.
Make sure to recover any company-owned devices from the employee’s home. Remote employees are often issued equipment to use, so make sure it’s all retrieved.
Recover data on employee personal devices
Many companies use a bring your own device (BYOD) policy. It saves money, but this can make offboarding more difficult. You need to ensure you’ve captured all company data on those devices. If you don’t already have a backup policy in place for this, now is a good time to create one!
Change email passwords
Changing the employee’s email password should be one of the first things you do. This keeps a former employee from getting company information and prevents them from emailing as a representative of the company.
Change employee passwords for cloud business apps
Change all other app passwords. Remember that people often access business apps on personal devices. So, just because they can’t access their work computer any longer doesn’t mean they can’t access their old accounts. Consider whether they use 2FA and what impact this has.
Transfer data ownership & close employee accounts
Don’t keep old employee cloud accounts open indefinitely. Choose a user account to transfer their data to and then close the account. Leaving unused employee accounts open is an invitation to a hacker. With no one monitoring the account, breaches can happen. A criminal could gain access and steal data for months unnoticed.
Revoke access by the employee’s devices to your apps and network
Using an endpoint device management system, you can easily revoke device access. It’s important to remove the former employee’s device from any approved device list in your system.
Change any building digital passcodes
Don’t forget about physical access to your building. If you have any digital gate or door passcodes, be sure to change these so the person can no longer gain access. Don’t forget to remove keycard access and passcodes, and retrieve any keys they may have for accessing the building.
What are the benefits of having an offboarding process in place?
It improves security
Removing a former employee’s access ensures only current employees can access the business’s files. Restricting access to current employees reduces the risk of data breaches and security threats.
It improves employee confidence
Employees feel more confident in an organisation that demonstrates successful offboarding processes. Employees respect the business when these processes are easily executed and empathetic.
It can boost productivity
A clear, well-executed process to offboard employees can help team members be more productive when colleagues leave. For example, a key part of the process is transferring knowledge from the departing employee to colleagues taking over their duties. The employees staying with the organisation can be more productive when they understand their departing colleague’s processes and progress towards deadlines.
It makes complying with regulations easier
A clear offboarding process that’s well executed every time helps organisations comply with industry recommendations and regulations. Good offboarding practices help organisations comply with requirements, and compliance improves the organisation’s reputation and reduces the risk of penalties.
It helps organisations learn and improve
An exit interview is a key part of an effective process to offboard employees. This interview gives organisations the chance to learn from their departing employees. People often speak more honestly when they’re departing an organisation, especially if they have critical feedback. Learning more about a departing employee’s role and experiences helps organisations improve their corporate culture and operations.
If you’re ready to be cyber secure, download our complete offboarding checklist to make sure you haven’t missed anything!