5 IT Risks Your Company Faces When an Employee Leaves
Cybersecurity writer Sue Poremba recently shared an experience that shows how blind many companies are to the IT security risks they face when an employee leaves.
Weeks after quitting a job to take a new position, Poremba needed some information that she thought might be in her email inbox at her former company. Acting on a whim, she tried to log in to that old email account. To her astonishment, not only was she able to access her email, but she found that she still had access to everything on that former employer’s network, including sensitive employee records and company financial information. As Poremba notes, if she had been a vindictive ex-employee, she could have done untold damage to her former company.
This anecdote illustrates how critical it is for businesses concerned about cybersecurity (and that’s every business these days) to understand the risks their IT operation faces when an employee leaves the company, and to have a well-thought-out plan in place to deal with those vulnerabilities.
IT risks your company faces when an employee leaves
The fact is, among the largest cybersecurity threats to businesses are employees who are leaving or have left. According to a recent survey from security firm OneLogin, 20% of the responding organizations said they had experienced at least one data breach carried out by a former employee.
Let’s take a look at some specific ways in which employees who leave can pose a risk to the company’s IT assets if their exit is not handled the right way.
1. A departing employee can still access their IT accounts.
As Sue Poremba’s experience illustrates, this is not an infrequent occurrence. According to the OneLogin study, 48% of the organizations surveyed acknowledged that former employees still had access to their networks.
2. A former employee could use shared login credentials to access other accounts.
Even when a departing employee’s personal accounts are shut down or locked, that person can sometimes still access company systems using credentials that were shared among several workers. In one study, 49% of employees surveyed said they had shared their network login information with co-workers.
3. The employee has confidential or sensitive company data on a personal device.
In these days of BYOD (Bring Your Own Device), it’s not unusual for employees to access company information using their own personal devices. If sensitive data was downloaded to the device, there’s a significant exposure to the loss or misuse of that information.
4. Information in the employee’s files may be lost.
Important information concerning a departing employee’s projects or customer contacts may be stored in personal files or folders on the system. In many cases, no one else in the company is aware of the location or significance of these files, and the information they contain may be effectively lost.
5. A vindictive employee may attempt to sabotage the company’s IT systems.
In the interval between the time an employee decides to leave or is terminated and the time access to company systems is cut off, disgruntled workers have often attempted to do as much damage as possible to the company by sabotaging its IT operations.
How to minimize the risk factor when an employee leaves
To minimize the risks to your company’s IT systems when an employee leaves, it’s vital for HR and IT to work together. Here are six steps that should be taken:
1. Notify IT immediately.
When HR becomes aware that an employee is leaving for whatever reason, one of its first steps should be to notify IT so that immediate steps can be taken to appropriately limit that person’s access to company systems and data.
2. Identify any personal files or records that must be preserved.
HR and IT should work out a process by which the departing employee is interviewed to determine how their files, documents, and other assets hosted on company systems can be identified and preserved.
Rather than shutting down the employee’s email and voice mail accounts immediately, you may want to see that they are either automatically redirected, or that someone is appointed to monitor them for a time to respond to any important incoming messages.
3. Delete or revoke access to the employee’s accounts.
Login credentials, including user IDs and passwords, to the employee’s accounts should be canceled at the appropriate time. If the worker is being terminated, this should be done immediately. If the departure is amicable, and the employee will stay on the job for a period after giving notice, HR and IT should work together to establish a phased schedule for revoking those privileges.
4. Retrieve any company devices the employee may have.
You should, of course, have records of any company-owned devices the employee may have in their possession, such as laptops, tablets, and smartphones. Items that sometimes aren’t logged but which may contain large amounts of company-confidential information are USB flash drives. All these devices, and any data they contain, must be retrieved.
5. Wipe company data from the employee’s personal devices.
If the employee has been using their personal devices for work (or if you will allow them to keep a company-owned device), you must ensure that any sensitive company data is removed. The process for doing this should have been agreed to by the employee at the time they were authorized to use those devices on the job. This sometimes involves use of Mobile Device Management (MDM) software to remotely wipe company data from the employee’s device.
Don’t forget to check whether files from your cloud storage service, such as Dropbox or Google Drive, are being shared to the employee’s laptop or home computer.
6. Audit the exit process.
Someone, probably in HR, should be appointed to audit the exit process to ensure that all steps are completed appropriately. That’s the best way to ensure you won’t have your own Sue Poremba who, weeks or months after leaving the company, discovers that they can still get into your IT systems.
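Part of the audit in step 6 can be automated by reconciling HR’s list of leavers against an export of accounts and shared credentials. The following is an added example, not part of the original article; the user names, systems, dates, and finding labels are constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR's leaver list, an account export, shared credentials.
LEAVERS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 15)}  # user -> last day
ACCOUNTS = [
    # (user, system, enabled, last_login)
    ("jdoe", "email", True, date(2024, 3, 20)),
    ("jdoe", "vpn", False, date(2024, 2, 28)),
    ("asmith", "email", False, date(2024, 3, 14)),
    ("asmith", "crm", True, None),
    ("mlee", "email", True, date(2024, 4, 1)),
]
SHARED = [
    # (credential, users who knew it, date the password was last changed)
    ("finance-portal", {"jdoe", "mlee"}, date(2023, 11, 5)),
    ("social-media", {"asmith", "mlee"}, date(2024, 3, 16)),
]

def audit_offboarding(leavers, accounts, shared, today):
    """Return sorted (finding, user, target) tuples for incomplete offboarding."""
    findings = set()
    for user, system, enabled, last_login in accounts:
        last_day = leavers.get(user)
        if last_day is None or last_day >= today:
            continue  # current employee, or still working out a notice period
        if enabled:
            findings.add(("ACCOUNT_STILL_ENABLED", user, system))
        if last_login is not None and last_login > last_day:
            findings.add(("LOGIN_AFTER_EXIT", user, system))
    for credential, members, changed in shared:
        for user in members.intersection(leavers):
            # A shared password the leaver knew must be changed after they go.
            if leavers[user] < today and changed <= leavers[user]:
                findings.add(("SHARED_PASSWORD_NOT_ROTATED", user, credential))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_offboarding(LEAVERS, ACCOUNTS, SHARED, date(2024, 4, 2)):
        print(*finding, sep="\t")
```

A login recorded after the last day is reported even when the account has since been disabled, because it shows access was used during the gap.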
Should you partner with your MSP to handle IT exit procedures?
Many companies have found that their IT Managed Services Provider (MSP) is better positioned than their in-house IT staff to handle the technical aspects of offboarding a departing employee. The MSP will have a well-defined checklist of actions that must be taken to ensure all access permissions are revoked and that the employee’s devices, whether on-premises or remote, are blocked from accessing company systems. They will also know how to ensure that the employee’s files are appropriately preserved, and that any data residing on personal devices is completely and permanently removed.