8 steps to secure your business during employee offboarding
Imagine this: every year, up to 17 employees leave your 100-person company. Within a half-decade, you could be replacing your entire workforce. That's the reality facing businesses today, with the average employee turnover rate for U.S. businesses reaching 17.3 percent, Canada at 15.5 percent, and Australia at 14 percent in 2023.
Despite these turnover rates, 71 percent of organizations lack a structured offboarding process. This lack of planning can have serious security consequences, as 20 percent of businesses have experienced data breaches linked to former employees. This oversight highlights why 76 percent of IT leaders consider offboarding a significant security threat.
The Security Imperatives of Employee Offboarding
When an employee leaves, lingering access to sensitive data is a significant security risk. A disgruntled ex-employee could maliciously leak or sell valuable information. Even a well-meaning but careless former team member could leave company data vulnerable on an old laptop. This threat is especially dangerous for companies in highly regulated industries like finance, healthcare, and technology, where data breaches can incur hefty fines and legal repercussions.
Too many companies have inconsistent offboarding processes that leave holes in their security posture. Offboarding needs to be treated with the same rigor as onboarding new employees. You wouldn't leave your house keys with someone who no longer lives there, so don’t let departing employees hold onto digital keys that could compromise your security.
Comprehensive Offboarding Procedures to Revoke Access Promptly
To ensure security upon an employee’s departure, organizations should:
- Immediately Revoke Access: As soon as an employee's departure is confirmed, HR should initiate a protocol to revoke all digital access. This includes network accounts, cloud services, VPNs, databases, code repositories, enterprise applications, and communication tools.
- Maintain a Comprehensive Checklist of Assets: Develop a thorough checklist that itemizes all the assets in an employee’s possession, both physical and digital. HR and IT should cross-check it so that every access is identified and can be promptly revoked.
- Ensure Timely Return of Physical and Digital Assets: Secure the timely return of all keys, access cards, badges, computers, phones, and other company-owned devices, and wipe them in line with company security policy. If the employee brought their own device to work, remotely wipe any company data from those personal devices.
- Communicate with Service Providers: If the employee had access to third-party services, communicate with providers to ensure access is terminated. It’s common to overlook such accounts, but they often contain sensitive data.
- Delegate Email and Document Ownership: Establish a plan for the departing employee’s email account and documents. Delegate access to a manager or successor where necessary and archive content in accordance with company policy and compliance requirements.
- Establish Clear Transition of Roles and Responsibilities: Ensure there is a clear transition plan for the departing employee's roles and responsibilities. This should be communicated across departments to avoid confusion and potential security gaps. Update any documentation, wikis, org charts, and process flows they contributed to so that they reflect the departure.
- Monitor Post-Exit Access: Utilize tools to monitor for any attempts to access company systems post-exit. Such tools can send alerts if a deactivated account is being used, indicating a security threat.
- Integrate IT and HR Systems: Ensure HR systems are integrated with IT security measures. When an employee is marked for offboarding in the HR system, IT should automatically receive a notification to begin the process of revoking access.
Maintaining Continuous Vigilance
To ensure a secure employee offboarding process, conducting regular audits to address "access creep" (privileges that accumulate over a tenure and are never removed) and discrepancies in access rights is essential. Segregating duties and regularly monitoring access privileges help mitigate risks from both external and internal threats.
Educating HR and IT staff about potential access points and automating the revocation process are key to a comprehensive offboarding strategy. Training on automated tools and preparing for incomplete offboarding through incident response plans ensure teams are ready for even the most complex offboarding scenarios. Organizations must also stay up to date with regulatory changes in data privacy and cybersecurity to ensure offboarding practices remain compliant.
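The "Monitor Post-Exit Access" and "Integrate IT and HR Systems" items above, together with the access audits described in this section, come down to three mechanical checks: compare the HR roster against the identity directory to find terminated employees whose accounts are still enabled, find enabled accounts that HR does not know about at all, and scan authentication logs for any use of a departed employee's account after their termination time. The following script is an added example and is not code from the article or from Gathid; the HR export, directory export and log lines are constructed for illustration, and the key=value log format is an assumption that would be adapted to whatever the real identity provider and SIEM emit.

```python
"""Constructed example: reconcile an HR roster with an identity directory and
scan an authentication log for use of accounts that belong to departed staff.
Every record below is made up for illustration; field names are assumptions."""
from datetime import datetime, timezone

# Constructed HR export: who has left, and when (ISO 8601, UTC).
HR_ROSTER = [
    {"employee_id": "E1001", "username": "asmith", "status": "active", "terminated_at": None},
    {"employee_id": "E1002", "username": "bjones", "status": "terminated", "terminated_at": "2024-03-01T17:00:00Z"},
    {"employee_id": "E1003", "username": "cwu", "status": "terminated", "terminated_at": "2024-03-05T12:00:00Z"},
]

# Constructed identity-directory export: account state and group memberships.
DIRECTORY = [
    {"username": "asmith", "enabled": True, "groups": ["staff", "vpn-users"]},
    {"username": "bjones", "enabled": True, "groups": ["staff", "vpn-users", "finance-db-admins"]},  # deprovisioning missed
    {"username": "cwu", "enabled": False, "groups": ["staff"]},
    {"username": "svc-backup", "enabled": True, "groups": ["backup-operators"]},  # no HR record: needs an owner
]

# Constructed authentication log: "timestamp key=value key=value ..." per line.
AUTH_LOG = """\
2024-03-04T08:15:02Z user=asmith src=10.0.4.21 service=vpn result=success
2024-03-06T22:41:10Z user=bjones src=203.0.113.9 service=vpn result=success
2024-03-07T01:03:45Z user=cwu src=198.51.100.77 service=sso result=failure reason=account_disabled
2024-03-07T01:04:12Z user=cwu src=198.51.100.77 service=sso result=failure reason=account_disabled
"""


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def terminated_users(hr_roster):
    """Map username -> termination time for every employee HR marks as terminated."""
    return {
        row["username"]: parse_ts(row["terminated_at"])
        for row in hr_roster
        if row["status"] == "terminated" and row["terminated_at"]
    }


def find_stale_accounts(hr_roster, directory):
    """Terminated in HR but still enabled in the directory: offboarding was not completed."""
    gone = terminated_users(hr_roster)
    return sorted(a["username"] for a in directory if a["enabled"] and a["username"] in gone)


def find_orphan_accounts(hr_roster, directory):
    """Enabled accounts with no HR record at all; each needs a named owner or should be disabled."""
    known = {row["username"] for row in hr_roster}
    return sorted(a["username"] for a in directory if a["enabled"] and a["username"] not in known)


def parse_auth_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with an aware 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = parse_ts(ts)
        events.append(event)
    return events


def detect_post_exit_access(hr_roster, directory, events):
    """Flag any authentication event by a terminated user after their termination time.
    A success is critical (the account still works); a failure still merits an alert,
    because someone is presenting credentials that should be dead."""
    gone = terminated_users(hr_roster)
    enabled = {a["username"]: a["enabled"] for a in directory}
    findings = []
    for ev in events:
        user = ev.get("user")
        if user in gone and ev["ts"] > gone[user]:
            findings.append({
                "user": user,
                "ts": ev["ts"].isoformat(),
                "service": ev.get("service"),
                "src": ev.get("src"),
                "result": ev.get("result"),
                "account_enabled": enabled.get(user, False),
                "severity": "critical" if ev.get("result") == "success" else "warning",
            })
    return findings


def run_checks(hr_roster=HR_ROSTER, directory=DIRECTORY, auth_log=AUTH_LOG):
    """Run all three checks and return a report dict ready for a ticket or SIEM alert."""
    return {
        "stale_accounts": find_stale_accounts(hr_roster, directory),
        "orphan_accounts": find_orphan_accounts(hr_roster, directory),
        "post_exit_access": detect_post_exit_access(hr_roster, directory, parse_auth_log(auth_log)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(), indent=2))
```

On the constructed data the report flags bjones as a stale account (HR says terminated, directory says enabled, and the account still holds a database-admin group), svc-backup as an orphan with no HR owner, and three post-exit events: one critical (bjones authenticating to the VPN five days after leaving) and two warnings (repeated failed logins against cwu's disabled account). Running the reconciliation on a schedule, and the log check continuously, is the automated form of the audit this section calls for; the HR termination timestamp is the anchor that ties the two together.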
In a world of remote work, BYOD policies, and increased workforce mobility, the offboarding process is more complex than ever. By making offboarding a rigorous, collaborative discipline within HR and IT operations, damaging and costly data breaches can be avoided, protecting the most vital corporate assets.
Craig Davies is Chief Information Security Officer at Gathid. He has over 25 years’ experience in technology and cybersecurity, with a focus on growth and governance that enables companies to thrive. As the first CEO of the Australian Government’s Cybersecurity Growth Network (AustCyber), Craig set out a plan to make Australia a global force in the cybersecurity market. He was the Head of Security at Atlassian, both before and during their IPO, where he developed and led their security program. Prior to this, Craig was the Chief Security Officer at Cochlear.