Security management for departing employees—whether it is of their own accord or the organization’s—is critical to reduce risks. Most companies have a poor or nonexistent off-boarding process. Aberdeen, a consulting firm, estimates that only 29% of businesses have a formal off-boarding process, which does not bode well for their IT security.
The end result? According to Infosecurity Magazine, as many as 72% of departing employees admit to taking company data, and 70% of intellectual property theft occurs within 90 days of an employee’s resignation or layoff.
Another study shows that a whopping 89% of workers still have access to a previous employer’s credentials. That poses huge cybersecurity issues for a company’s long-term viability.
Let’s take a look at the security management risks when an employee is improperly off-boarded.
What are the security management risks when an employee leaves?
Loss of data: Former employees who have access to data can willingly or inadvertently delete, copy, modify or damage data that is critical to your company’s business continuity. Operations and processes can come to a standstill due to a loss of data, mounting the costs associated with data recovery and managing the ripple effects.
Confidentiality and data breaches: Today’s hyper-competitive market for qualified labor means that an employee who leaves an organization will likely scout out opportunities with competitors. Imagine a disgruntled employee providing confidential information, proprietary knowledge, customer lists, contracts, or even programming code to your competition. Stealing or selling intellectual property or sensitive personally identifiable information (PII) for financial gain, otherwise known as data exfiltration, occurs more often than companies realize. The costs of data and confidentiality breaches are well documented each year in IBM’s annual reports.
Compliance and regulatory violations: Closely related to data loss, former employees who can still access and leak mission-critical data can lead to compliance failures and legal penalties. A study by Ponemon shows that the cost of insider threats jumped 31% in just two years, totalling $11.45 million in 2020 alone.
Damaged reputation: Security management issues can substantially damage a company’s reputation. A Forbes Insight report found that 46% of organizations have suffered reputational damage as a result of a data breach. Even more alarming: PricewaterhouseCoopers (PwC) reported that 87% of customers are “willing to leave a company who goes through a data breach.”
Profit-gouging costs: When employees leave a business, there can be a lot of wasted spend that falls off the radar. For example, former staff can continue to consume software licenses or other IT services. The costs can really add up if they go undetected for months or even years.
How can a company improve security management when an employee departs?
Security management and cybersecurity policies must become a top priority for companies, even those that enjoy a stable workforce, since economic ebbs and flows may prompt dismissals or lead employees to hand in their resignations for perceived greener pastures.
Regardless of whether you are dealing with a high-risk termination or saying farewell to a beloved staff member, IT security cannot be ignored. Your in-house or outsourced IT security services must be part of your company’s overall approach to security management.
To start, work with your IT security team to develop a comprehensive security management plan, which includes policies and procedures with respect to multi-factor authentication (MFA), regular backups of all systems, password rotation, and acceptable use rules for employees, regardless of their pay grade.
In addition, work with your IT security experts to assess the security of your current infrastructure, network, devices and applications. Invest in the latest technologies to safeguard your data and sensitive information; don’t put these investments off until “next year’s budget.”
Finally, re-evaluate your personnel’s off-boarding processes with both your IT security and HR teams. Put as much effort into off-boarding employees as you do on-boarding them.
Think of best- and worst-case scenarios and plan accordingly, from which teams need to be informed of an employee departure to the concrete steps to be taken as the person gears up to leave.
Contingency plans should also be elaborated and documented to mitigate the security management problems that can arise during cessation of employment.
In line with local and federal legislation as well as corporate policies, also monitor employee computer activity regularly for anomalous behaviour: remote access logs, use of unknown devices, access from new locations, information being forwarded to personal accounts, file transfers, etc.
An employee is leaving. What should the IT security team do?
On good terms. On bad terms. It’s never easy to strike the delicate balance between respecting a former employee and ensuring effective security management.
We’ve put together a checklist of what your IT security team should consider before, during and after the termination meeting/exit interview. In both cases, the exiting employee should be made aware of the steps your IT security team will take to avoid any misconceptions or frustrations.
- Establish a timeline of each step your IT security team will have to carry out up to the days following the last day of employment
- Disable multi-factor authentication and change the employee’s passwords for all applications, including business-critical tools and apps that can sync data to personal devices, like file hosting services
- Transfer any email and application accounts to the employee’s supervisor or department head
- Revoke access to the employee’s computer account, VPN/remote access, web-meeting and collaboration accounts, voicemail system, corporate network, social media accounts, database accounts, entry codes to your office, etc.
- Recover all equipment, including desktop computers, mobile phones, tablets, USB drives, external hard drives, etc. Don’t forget any electronic access badges, too.
- Conduct an inventory of all the software licences and apps the employee had; cancel any subscriptions or earmark them for new hires
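
One way to verify that the checklist was actually carried out, shown here as an added example that is not part of the original article: reconcile the HR departure list against account exports and login logs, and flag accounts still enabled, licences still assigned, and logins after the last day of employment. All data below is constructed, and the field names, system names and finding labels are hypothetical.

```python
from datetime import date, datetime, time

# Constructed sample data; field names and systems are hypothetical.
DEPARTURES = {"jdoe": date(2024, 3, 15), "asmith": date(2024, 4, 30)}
ACCOUNTS = [
    {"user": "jdoe", "system": "vpn", "enabled": True, "license": None},
    {"user": "jdoe", "system": "file-hosting", "enabled": False, "license": "pro-seat"},
    {"user": "asmith", "system": "email", "enabled": False, "license": None},
    {"user": "mlee", "system": "vpn", "enabled": True, "license": None},
]
LOGINS = [
    {"user": "jdoe", "system": "vpn", "when": datetime(2024, 3, 14, 9, 0)},
    {"user": "jdoe", "system": "vpn", "when": datetime(2024, 3, 20, 23, 41)},
    {"user": "mlee", "system": "vpn", "when": datetime(2024, 5, 2, 8, 30)},
]


def audit_offboarding(departures, accounts, logins, as_of):
    """Return sorted (user, system, finding) tuples for departed staff."""
    findings = set()
    for acct in accounts:
        last_day = departures.get(acct["user"])
        if last_day is None or as_of <= last_day:
            continue  # current employee, or departure not yet effective
        if acct["enabled"]:
            findings.add((acct["user"], acct["system"], "ACCOUNT_STILL_ENABLED"))
        if acct["license"]:
            findings.add((acct["user"], acct["system"], "LICENSE_STILL_ASSIGNED"))
    for event in logins:
        last_day = departures.get(event["user"])
        # Any login after the end of the last working day needs review.
        if last_day and event["when"] > datetime.combine(last_day, time.max):
            findings.add((event["user"], event["system"], "LOGIN_AFTER_DEPARTURE"))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, finding in audit_offboarding(
            DEPARTURES, ACCOUNTS, LOGINS, as_of=date(2024, 5, 3)):
        print(f"{user:8} {system:14} {finding}")
```

Run on a schedule against real exports, an empty result is the evidence that revocation and licence recovery were completed for every departure.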
Security management for current and past employees should never be taken lightly. With the right strategy and proactive planning, IT security teams can eliminate vulnerabilities to a company’s operations.