man packing up desk with cardboard box

A Poor Offboarding Process Could Be Exposing You to Cyber Security Threats

When an employee leaves a company, he or she opens the door to a variety of potential cyber threats if offboarding isn’t handled correctly.

This blog identifies the risks and helps you understand what you should be doing to prevent the worst from happening.


A Risk Regardless of Circumstances

Not every employee's departure is the same. Some people quit on their own initiative, while others could quit for poor performance. If offboarding isn't managed properly, these factors may substantially impact the harm they might cause.

A disgruntled employee might destroy files on the network if access hasn’t been cut off—or log in to the system over time to see if anything of value might pop up. An ex-employee with social engineering skills could even con Accounts Payable into wiring money to his or her account.

Even the best former employees can pose security risks if their login credentials are compromised yet still valid. The takeaway here is that any employee, whether great or disgruntled, can put your company at risk if their exit isn’t clean.


Consistency is Key and Takes Collaboration

Offboarding with cyber security in mind should be timely, thorough, and consistent for anyone leaving the organization. This means everyone from upper management to summer interns should be offboarded similarly.

IT should be involved at crucial points in the process, even if human resources usually takes the lead to guarantee that the network, data, and other digital assets of the business are not compromised and that no digital doors are left open when a person departs the company.

If not, missteps can occur, leaving your business vulnerable. A day or two delay in shutting off network access could give an ex-employee with malicious intentions a day or two head start in downloading sensitive files or worse.


Creating an Offboarding Protocol

A typical offboarding checklist might look something like this:

Step One: Notify IT and Security that the employee is leaving. At this point, one should retrieve key cards, any keys that allow physical entry, VPN tokens, and other items that permit access. 

Step Two: Revoke access on all system accounts. This typically starts with company email but can extend to shared drives, cloud storage accounts, and project or data management platforms.

Step Three: Verify that all assets have been collected. Be thorough in your assessment, and don’t ignore or overlook purchases that haven’t been returned.

Step Four: Once an employee has left the organization, periodically audit his or her accounts to ensure no one has accessed them. Keep an eye out for missing files, folders, or unauthorized downloads.
Step Five: Close or terminate any ex-employee accounts after a set time and commit these steps to a policy that can be implemented whenever someone leaves.


Promotions and Transfers 

 An employee may occasionally leave a department or division while still working for the same company. Although it would seem logical to presume that leaving won't put you at a disadvantage, failing to consider this could result in hazards.

For example, a senior employee is transferred to a position with less authority and reduced access to the company network. If access privileges aren't adjusted accordingly, he or she may still be able to collect high-level data.

This may not seem problematic; however, if the transfer was a demotion and the employee harbors negative thoughts or intentions, he or she could expose company data, sell sensitive information to competitors, or sabotage files.

As a result, it's crucial to consider internal transfers as offboarding events as well as make the necessary adjustments even when employees leave for other parts of the business.


IT’s Role 

We touched on IT’s role earlier, but it’s important to note that it occupies a unique space in the offboarding process. It’s the only function to monitor associate activity before, during, and after departure.
Therefore, IT must take a proactive role in monitoring and assessing vulnerabilities that can be exploited when employees depart.

Compared to dealing with ransomware attacks, expensive or crippling data breaches, and other potentially disastrous cyber-attacks, doing so may require allocating more time or employees to the function. However, this additional time is time well spent.