How to Protect Company Data & Assets When Employees Leave

The Great Resignation has left many companies reeling, experiencing a higher turnover rate than ever before. And while this is causing major problems for HR, it could also lead to underlying security issues.

Employees carry with them a lot of knowledge about how to access company systems, and that knowledge doesn’t just go away when they leave. Around 58 percent of IT and security professionals are concerned about the knowledge former employees have about accessing company infrastructure. So how can businesses protect themselves?

Create an Offboarding Checklist

Unlike onboarding, offboarding typically isn’t a planned experience, and it can be difficult to remember all of the steps you need to take while also trying to replace the person who is leaving. Unfortunately, this means security can fall through the cracks. Make an offboarding checklist of everything you need to do when an employee leaves: access you need to revoke, devices you need to reclaim and wipe, stakeholders you need to notify, etc.

Depending on the level of the employee leaving (individual contributor, manager, or executive), you’ll have different steps you need to follow. It can help to separate the list into sections covering steps you do for everyone, steps you only need to take if the former employee was management, and what to do if they were an executive. Plus, some employees may fall between categories. Having all of the steps in front of you will remind you what you need to check on.

Here are some of the tasks that should be a part of your offboarding checklist.

Revoke Access to Company Assets

One of the first things you need to do when employees leave is to revoke their access to company systems, even if they left on good terms. Change shared passwords, close their employee accounts, and take their email address off of any correspondence lists.

Brendan O’Connor, CEO and co-founder of AppOmni, a SaaS security management vendor, says, “This may sound obvious, but it’s shocking how often terminated employees retain access to systems and data long after they’ve left the company. And the issue has become more prevalent since SaaS applications like Microsoft 365 and GSuite are now more commonly used than software downloaded onto a device.”

Where before, employees could only access company data through company devices, bring your own device (BYOD) policies and remote work mean that’s no longer the case. Now, employees can access data and applications from their personal devices. If employers don’t revoke their access after they leave, they can take the information with them to their next role, which could have devastating effects, especially if they go to a competitor.

Remove Third-Party Accounts

Internal accounts may seem obvious, but employees also have access to tons of third-party applications that contain company data, including apps like Salesforce, Hubspot, and monday.com. “AppOmni’s data shows that, on average, enterprises have more than 42 distinct third-party applications connecting into their business-critical SaaS environments,” says O’Connor, noting also that those applications “can serve as a backdoor to confidential information in SaaS systems.”

Third-party applications host a wealth of valuable company information that businesses might often forget about. O’Connor says, “These apps are a key part of any enterprise cloud ecosystem and might include software for online document signing, email management, marketing automation, competitive information, and a wide variety of other use cases.” He explains that the solution is automated security tools that can monitor the usage and permissions of these third-party applications, preventing former employees from gaining access.
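A basic version of that monitoring is to reconcile HR's departure list against account exports from every internal and third-party application. The sketch below is an added example, not code from the article or from AppOmni; the CSV columns, application names, and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an HR export of departures
# and a merged account export from internal and third-party applications.
HR_DEPARTURES = """email,last_day
a.rivera@example.com,2024-03-01
j.chen@example.com,2024-03-15
"""

ACCOUNT_EXPORT = """app,email,status,last_login
sso,a.rivera@example.com,disabled,2024-02-29
crm,A.Rivera@example.com,active,2024-03-04
esign,j.chen@example.com,active,2024-03-10
crm,j.chen@example.com,disabled,2024-03-14
wiki,m.okafor@example.com,active,2024-03-20
"""


def load_departures(text):
    """Map normalized email -> last working day."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["email"].strip().lower(): date.fromisoformat(r["last_day"]) for r in rows}


def find_lingering_access(departures_csv, accounts_csv):
    """Return accounts that are still active for people who have left.

    Severity is "high" when the account was used after the last working day,
    "medium" when it is merely still enabled.
    """
    departed = load_departures(departures_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        email = row["email"].strip().lower()  # exports differ in letter case
        if email not in departed or row["status"].strip().lower() != "active":
            continue
        used_after = date.fromisoformat(row["last_login"]) > departed[email]
        findings.append({"app": row["app"], "email": email,
                         "severity": "high" if used_after else "medium"})
    # Report the accounts used after departure first.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["app"]))


if __name__ == "__main__":
    for f in find_lingering_access(HR_DEPARTURES, ACCOUNT_EXPORT):
        print(f"{f['severity']:6} {f['app']:6} {f['email']}")
```

Run on a schedule, a check like this catches the case where the single sign-on account was disabled but a separately provisioned application login was missed.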

Factory Reset Devices

If your company provides cellphones or laptops, upload any necessary files to the cloud once you get the device back and then restore it to factory settings. Malware can hide in devices for months or even years before executing its attack, and there’s no way to know what your former employee may have downloaded onto the device. Typically, a factory reset can remove any viruses or malware, unless they infected the data rather than the machine.

It’s a good idea to quarantine the files you take from these devices before mixing them with other company documents, giving your security team time to analyze them for threats.

Retain Institutional Knowledge

The Great Resignation is also having a major impact on cybersecurity teams, which are already overburdened thanks to the shift to SaaS and remote work and are now also losing staff. O’Connor says, “When security practitioners leave, they often take institutional knowledge with them, forcing teams to re-learn or re-establish critical processes. Or even worse, teams can be left performing legacy security processes without knowing the ‘how’ or ‘why’ they are being done.”

Leaders need to work on retaining that institutional knowledge through detailed process documentation, cross-training, and workforce assessments. They need to have an understanding of what each employee is responsible for and who could take over for them if they were to leave suddenly. Otherwise, they’ll be scrambling when it inevitably happens, leaving their business vulnerable to security threats. In addition to better training and documentation, data loss prevention (DLP) software can also help companies retain institutional knowledge.

Your Security Isn’t the Top Concern of Former Employees

Even when employees leave on good terms and especially when they don’t, the security of your business isn’t going to be their top concern. They may not do anything to intentionally cause harm, but breaches happen all the time, including when companies are actively trying to prevent them. Until you revoke their access to all your internal systems and get their company-owned devices back, former employees will remain a liability for your company.
