Three years after I left my former job, I got an official letter telling me the organization suffered a data breach. My personal information was at risk of identity theft. I shouldn’t have been surprised. That job’s offboarding process hadn’t been the best. For years after leaving, I had access to my email and to databases filled with sensitive data. While the cause of this data breach was never revealed, it could have very well been a former employee with a grudge, someone who had the same easy access I did. 

The employee offboarding policy and process is usually handled by human resources and the employee’s bosses. Maybe legal gets involved if there is something nefarious happening. IT and cybersecurity are an afterthought, if decision-makers even consider them at all. Even if you take away the former employee’s physical access — the keys, the badge — they may still be able to log in to the network, putting the company at risk of data breaches and putting them in violation of privacy compliance.

Before an employee goes through the final offboarding process with HR, IT and security teams should begin the process of deleting the out-going employee from network access.

Why Deleting a Former Employee’s Digital Profile Matters

The vast majority of people are good. When they leave a company — or move from one department to another — they have little interest in looking back at the offboarding process. They may not even notice they might still have access. Maybe they’ll look to see if they still have email access, but only to see if there is something important they may have missed.

But, not everyone is a good person. People will leave with bridges burned, some looking for revenge and some wanting to steal intellectual property. As long as that former employee has access to the network and data due to poorly secured offboarding, they are an insider threat.

According to the 2020 Insider Threat Report by Cybersecurity Insiders, 63% of respondents said those with privileged access pose the greatest risk to the organization. A single incident caused by an insider (or someone who continues to have the privileges of an insider) costs a company $750,000 in total including investigation, response and mediation, according to the Ponemon Institute.

Good Offboarding Helps Your Organization Overall 

Continued access, however, is only one threat to the organization’s security posture. Continuing to have data belonging to former employees mixed with current employees adds to the risks and costs if there is a data breach. Chances are, too, that you don’t silo former employees’ data in one location, but disperse it throughout the company in multiple databases and files.

Is all that information necessary? Rather than keep only what they need and deleting the rest, many organizations leave data to linger indefinitely. With data privacy regulations and compliances, organizations need a better assessment of and security over old data. Offboarding should include deleting any former cloud accounts accessed by the former employee so the company is no longer charged for the usage and the data doesn’t linger out in the open.

The former employee needs to hold up their end, too. They should delete any company apps on personal devices right away. Without access or reason to upgrade these apps, there is always the chance the user has never really logged off and is opening up opportunities for an infected device to infect the corporate infrastructure.

Create an Employee Offboarding Process

Your organization’s HR department likely has an offboarding process. That process should include IT and security personnel from the very beginning. Their role in the offboarding process should begin as soon as notice is given or as plans are in place to terminate an employee. IT and security should work together to create a checklist of their offboarding responsibilities, which should include the following:

1. Create an inventory of the employee’s digital life in the company. There should be a record of every company device in the employee’s possession, accounts they have access to and any admin permissions and responsibilities. The more that is known about the employee’s digital footprint, the easier it will be to delete it.

2. Set deadlines. Working with the employee’s manager, IT can set up specific times to delete access to accounts or have devices returned. At this point, the employee should only be able to access the data they are currently using to finish up projects. Also, begin to revoke software licenses for the outgoing user.

3. Audit what users do. Security should keep watch over network activity to ensure the employee isn’t downloading a high volume of files or moving them to personal clouds.

4. Deploy a data management solution that can easily silo employee data that must be retained.

5. Delete the employee’s access before they leave the building for the last time. Whether it is during the exit interview or the goodbye party, access to email, software, cloud services, apps and other digital properties should be removed.

6. Create a thorough list of digital devices to make sure everything has been recovered.

7. Shut access to any apps on personal devices.

8. Change passwords and set up forwarding for email and voicemail. 

9. Use a zero trust model for security. Once the person leaves, security should consider a zero trust model (if it isn’t used already) as part of the offboarding process. They should also assume that any attempt to log in is a potential threat that means action is required. 

Close the Door Behind You 

Good offboarding is like closing the door of a safe. Doing at least some of these things should help make sure your employees don’t end up in the same position I did. An employee should leave the company with the exact same amount of digital access with which they arrived — none.

More from Zero Trust

Does your security program suffer from piecemeal detection and response?

4 min read - Piecemeal Detection and Response (PDR) can manifest in various ways. The most common symptoms of PDR include: Multiple security information and event management (SIEM) tools (e.g., one on-premise and one in the cloud) Spending too much time or energy on integrating detection systems An underperforming security orchestration, automation and response (SOAR) system Only capable of taking automated responses on the endpoint Anomaly detection in silos (e.g., network separate from identity) If any of these symptoms resonate with your organization, it's…

Zero trust data security: It’s time to make the shift

4 min read - How do you secure something that no longer exists? With the rapid expansion of hybrid-remote work, IoT, APIs and applications, any notion of a network perimeter has effectively been eliminated. Plus, any risk inherent to your tech stack components becomes your risk whether you like it or not. Organizations of all sizes are increasingly vulnerable to breaches as their attack surfaces continue to grow and become more difficult — if not impossible — to define. Add geopolitical and economic instability…

How zero trust changed the course of cybersecurity

4 min read - For decades, the IT industry relied on perimeter security to safeguard critical digital assets. Firewalls and other network-based tools monitored and validated network access. However, the shift towards digital transformation and hybrid cloud infrastructure has made these traditional security methods inadequate. Clearly, the perimeter no longer exists. Then the pandemic turned the gradual digital transition into a sudden scramble. This left many companies struggling to secure vast networks of remote employees accessing systems. Also, we’ve seen an explosion of apps,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today