Three years after I left my former job, I got an official letter telling me the organization suffered a data breach. My personal information was at risk of identity theft. I shouldn’t have been surprised. That job’s offboarding process hadn’t been the best. For years after leaving, I had access to my email and to databases filled with sensitive data. While the cause of this data breach was never revealed, it could have very well been a former employee with a grudge, someone who had the same easy access I did. 

The employee offboarding policy and process are usually handled by human resources and the employee’s bosses. Maybe legal gets involved if there is something nefarious happening. IT and cybersecurity are an afterthought, if decision-makers even consider them at all. Even if you take away the former employee’s physical access — the keys, the badge — they may still be able to log in to the network, putting the company at risk of data breaches and in violation of privacy compliance requirements.

Before an employee goes through the final offboarding process with HR, IT and security teams should begin the process of removing the outgoing employee’s network access.

Why Deleting a Former Employee’s Digital Profile Matters

The vast majority of people are good. When they leave a company — or move from one department to another — they have little interest in looking back at the offboarding process. They may not even notice they might still have access. Maybe they’ll look to see if they still have email access, but only to see if there is something important they may have missed.

But not everyone is a good person. People will leave with bridges burned, some looking for revenge and some wanting to steal intellectual property. As long as that former employee has access to the network and data due to poorly secured offboarding, they are an insider threat.

According to the 2020 Insider Threat Report by Cybersecurity Insiders, 63% of respondents said those with privileged access pose the greatest risk to the organization. A single incident caused by an insider (or someone who continues to have the privileges of an insider) costs a company $750,000 in total including investigation, response and mediation, according to the Ponemon Institute.

Good Offboarding Helps Your Organization Overall 

Continued access, however, is only one threat to the organization’s security posture. Continuing to have data belonging to former employees mixed with that of current employees adds to the risks and costs if there is a data breach. Chances are, too, that you don’t silo former employees’ data in one location, but disperse it throughout the company in multiple databases and files.

Is all that information necessary? Rather than keeping only what they need and deleting the rest, many organizations leave data to linger indefinitely. With data privacy regulations and compliance requirements, organizations need a better assessment of and security over old data. Offboarding should include deleting any cloud accounts accessed by the former employee so the company is no longer charged for the usage and the data doesn’t linger out in the open.

The former employee needs to hold up their end, too. They should delete any company apps on personal devices right away. Since they no longer have access or a reason to upgrade these apps, there is always the chance the user has never really logged off, which opens up opportunities for an infected device to infect the corporate infrastructure.

Create an Employee Offboarding Process

Your organization’s HR department likely has an offboarding process. That process should include IT and security personnel from the very beginning. Their role in the offboarding process should begin as soon as notice is given or as plans are in place to terminate an employee. IT and security should work together to create a checklist of their offboarding responsibilities, which should include the following:

1. Create an inventory of the employee’s digital life in the company. There should be a record of every company device in the employee’s possession, accounts they have access to and any admin permissions and responsibilities. The more that is known about the employee’s digital footprint, the easier it will be to delete it.

2. Set deadlines. Working with the employee’s manager, IT can set up specific times to delete access to accounts or have devices returned. At this point, the employee should only be able to access the data they are currently using to finish up projects. Also, begin to revoke software licenses for the outgoing user.

3. Audit what users do. Security should keep watch over network activity to ensure the employee isn’t downloading a high volume of files or moving them to personal clouds.

4. Deploy a data management solution that can easily silo employee data that must be retained.

5. Delete the employee’s access before they leave the building for the last time. Whether it is during the exit interview or the goodbye party, access to email, software, cloud services, apps and other digital properties should be removed.

6. Create a thorough list of digital devices to make sure everything has been recovered.

7. Shut access to any apps on personal devices.

8. Change passwords and set up forwarding for email and voicemail. 

9. Use a zero trust model for security. Once the person leaves, security should consider a zero trust model (if it isn’t used already) as part of the offboarding process. They should also assume that any attempt to log in is a potential threat that requires action.
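
The inventory and access-removal steps in this checklist can be verified by reconciling HR departure dates against an account inventory. The following is an added example, not part of the original article; the CSV columns, sample rows and the function name `find_lingering_access` are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data; the column names are assumptions for this example.
HR_DEPARTURES = """employee_id,last_day
e1001,2024-03-15
e1002,2024-04-30
"""

ACCOUNT_INVENTORY = """employee_id,system,account,status,last_login
e1001,email,jdoe@example.com,active,2024-05-02
e1001,vpn,jdoe,disabled,2024-03-14
e1001,crm,jdoe,active,2024-03-10
e1002,email,asmith@example.com,active,2024-04-29
e1002,fileshare,asmith,active,
e1003,email,blee@example.com,active,2024-05-01
"""


def find_lingering_access(hr_csv, inventory_csv, today):
    """List accounts still enabled after their owner's last day."""
    last_day = {row["employee_id"]: date.fromisoformat(row["last_day"])
                for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(inventory_csv)):
        left = last_day.get(acct["employee_id"])
        if left is None or left >= today:
            continue  # current employee, or departure not yet past
        if acct["status"] != "active":
            continue  # access already removed
        # An empty last_login means the account was never used.
        login = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        findings.append({
            "employee_id": acct["employee_id"],
            "system": acct["system"],
            "account": acct["account"],
            "days_overdue": (today - left).days,
            "used_after_departure": login is not None and login > left,
        })
    # Accounts used after departure come first, then the longest overdue.
    findings.sort(key=lambda f: (not f["used_after_departure"], -f["days_overdue"]))
    return findings


if __name__ == "__main__":
    for f in find_lingering_access(HR_DEPARTURES, ACCOUNT_INVENTORY, date(2024, 5, 3)):
        flag = "USED AFTER DEPARTURE" if f["used_after_departure"] else "still enabled"
        print(f"{f['employee_id']} {f['system']:<9} {f['account']:<20} "
              f"{f['days_overdue']:>3}d overdue  {flag}")
```

Run on a schedule against real HR and identity exports, a non-empty result means an offboarding step was missed; any row marked as used after departure deserves immediate review.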

Close the Door Behind You 

Good offboarding is like closing the door of a safe. Doing at least some of these things should help make sure your employees don’t end up in the same position I did. An employee should leave the company with the exact same amount of digital access with which they arrived — none.
