April 23, 2021 By Mark Stone 4 min read

We all know about the threat of threat actors trying to access our corporate data.  But with the rise of remote work, keeping an eye on employees during offboarding is an important area to watch, as well.

In many cases, employees can still access sensitive data well after they leave the job. This is even more noticeable when they logged in to corporate networks or tools every day while working at home. To prevent these insider threats, a thorough offboarding process is critical.

What Are the Risks?

You’re probably familiar with best practices for digital basics like passwords and general data protection. But sometimes, the most insidious issues arise from those processes we tend to forget about or for which we find ourselves unprepared. These risks can come from either employees in the office or remote workers.

The biggest risk brought about by inadequate offboarding is employees with access to sensitive data they should no longer be able to reach. Unhappy employees (or ex-employees) can do major damage. What if they take your confidential corporate data or intellectual property and sell it on the dark web? How would that affect your company’s brand or customer trust?

What if an employee still has access to servers or apps they could easily take down, resulting in a denial-of-service attack? You may catch on quickly, but every minute counts. What if an employee has access to personally identifiable information about your customers and other employees and chooses to exploit that data?

Especially in today’s stressful times, people’s behavior can be erratic. Getting your offboarding right is a big step in preventing these types of problems.

What About Remote Employees Specifically?

It’s important to recognize that with today’s remote workforce, offboarding tasks can easily be missed. While difficult, the process for offboarding remote employees should be consistent with any other employee.

One thing to watch out for here is employees with cloud or software-as-a-service accounts. Especially with remote employees, it may be easier to miss people with confidential or business-critical data associated with their cloud accounts.

When dealing with numerous remote employees with cloud accounts, you’ll want to ensure you’re on top of the user licensing. Licensing costs can add up. User access can become confusing and may pose a data risk.

Finally, if an in-person exit interview isn’t feasible, conducting the interview via web conference is highly recommended. The closer you get to a face-to-face interaction, the higher the chance of the employee leaving with a positive outlook of the company. Just because the employee is remote doesn’t mean their offboarding should be remote as well.

Basic Offboarding Checklist

The risks outlined above represent the bad news. The good news is an effective offboarding strategy doesn’t have to be complicated. If you properly plan your offboarding process and follow it to the letter, it can be very straightforward.

The best offboarding plans include a checklist that key departments and personnel, such as HR, IT or the security team, can follow. Consistent communication between key personnel is essential. In my experience, as a former security professional with the government, offboarding was a relatively frictionless process because our security team worked hand-in-hand with the IT department and HR department. When HR employees understand how security fits into the offboarding process, they can minimize some risk.

The most important elements to consider in your offboarding strategy include:

Conducting More Thorough Exit Interviews

You’re probably already conducting exit interviews, but are you using the conversations as an opportunity to reiterate the company’s strong stance on data protection? Are you taking the time to remind employees about the penalties for data theft?

Don’t be afraid to take a hard line on security, especially with remote employees. If you reinforce its importance, you can minimize damage. What’s more, treating employees with respect and dignity during the interview goes a long way.

Revoking Access

This is another step that is very likely on your offboarding checklist. You’ll want to disable the accounts right away but need to make sure they are also deleted in good time. If it’s a corporate account not tied to the employee, you’ll need to change the password ASAP.

The question is, do you have a detailed list of every part of the network the remote employee has access to? If access control is documented properly from the beginning and Identity and Access Management (IAM) is well-adopted in your organization, knowing who has access to what resource shouldn’t be a problem. If you handle onboarding and ongoing access properly, offboarding is so much simpler.

What Is Often Forgotten in the Offboarding Process?

Good Asset Management

Keeping an up-to-date inventory of all your assets and endpoints is always a great best practice. Do you have a good Unified Endpoint Management system? If you know what assets an outgoing remote employee has access to or has in their possession (like USB sticks, access fobs, etc.) it’s easier to recoup them when offboarding happens.

Consistent Communication Between Departments

When you’re about to offboard an employee, keep all key personnel that needs to know up to date. Poor communication between team members can cause confusion and rumors.

Timing is key here. What if HR knows that an employee will be let go but the IT or security team isn’t made aware in time? What if other employees start gossiping? This can happen through Slack as well as in an office. If the employee finds out before his or her access is revoked, even a few minutes of access to systems and resources can have serious consequences.

Monitoring for Odd Activity

IT personnel should look for suspicious movement or access leading up to the offboarding date, even if the employee is trustworthy and aware of what’s happening. Log and monitor what they do online at work, including internet activity, app usage, on-premises and remote logins, file transfers and email.

Proactive monitoring may sound draconian, but I’ve seen firsthand that pre-offboard monitoring can catch some problems before they start. Detecting breaches as they happen or preventing them from happening at all is always best.

Zero Trust During Offboarding

Employees should only have access to the devices, networks and resources they need to do their jobs. As such, organizations adopting the zero trust model will be ahead of the game to prevent breaches that result from poor offboarding. With zero trust, all users, devices, applications and processes are limited to the minimum privileges necessary to operate effectively and meet an organization’s digital defense needs.

If your organization has a solid grasp on which users have what access, knows which endpoints are active and secure, and doesn’t have to worry about users with too much access, offboarding a remote employee is simplified. Then you’ll know you’ve covered all your bases, even when it comes to remote personnel who don’t work for you anymore.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today