We all know about the threat of threat actors trying to access our corporate data.  But with the rise of remote work, keeping an eye on employees during offboarding is an important area to watch, as well.

In many cases, employees can still access sensitive data well after they leave the job. This is even more noticeable when they logged in to corporate networks or tools every day while working at home. To prevent these insider threats, a thorough offboarding process is critical.

What Are the Risks?

You’re probably familiar with best practices for digital basics like passwords and general data protection. But sometimes, the most insidious issues arise from those processes we tend to forget about or for which we find ourselves unprepared. These risks can come from either employees in the office or remote workers.

The biggest risk brought about by inadequate offboarding is employees with access to sensitive data they should no longer be able to reach. Unhappy employees (or ex-employees) can do major damage. What if they take your confidential corporate data or intellectual property and sell it on the dark web? How would that affect your company’s brand or customer trust?

What if an employee still has access to servers or apps they could easily take down, resulting in a denial-of-service attack? You may catch on quickly, but every minute counts. What if an employee has access to personally identifiable information about your customers and other employees and chooses to exploit that data?

Especially in today’s stressful times, people’s behavior can be erratic. Getting your offboarding right is a big step in preventing these types of problems.

What About Remote Employees Specifically?

It’s important to recognize that with today’s remote workforce, offboarding tasks can easily be missed. While difficult, the process for offboarding remote employees should be consistent with any other employee.

One thing to watch out for here is employees with cloud or software-as-a-service accounts. Especially with remote employees, it may be easier to miss people with confidential or business-critical data associated with their cloud accounts.

When dealing with numerous remote employees with cloud accounts, you’ll want to ensure you’re on top of the user licensing. Licensing costs can add up. User access can become confusing and may pose a data risk.

Finally, if an in-person exit interview isn’t feasible, conducting the interview via web conference is highly recommended. The closer you get to a face-to-face interaction, the higher the chance of the employee leaving with a positive outlook of the company. Just because the employee is remote doesn’t mean their offboarding should be remote as well.

Basic Offboarding Checklist

The risks outlined above represent the bad news. The good news is an effective offboarding strategy doesn’t have to be complicated. If you properly plan your offboarding process and follow it to the letter, it can be very straightforward.

The best offboarding plans include a checklist that key departments and personnel, such as HR, IT or the security team, can follow. Consistent communication between key personnel is essential. In my experience, as a former security professional with the government, offboarding was a relatively frictionless process because our security team worked hand-in-hand with the IT department and HR department. When HR employees understand how security fits into the offboarding process, they can minimize some risk.

The most important elements to consider in your offboarding strategy include:

Conducting More Thorough Exit Interviews

You’re probably already conducting exit interviews, but are you using the conversations as an opportunity to reiterate the company’s strong stance on data protection? Are you taking the time to remind employees about the penalties for data theft?

Don’t be afraid to take a hard line on security, especially with remote employees. If you reinforce its importance, you can minimize damage. What’s more, treating employees with respect and dignity during the interview goes a long way.

Revoking Access

This is another step that is very likely on your offboarding checklist. You’ll want to disable the accounts right away but need to make sure they are also deleted in good time. If it’s a corporate account not tied to the employee, you’ll need to change the password ASAP.

The question is, do you have a detailed list of every part of the network the remote employee has access to? If access control is documented properly from the beginning and Identity and Access Management (IAM) is well-adopted in your organization, knowing who has access to what resource shouldn’t be a problem. If you handle onboarding and ongoing access properly, offboarding is so much simpler.

What Is Often Forgotten in the Offboarding Process?

Good Asset Management

Keeping an up-to-date inventory of all your assets and endpoints is always a great best practice. Do you have a good Unified Endpoint Management system? If you know what assets an outgoing remote employee has access to or has in their possession (like USB sticks, access fobs, etc.) it’s easier to recoup them when offboarding happens.

Consistent Communication Between Departments

When you’re about to offboard an employee, keep all key personnel that needs to know up to date. Poor communication between team members can cause confusion and rumors.

Timing is key here. What if HR knows that an employee will be let go but the IT or security team isn’t made aware in time? What if other employees start gossiping? This can happen through Slack as well as in an office. If the employee finds out before his or her access is revoked, even a few minutes of access to systems and resources can have serious consequences.

Monitoring for Odd Activity

IT personnel should look for suspicious movement or access leading up to the offboarding date, even if the employee is trustworthy and aware of what’s happening. Log and monitor what they do online at work, including internet activity, app usage, on-premises and remote logins, file transfers and email.

Proactive monitoring may sound draconian, but I’ve seen firsthand that pre-offboard monitoring can catch some problems before they start. Detecting breaches as they happen or preventing them from happening at all is always best.

Zero Trust During Offboarding

Employees should only have access to the devices, networks and resources they need to do their jobs. As such, organizations adopting the zero trust model will be ahead of the game to prevent breaches that result from poor offboarding. With zero trust, all users, devices, applications and processes are limited to the minimum privileges necessary to operate effectively and meet an organization’s digital defense needs.

If your organization has a solid grasp on which users have what access, knows which endpoints are active and secure, and doesn’t have to worry about users with too much access, offboarding a remote employee is simplified. Then you’ll know you’ve covered all your bases, even when it comes to remote personnel who don’t work for you anymore.

More from CISO

How to Solve the People Problem in Cybersecurity

You may think this article is going to discuss how users are one of the biggest challenges to cybersecurity. After all, employees are known to click on unverified links, download malicious files and neglect to change their passwords. And then there are those who use their personal devices for business purposes and put the network at risk. Yes, all those people can cause issues for cybersecurity. But the people who are usually blamed for cybersecurity issues wouldn’t have such an…

The Cyber Battle: Why We Need More Women to Win it

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…