April 23, 2021 By Mark Stone 4 min read

We all know about the threat of threat actors trying to access our corporate data.  But with the rise of remote work, keeping an eye on employees during offboarding is an important area to watch, as well.

In many cases, employees can still access sensitive data well after they leave the job. This is even more noticeable when they logged in to corporate networks or tools every day while working at home. To prevent these insider threats, a thorough offboarding process is critical.

What Are the Risks?

You’re probably familiar with best practices for digital basics like passwords and general data protection. But sometimes, the most insidious issues arise from those processes we tend to forget about or for which we find ourselves unprepared. These risks can come from either employees in the office or remote workers.

The biggest risk brought about by inadequate offboarding is employees with access to sensitive data they should no longer be able to reach. Unhappy employees (or ex-employees) can do major damage. What if they take your confidential corporate data or intellectual property and sell it on the dark web? How would that affect your company’s brand or customer trust?

What if an employee still has access to servers or apps they could easily take down, resulting in a denial-of-service attack? You may catch on quickly, but every minute counts. What if an employee has access to personally identifiable information about your customers and other employees and chooses to exploit that data?

Especially in today’s stressful times, people’s behavior can be erratic. Getting your offboarding right is a big step in preventing these types of problems.

What About Remote Employees Specifically?

It’s important to recognize that with today’s remote workforce, offboarding tasks can easily be missed. While difficult, the process for offboarding remote employees should be consistent with any other employee.

One thing to watch out for here is employees with cloud or software-as-a-service accounts. Especially with remote employees, it may be easier to miss people with confidential or business-critical data associated with their cloud accounts.

When dealing with numerous remote employees with cloud accounts, you’ll want to ensure you’re on top of the user licensing. Licensing costs can add up. User access can become confusing and may pose a data risk.

Finally, if an in-person exit interview isn’t feasible, conducting the interview via web conference is highly recommended. The closer you get to a face-to-face interaction, the higher the chance of the employee leaving with a positive outlook of the company. Just because the employee is remote doesn’t mean their offboarding should be remote as well.

Basic Offboarding Checklist

The risks outlined above represent the bad news. The good news is an effective offboarding strategy doesn’t have to be complicated. If you properly plan your offboarding process and follow it to the letter, it can be very straightforward.

The best offboarding plans include a checklist that key departments and personnel, such as HR, IT or the security team, can follow. Consistent communication between key personnel is essential. In my experience, as a former security professional with the government, offboarding was a relatively frictionless process because our security team worked hand-in-hand with the IT department and HR department. When HR employees understand how security fits into the offboarding process, they can minimize some risk.

The most important elements to consider in your offboarding strategy include:

Conducting More Thorough Exit Interviews

You’re probably already conducting exit interviews, but are you using the conversations as an opportunity to reiterate the company’s strong stance on data protection? Are you taking the time to remind employees about the penalties for data theft?

Don’t be afraid to take a hard line on security, especially with remote employees. If you reinforce its importance, you can minimize damage. What’s more, treating employees with respect and dignity during the interview goes a long way.

Revoking Access

This is another step that is very likely on your offboarding checklist. You’ll want to disable the accounts right away but need to make sure they are also deleted in good time. If it’s a corporate account not tied to the employee, you’ll need to change the password ASAP.

The question is, do you have a detailed list of every part of the network the remote employee has access to? If access control is documented properly from the beginning and Identity and Access Management (IAM) is well-adopted in your organization, knowing who has access to what resource shouldn’t be a problem. If you handle onboarding and ongoing access properly, offboarding is so much simpler.

What Is Often Forgotten in the Offboarding Process?

Good Asset Management

Keeping an up-to-date inventory of all your assets and endpoints is always a great best practice. Do you have a good Unified Endpoint Management system? If you know what assets an outgoing remote employee has access to or has in their possession (like USB sticks, access fobs, etc.) it’s easier to recoup them when offboarding happens.

Consistent Communication Between Departments

When you’re about to offboard an employee, keep all key personnel that needs to know up to date. Poor communication between team members can cause confusion and rumors.

Timing is key here. What if HR knows that an employee will be let go but the IT or security team isn’t made aware in time? What if other employees start gossiping? This can happen through Slack as well as in an office. If the employee finds out before his or her access is revoked, even a few minutes of access to systems and resources can have serious consequences.

Monitoring for Odd Activity

IT personnel should look for suspicious movement or access leading up to the offboarding date, even if the employee is trustworthy and aware of what’s happening. Log and monitor what they do online at work, including internet activity, app usage, on-premises and remote logins, file transfers and email.

Proactive monitoring may sound draconian, but I’ve seen firsthand that pre-offboard monitoring can catch some problems before they start. Detecting breaches as they happen or preventing them from happening at all is always best.

Zero Trust During Offboarding

Employees should only have access to the devices, networks and resources they need to do their jobs. As such, organizations adopting the zero trust model will be ahead of the game to prevent breaches that result from poor offboarding. With zero trust, all users, devices, applications and processes are limited to the minimum privileges necessary to operate effectively and meet an organization’s digital defense needs.

If your organization has a solid grasp on which users have what access, knows which endpoints are active and secure, and doesn’t have to worry about users with too much access, offboarding a remote employee is simplified. Then you’ll know you’ve covered all your bases, even when it comes to remote personnel who don’t work for you anymore.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today