Ask the Expert: 4 Steps in IT Offboarding to Protect Data & Minimize Risk
When employees are laid off or let go, the conversation about technology offboarding can be an uncomfortable one.
However, cybersecurity and data protection must be a priority. Treating them as one can alleviate the worry of losing data or suffering reputational damage, and handling offboarding properly can ensure a smooth transition. Here are some IT onboarding and offboarding best practices to protect your business from insider threats.
Your Employee IT Offboarding Process Checklist
When you're offboarding employees, the digital age has made the process more complicated than sending out final paychecks and packing up their desks.
A good employee offboarding checklist for IT starts with creating an email policy, removing access to sensitive data, retrieving company-owned assets, and backing up data.
1. Create a policy for email account deactivation
Many employees use their emails to send information back and forth regarding projects and sensitive client data. If they still have access to this information after being let go or putting in their notice, this can create a cybersecurity risk depending on the temperature of their departure.
It’s an unfortunate reality that disgruntled employees could use this information to steal clients in the future when they work somewhere else, or use data in other nefarious ways. They also pose the risk of causing damage to morale by badmouthing the company to other employees over email.
The solution to this is to create a strong policy on email deactivation. As an employer, you should have access to their conversations with customers up to that point. This includes instances where they were involved in transactions or conducting business on your behalf.
Retaining data while securing the account is essential for both cybersecurity and continuity, so new hires can pick up where the last person left off with their projects. It’s a good idea to retain email data and other employee records for one year or more after an employee leaves your company, so you can retrieve any crucial information for your records.
2. Remove access for terminated employees
Identifying which permissions or access you will need to revoke after an employee leaves starts with understanding which tools and assets they use to do their job. You can gain this understanding as soon as you hire a new employee. Working with your HR team during each onboarding is a great opportunity to draw up a list of the tools they will access in their role.
This list will show whether they hold any passwords to company accounts, social media profiles, etc. You can use this information to ensure no accounts fall through the cracks during the offboarding process.
3. Immediately recover company-owned assets
The process of retrieving business-owned assets such as laptops, hard drives, company cell phones, and other devices can get tricky with fully remote employees. In some cases, your staff might work in different states or even countries, complicating this task.
For remote employees, it’s relatively easy to shut down their accounts and lock them out of your network. However, even though you can remotely lock them out, you’ll want to be proactive about sending a prepaid mailing stamp to them so you can retrieve the assets ASAP.
This can help prevent them from damaging any company property before it’s returned.
Security Risks for BYOD vs Corporate Devices
You may think that allowing employees to use their own devices for business operations (BYOD) makes offboarding simpler. However, this can have grave consequences due to the inconsistent cybersecurity features of outside devices.
Experts warn that it only takes one vulnerability or infected piece of technology to allow hackers to access your network.
To learn more about BYOD and why it's likely in your best interest to avoid it, read our article: Bring Your Own Device (BYOD) Policies: Benefits and Risks
4. Back up data as necessary
Just like with regular cybersecurity, it’s important to have backups so data is not lost if it falls into the wrong hands. Ransomware attackers exploit businesses that can’t afford to lose sensitive information or have it leaked. The same principle applies to the ways disgruntled employees might handle sensitive information if they know it can damage your organization.
To protect your data from permanent deletion, the most effective method is to back up data regularly. This will give you some leverage if ex-employees try to destroy data before you have the chance to remove access.
How Can Organizations Protect Against Insider Threats?
Hopefully, this will give you a solid start on creating a smooth and positive offboarding experience for departing employees whenever possible. However, if you're looking to revamp your IT and cybersecurity strategy, IT support for businesses is an excellent resource.
Managed IT services for businesses allow them to get expert advice and comprehensive evaluations to determine critical vulnerabilities and solutions.
About Lindsay Usherwood, General Counsel
Lindsay Usherwood serves as Usherwood Office Technology’s General Counsel and Corporate Secretary. After graduating from law school, Lindsay dove into the family business in 2018. She developed a passion for using her legal experience to help with managed IT operations to build on and maintain customized, secure, and legally compliant IT solutions. She has 8 years of experience in law, a BS in Business Administration and a J.D. Law Degree from Syracuse University.