Guide

Employee offboarding and data security - How to mitigate risk

Laptop with files and security emblem

Incorporating data security into your employee offboarding process

As any human resources (HR) manager knows all too well, employees come and employees go—sometimes on a steady basis. When staffers leave, regardless of the circumstances, companies need to make sure they don’t also walk out with credentials that allow them to continue to access valuable data such as customer information, trade secrets, product specifications, and other intellectual property.

Businesses might frequently find themselves in circumstances where someone in a data-intensive position, or who has access to sensitive company information, decides to move on to another company. What many don’t realize, though, is that there are clear security risks when this happens.

Imagine if someone with access to customer records or the details of a new product in development leaves to work for a competitor, but they still have access to all of their original company’s data. For a small company looking to break into a market or expand its presence, that can be a major problem.

This is why it’s a good idea to create a strategy and documented procedures for offboarding departing employees. This helps to protect company data from unauthorized access or potential theft.

It’s inevitable that an employee who has access to sensitive company data will eventually decide to move to another job. What many businesses don’t realize is there are clear security risks when this happens.

Any offboarding process should include several key practices. But before getting into these, it’s important to note that the effort to protect data actually begins well before an employee even thinks about leaving—and it’s about setting boundaries. The employee handbook or manual, or other documentation signed by the employee should clearly state terms of use, and access to, company systems and data.

These policies should take into account input from company leadership across the organization. Each area of the company will have specific tools and data sets that should be accounted for in the policies with IT and HR teams working closely together to ensure all access is turned off when an employee leaves.

Offboarding Security Best Practices

As soon as an employee is ready to leave, usually on their last day, a key step is to retain or restore the departing employee’s files. This can be achieved by using an application installed on the employee’s device to download the individual’s files, and typically involves a few straightforward steps.

Once the restoration is complete, it’s time to deactivate the user, which means signing the user out of all devices and online sessions and removing access to all company networks including cloud-based services. The ex-employee will no longer be able to access company data resources or applications. Passwords should be changed on any shared accounts.

Collect any company-issued devices including desktops, laptops, smartphones, tablets, and external hard drives, USB sticks, and access badges. Never assume that employees will remember to turn in these devices on their own.

It’s inevitable that employees will leave companies. By taking these steps, companies can help to protect their valuable data from unauthorized access or theft.

A Checklist for Employee Offboarding

One of your employees is leaving the company? Here’s a checklist of steps to take to ensure that data is protected.

  1. When an employee leaves the company, retain or restore the departing employee’s files. This can be done by using an application installed on the employee’s device to download files.
  2. After the restoration is complete deactivate the user in all applications that they had access to. Sign the user out of all devices and online sessions.
  3. Remove the user’s access to all company networks including any cloud-based services.
  4. Change passwords on any shared accounts.
  5. Update the employee’s email and phone accounts.
  6. Collect all company-issued devices such as desktop and laptop computers, smartphones, tablets, and external hard drives, USB sticks, and access badges.

Interested in additional reading?

Check out our resources page for more articles on cybersecurity, ransomware, phishing and more!