When times are tough, employers must tighten their belts, which often involve cutting staff, either indefinitely or for an unconfirmed period of time. Either way, the off-boarding process must be carefully reviewed before doing so.
HR will need to work closely with the IT department to coordinate their departure and ensure that they are not putting valuable company data at risk.
Depending on how long the employee has been with the company, this might not be an easy task. The employee will have access to many different resources, and their personal data could be spread across multiple platforms and data centers.
The IT department will need to spend a sufficient amount of time establishing a comprehensive checklist, which HR can follow. Below are some of the key areas that need to be considered when developing an off-boarding checklist.
Deleting and Deactivating Authorized Accounts
Companies often fail to properly manage inactive user accounts, which means that ex-employees are still able to access company data after they have left. If the employee left on bad terms, they may choose to log back into their account for malicious reasons – perhaps to steal data for financial gain.
Even if the employee didn’t leave on bad terms, they may still try to access their account out of curiosity, boredom, or perhaps for a prank. For example, they may decide to login to the company’s Twitter account, and fire-off a “funny” tweet. They may decide to tamper with security settings, thus making it easier for hackers to infiltrate the system.
Alternatively, the ex-employee’s device could get lost, stolen or damaged, and taken to a repair shop. Either way, if a company fails to promptly manage inactive user accounts, there’s a chance that someone could gain unauthorized access to company data.
In an ideal world, each employee would have just one set of credentials, which they will use to access all systems and data. However, many companies may still be using outdated legacy systems, alongside their new systems.
In which case, HR will need to know exactly what systems the employee had access to, which will involve communicating with all relevant departments – the most important being IT. They will need to remove all email and social media accounts associated with the employee. However, give the employee an opportunity to setup auto responders and tie up any loose ends before doing so.
Of course, managing inactive user accounts can be done manually, however, it should be noted that there are number of proprietary real-time auditing solutions available that are able to detect and mange inactive user account automatically.
Naturally, if you find yourself in a position where you have to cut staff, then any solution that can automate the off-boarding process, or any other process for that matter, should be considered.
Removing Personal Data
Any information relating to the fired of furloughed employee that is no longer needed should be carefully removed from the system. Before doing so, make sure that you understand your legal responsibilities. For example, companies may be required to retain certain information about the employee, such as for tax reasons.
Make sure that you understand which data privacy laws apply to your organization, and the rules that stipulate what data can be stored, and the recommended protocols for removing it.
Changing Shared Passwords
Although not recommended, it’s not uncommon for users to share the same credentials. As mentioned above, sometimes users have shared access to social media accounts, such as LinkedIn or Twitter. They may also share access to privileged email accounts, perhaps to deal customer complaints and enquires.
Naturally, an employee who has been furloughed or dismissed should be prevented from accessing these accounts after they have left. However, the obvious problem with shared accounts is that it is impossible to block a single user from accessing the account, without changing the account password. In which case, you must ensure that you inform all relevant employees about the password change and give them a specific date and time when the change will occur.
Naturally, you will need to ensure that all other user accounts associated with the dismissed employee have been terminated first, to ensure that they don’t get access to the new password. It might be a good idea to ensure that all shared passwords have an expiry date.
There solutions available that can automate the process of reminding administrators to reset the password for the shared account.
Recovering Company Devices
Companies often issue mobile devices and laptops to their staff. And these devices (we assume) will have been checked by the IT department to ensure that they meet the company’s security requirements. When an employee leaves the company, not only will you need to ensure that you recover these devices, but you will need to carry out additional security checks.
This might include scanning for malware, vulnerable applications, or anything else that could indicate that the device has been compromised in some way. Many of these devices will have access to the company’s applications and servers, even if the individual in possession of the device doesn’t have access to any credentials.
Before recovering the device, give the employee an opportunity to clean-up after themselves, which includes backing up and removing any data on the device that belongs to them. Alternatively, offer to help them out by extracting their data from the device, and sending it to them via email, or saving it onto a portable drive.
Erasing all Company Data from Personal Devices
These days, increasingly more companies have introduced a Bring Your Own Device (BYOD) policy, which, as the acronym would suggest, allows employees to use their own device in the workplace. However, given the significant security risks that come with BYOD, many companies carry out security checks on these devices before they can be used to access the company network.
This is great, but what happens when an employee leaves your organization? Ideally, the soon-to-be-ex-employee will allow you to carry out another security check on their device to ensure that all company data, and applications that have access to company data, are safely removed.
Of course, the fired or furloughed employee might not be willing to co-operate, especially if they are feeling disgruntled about the terms of their dismissal. In which case, you may need to resort to asking them to sign some kind of legal contract, before they are allowed to use their device to access company data.
Businesses must strike a balance between ensuring that their data is secure and being amiable and responsive to the concerns of the employee. At the end of the day, you need their co-operation. Treating them like they are criminals, when they’ve done nothing wrong, could potentially backfire. Communicate with employees as much as possible.
Talk to them about the importance of data security and reassure them that the seemingly draconian protocols which you are asking them to comply with, are necessary, and not personal.