
By: Eileen Smith on July 07, 2025


What Should You Do To Protect Your Data When An Employee Leaves?


Whether you are facing an organization-wide downsizing or just dealing with routine turnover, making sure that your company data is protected when employees terminate employment is a key part of IT infrastructure management and cybersecurity.

In this article, we'll outline a 4-step process designed to help ensure that your IT team is doing all it can to protect your organization and sensitive data during employee transitions.

Before we get started, let me reassure you that although Kelser provides comprehensive managed IT support services, the intent of this article is not to convince you to work with us. We know that might sound strange, but the truth is that we know managed IT isn’t the right solution for every organization.

Instead of trying to tell you how great we are, we spend our time focusing on providing the technology information you need to help you make the right IT choices for your organization.

We know everyone is not an IT expert. So, we write relevant articles like this that provide easy-to-understand information you can use.

Why Is It Important To Restrict Access To Data & Systems When Employees Leave?

Access to data and IT systems is a privilege reserved for your employees. That's why many companies establish role-based access to ensure that employees have access to only the information they need to do their jobs, but not complete access to everything.


When people stop working for your organization, no matter the circumstances surrounding their departure, it’s important to restrict their access to company and customer information.

While most people leave jobs on good terms, it only takes one person with bad intentions to cause serious damage.

Although a rare occurrence, there have been instances in which terminated employees have used their former employer’s network or a company email address to spread misinformation among customers, suppliers, or on public forums to ruin brand reputation and cause irreparable damage to business relationships.

Or, a single disgruntled employee who has access to your manufacturing equipment could shut down production operations or intentionally damage your systems and devices. Former employees could also delete key data, taking your business offline and causing your business to grind to a halt. 

Other potential concerns are access to customer contact lists (which could result in customer poaching) as well as the theft of confidential company or customer information—including business plans, credit card and bank information, or other sensitive personal information.


What Are Key IT Actions To Take When Employees Leave?

So, what are the key IT actions your team needs to take when an employee leaves your organization? Here are four we’ve found to be vital to ensure the security of data and systems:

1. Communicate

At Kelser, one of the first things we do when someone leaves our company is notify other employees, particularly our IT team. This one simple step ensures that everyone knows the person should no longer have access electronically or in-person.

2. Recover Devices

This may go without saying, but it’s important to recover devices as soon as possible to minimize opportunities for soon-to-be former employees to transfer sensitive information to personal devices.

In small companies, there is a tendency to give people the benefit of the doubt and assume that they eventually will turn in company-provided devices.

This is where small companies can take a lesson from larger organizations that require employees to turn in devices immediately upon terminating the working relationship. 

All companies should have a procedure for collecting IT devices upon termination. While phones and laptops may spring immediately to mind, don’t forget about tokens for multi-factor authentication, badges, and any other company devices.


With the proliferation of remote work, it’s more important than ever to have a current and comprehensive list of equipment and who it has been allocated to, so that you can be sure to recover every piece of company-owned technology.

3. Disable Access & Change Passwords

This is one step, but it has many parts. You’ll need to disable:

    • Email

You don’t want a terminated employee to continue to communicate with employees, suppliers, or customers from a legitimate company email account.

You may also want to forward incoming email messages sent to the ex-employee to someone else in the organization to ensure that customer emails still receive attention.

    • Phones

If you use a Voice over Internet Protocol (VoIP) phone system, it will likely fall to the IT staff to remove the user from the phone system.

Make sure that the phone line hasn’t been forwarded to an unauthorized external number and consider forwarding the existing phone line to another team member so that calls don’t go unanswered.

Don’t forget to disable voicemail and external access to it.

    • Virtual Private Networks (VPNs)

Remote access is a security concern. Make sure to lock down access to VPNs.


    • Fobs, Badges, Keypads & Tokens

Fobs, badges, keypads, and tokens make it possible to access physical locations, systems, or devices. Make sure to collect them or change the passwords as an added security measure to protect your facilities, data, and systems.

 

    • Networks, Servers & Portals

Make sure to remove permissions for terminated employees from networks, servers and portals.

    • Software/Applications

Tools like customer relationship management (CRM) software and file sharing applications (among others) contain valuable information. Make sure to protect your data by revoking permissions for terminating employees or changing passwords when employees leave your organization.

4. Monitor Systems & Devices

If you aren’t already, make sure to perform real-time monitoring so that you can spot unusual and unauthorized activity and act quickly to minimize the impact.

The specific list of actions you need to take will be dictated by the tools you use.

Think about how employees access your infrastructure, how they communicate with co-workers, suppliers and customers, and keep in mind that some employees may have multiple devices and usernames.
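
As an added illustration (not part of the original article or any Kelser tooling), the sketch below cross-checks an offboarding roster against access logs and flags any activity by a departed employee's usernames, badges, or tokens after their termination time. The roster, the five-field log format, and every name in it are constructed for this example.

```python
from datetime import datetime

# Constructed roster: every username, alias, and credential ID each departed
# employee held, plus the termination time (all values are made up).
ROSTER = [
    {"employee": "J. Doe", "terminated": "2025-07-01T17:00:00+00:00",
     "identities": {"jdoe", "jdoe-admin", "john.doe@example.com", "badge-0417"}},
    {"employee": "A. Roe", "terminated": "2025-07-03T12:00:00+00:00",
     "identities": {"aroe", "token-2290"}},
]

# Constructed events in a hypothetical normalized format:
# timestamp system identity action result
EVENTS = """\
2025-07-01T09:12:00+00:00 vpn jdoe login success
2025-07-01T21:40:00+00:00 vpn jdoe login failure
2025-07-02T02:15:00+00:00 crm JDoe-Admin export success
2025-07-02T08:30:00+00:00 voip jdoe forward-set success
2025-07-03T11:59:00+00:00 email aroe login success
2025-07-04T07:05:00+00:00 door badge-0417 entry success
2025-07-04T07:06:00+00:00 vpn bsmith login success
"""

def build_index(roster):
    """Map every lower-cased identity to (employee, termination time)."""
    index = {}
    for rec in roster:
        cutoff = datetime.fromisoformat(rec["terminated"])
        for ident in rec["identities"]:
            index[ident.lower()] = (rec["employee"], cutoff)
    return index

def post_termination_activity(roster, log_text):
    """Return events by departed identities that occur after their cutoff."""
    index = build_index(roster)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the review
        ts, system, ident, action, result = parts
        hit = index.get(ident.lower())  # usernames compared case-insensitively
        if hit and datetime.fromisoformat(ts) > hit[1]:
            # A success means access was never disabled; a failure means
            # someone is still trying the credential.
            severity = "ACCESS-STILL-ACTIVE" if result == "success" else "attempt"
            findings.append((severity, hit[0], system, ident, action, ts))
    return findings
```

Calling `post_termination_activity(ROSTER, EVENTS)` returns one tuple per finding, which can be used to confirm that every item on the disable list in step 3 was actually completed.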


The Bottom Line With Protecting IT When Employees Leave Your Organization

After reading this article, you understand four key IT actions that can help protect data when people within your organization terminate their employment: communication of terminations, recovering devices, disabling access and changing passwords, and performing ongoing monitoring. 

You understand why these actions are important and the potential implications of not taking action.

The next step, if you don't already have one in place, is to develop an IT-specific employee offboarding process.

Your employee offboarding or exiting procedure should include a pre-set checklist to allow you to easily track the company-provided devices, software, files, passwords, and other IT property owned by your company.

That way, when employees leave your organization you know exactly what items you'll need to collect, and what access and permissions you'll need to disable.

Your offboarding process should also include a Data Retention & Destruction policy to ensure that certain critical information is properly archived or disposed of, in keeping with applicable laws, regulations, and industry best practices. 

Your internal team may be able to develop these procedural stepping stones or you may need help from an external managed IT services provider (MSP). Either way, it's imperative that you develop and implement a formal procedure to follow to keep your data safe when employees leave your company. 

If you find yourself considering external IT support, I encourage you to explore several providers so that you find one that is the right fit for your organization. The truth is there are a lot of options out there, and only you can decide which provider is right for you. 

Wondering how to select a provider? We know it can feel overwhelming. Learn Why Are More Small And Medium-Sized Businesses Using Managed IT?

Get a no-obligation managed IT support services checklist to help you determine if you have the internal support necessary to align your current IT needs with your long-term goals and see whether managed IT might be a good solution. 


About Eileen Smith

Eileen merges her extensive experience as an educator and professional journalist into her role as Kelser’s Content Manager. She brings a different perspective in translating complex technology ideas into easy-to-understand articles.
