If your business operates in 2021, more than likely at least some aspects of your day-to-day operations happen in cyberspace. This makes it easier for a business to function, especially over long distances and across separate bases of operation. But it also poses challenges, particularly when multiple employees have access to sensitive data.
One of these challenges, surprisingly, is sometimes treated as an afterthought: what happens when an employee who has access to sensitive information leaves the company? When an employee leaves a company, whether voluntarily or involuntarily, a process occurs (or needs to occur) to remove that employee’s access to sensitive information, as well as to remove that employee’s “digital profile.” In business terms, this process is called “offboarding employees,” and in a digital age, there are right ways and very wrong ways to do it.
Why is Proper Offboarding Important?
Here’s why this is so important:
- Studies show that more than 60% of cyber attacks happen from within the company. In other words, employees who had access to sensitive information used that access to sabotage the employer in some way.
- Studies also show that when employees leave a company, even on good terms, chances are the employee left a device, app, or licensed software open. Since the employee never signed off, that open session leaves the door open for hackers to make their way into the company’s private and sensitive databases.
What Are Some of The Best Practices For Offboarding Employees?
Many business professionals, particularly those who work in IT and/or loss prevention, would tell you that the best way to mitigate potential data breaches is to keep all of the company’s data in a centralized cloud-based location.
In addition to cloud storage, companies should also automate the processes that remove employee access to sensitive data, as well as digital profiles (email accounts, etc.). This is perhaps one of the more effective ways to offboard employees.
What If The Database Is Not Centralized in the Cloud?
In these cases, specific steps need to be taken:
- Once a decision is made that an employee will be ending employment, IT should be notified and the process of removing access should begin immediately.
- As an employee moves closer to the departure date, access to any information that is non-essential to the employee’s remaining tasks should be removed (passwords changed, keycards disabled, licensed software permissions removed).
- Employee activity should be monitored closely. This is mainly to see if data transfers are taking place where information is being moved to private accounts. This type of transfer can be an early indicator that the employee may be planning something nefarious against the employer.
- Any mobile devices in the employee’s possession must be returned. This is an especially difficult challenge. If the employee is in possession of devices that can be removed from the company premises, it’s more difficult to track what the employee is doing with these devices. Information can sometimes be transferred without the company’s knowledge. The same is true for personal devices that were never approved by the IT department.
- Make sure that, by the time the employee walks out the door for the last time, all of the access and digital profiles have been revoked and removed.
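The final check in the list above can be scripted. The following is an added example, not part of the original article: it reconciles an HR departure list against account exports and flags credentials that are still enabled, or were used, after the owner's last day. The employee IDs, system names and record fields are constructed assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical IDs and systems, not from the article).
DEPARTURES = {            # employee id -> last working day, as recorded by HR
    "e1001": date(2021, 3, 12),
    "e1002": date(2021, 3, 31),
}
ACCOUNTS = [              # one row per credential, exported from each system
    {"owner": "e1001", "system": "email",   "enabled": False, "last_used": date(2021, 3, 12)},
    {"owner": "e1001", "system": "vpn",     "enabled": True,  "last_used": date(2021, 3, 20)},
    {"owner": "e1001", "system": "keycard", "enabled": True,  "last_used": date(2021, 3, 11)},
    {"owner": "e1002", "system": "email",   "enabled": True,  "last_used": date(2021, 3, 24)},
    {"owner": "e2001", "system": "email",   "enabled": True,  "last_used": date(2021, 3, 24)},
]


def audit_offboarding(departures, accounts, today):
    """Return findings for credentials that outlived their owner's employment."""
    findings = []
    for acct in accounts:
        last_day = departures.get(acct["owner"])
        if last_day is None or today <= last_day:
            continue  # current employee, or still working out the notice period
        used_after = acct["last_used"] is not None and acct["last_used"] > last_day
        if acct["enabled"]:
            severity = "critical" if used_after else "high"
            issue = "still enabled after departure"
        elif used_after:
            severity, issue = "high", "used after departure before being disabled"
        else:
            continue  # disabled and never used after the last day: clean
        findings.append({
            "owner": acct["owner"], "system": acct["system"],
            "issue": issue, "severity": severity,
            "days_overdue": (today - last_day).days,
        })
    # Worst findings first, then the longest-overdue ones.
    return sorted(findings, key=lambda f: (f["severity"] != "critical", -f["days_overdue"]))


if __name__ == "__main__":
    for f in audit_offboarding(DEPARTURES, ACCOUNTS, today=date(2021, 3, 25)):
        print(f"{f['severity']:8} {f['owner']} {f['system']:8} {f['issue']} "
              f"({f['days_overdue']} days overdue)")
```

Run on a schedule against fresh exports, an empty result is the evidence that the last step of the checklist was actually completed.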
Key Takeaways
Ideally, cloud-based storage platforms make offboarding employees the least complicated, because information can be controlled (and in some cases removed from personal devices) with the least difficulty. However, if your company is not operating in a central location, the main takeaway is that the offboarding process needs to be thorough and ongoing, and it needs to take place immediately.