The Top 4 Threats Posed by Improper Offboarding (and How to Overcome Them)
July 12, 2017
7 minute read
Offboarding begins long before an employee’s last day.
Or at least it should.
However, the vast majority of companies think about offboarding when it becomes a problem, not before. But what happens if neglect becomes the only strategy?
The results are potentially devastating. A simple offboarding error can cost an entire IT team their jobs, not to mention C-level executives. Knowing the risks and taking preventative and proactive actions to protect data won’t go unnoticed, especially if the complexity and value of those measures are articulated.
Offboarding is a dirty job, but somebody has to do it. And that somebody needs to do it right.
#1 – Exiting Employee Steals or Inappropriately Accesses Company Data with Malicious Intent
A data breach is probably the first risk that comes to mind when discussing offboarding. A departing employee may leave on less than amicable terms, and still holds credentials and knows exactly where the valuable data lives.
This is an insider threat, and it’s one of the most common causes of data breaches. Companies that want to avoid it have many preventative measures available, many of which belong before offboarding officially begins.
Here are a few common preventative practices:
Step 1 – Prevent email forwarding and sharing files to personal accounts.
Offboarding should start well before the last day. Many employees think nothing of taking information with them when they switch jobs. Sometimes it’s harmless: personal notes or miscellaneous emails forwarded to a home account. Other times intellectual property walks out the door, and customer or employee personally identifiable information (PII) can slip through the cracks, turning a departure into a compliance problem. Policies such as blocking auto-forwarding rules to external addresses and restricting file sharing to personal domains can (and in many cases should) be in place to prevent this behavior, and they are far more effective if they are enforced for everyone all the time rather than switched on after notice is given.
Step 2 – Reset shared passwords.
At most companies, and in most departments, shared accounts are protected by common passwords that are passed along by word of mouth or stored in a password manager. They are often simple to remember, and an exiting employee doesn’t suddenly forget them. IT should take responsibility for rotating every shared credential the departing employee could have known, which means an inventory of those shared accounts has to exist before offboarding starts. A password manager like LastPass makes the rotation easier to execute and adds an extra layer of security by allowing very complex passwords, because no one needs to remember them in the first place.
Step 3 – Revoke access to all applications.
It should take just seconds, not minutes, hours, or days for IT to revoke access to applications as soon as an employee exits. Failure to do so is a severe concern. An ex-employee with bad intentions can wreak havoc on purpose. An ex-employee with good intentions can wreak havoc by accident. Either way, revoking access to all applications should be done in a timely (i.e. immediate) fashion. Be sure to examine which applications may retain authentication through OAuth tokens even after a user’s password is changed on the account. It is well documented that users can stay signed in to applications via OAuth grants and existing sessions after a password change, so revoke those tokens and sessions explicitly rather than assuming the password reset took care of them, and verify afterwards that nothing is still listed.
Step 4 – Collect and/or wipe data from devices.
Much like revoking access to applications, immediately when an employee walks out the door, company data should be removed from mobile devices, whether they are owned by the company or the ex-employee. Without doing so, a company is vulnerable. There are a variety of mobile device management solutions on the market to help enforce a policy here, although stock solutions like G Suite’s device management controls are often enough these days, if your company is not dealing with much sensitive information in offline files. However, you still need to automate the execution of these steps in order to protect against exposure.
#2 – Compliance Violations or Breaches of Confidentiality Due to Administrative Errors
There are a number of industry regulations and compliance standards that apply to offboarding, not to mention the fact that offboarding almost universally deals with information that’s confidential to the organization or even to the individual. And IT is responsible for making all of this work.
To reduce the risk of administrative errors, compliance violations, and breaches of confidentiality during the offboarding process, companies must use technology that enables them to:
Step 1 – Employ a granular least privilege model (even outside of IT).
When it comes to compliance, IT should consider a least privilege approach, meaning anyone in the organization only has the access necessary to do their jobs and nothing more. If an IT team member or other functional role involved in offboarding (such as HR) does not need access to the contents of a user’s files, or to certain sets of sensitive information, then don’t give them the opportunity to cause harm (intentionally or by accident) by granting that access simply because they are involved in offboarding. Stick to least privilege rigorously. This approach will help companies avoid potential privacy and confidentiality violations, as well as eliminate many compliance concerns.
Step 2 – Prevent unnecessary exposure of sensitive information.
Sensitive information such as social security numbers and banking details is handled during the offboarding process (final pay, benefits, tax paperwork). To prevent unnecessary distribution, regular expression DLP policies can help ensure sensitive information isn’t accidentally shared with co-workers or external parties. Pair the patterns with some validation (SSN area rules, bank routing checksums) so that ticket numbers and other nine-digit strings don’t produce false positives that teach people to ignore the alerts. Situations like these are not only likely compliance violations, but also lawsuits waiting to happen.
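As an added example (not code from the original post or from any DLP product), the following Python scans outbound text for US Social Security numbers and ABA bank routing numbers, validates each regex hit so that look-alike strings are not reported, and redacts confirmed hits before the text is shared. The sample text, names and account details are constructed.

```python
"""Regex DLP check for offboarding paperwork (added example)."""
import re
from typing import List, Tuple

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")

# Two-digit prefixes the Federal Reserve actually assigns to routing numbers.
VALID_ROUTING_PREFIXES = (
    set(range(0, 13)) | set(range(21, 33)) | set(range(61, 73)) | {80}
)


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, zero group or serial)."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def routing_is_plausible(digits: str) -> bool:
    """ABA checksum: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) must be 0 mod 10."""
    if int(digits[:2]) not in VALID_ROUTING_PREFIXES:
        return False
    d = [int(c) for c in digits]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) for every validated hit, in document order."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            hits.append((m.start(), "ssn", m.group(0)))
    for m in ROUTING_RE.finditer(text):
        if routing_is_plausible(m.group(0)):
            hits.append((m.start(), "routing", m.group(0)))
    return [(kind, value) for _, kind, value in sorted(hits)]


def redact(text: str) -> str:
    """Mask validated hits only; false positives are left readable."""
    text = SSN_RE.sub(
        lambda m: "[SSN-REDACTED]" if ssn_is_plausible(*m.groups()) else m.group(0), text)
    return ROUTING_RE.sub(
        lambda m: "[ROUTING-REDACTED]" if routing_is_plausible(m.group(0)) else m.group(0), text)


# Constructed sample: one real-looking SSN, one valid routing number,
# a nine-digit ticket number that fails the ABA checksum, and a template SSN.
SAMPLE = (
    "Final pay for J. Doe (SSN 123-45-6789) goes to routing 021000021, "
    "account ending 4421. Helpdesk ticket 123456789 closed. "
    "Placeholder SSN 000-12-3456 in the template is not real."
)

if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
    print(redact(SAMPLE))
```

Run against the sample, only the SSN and the routing number are flagged; the ticket number and the 000- placeholder pass through. In a real DLP rule the same validation is what keeps the alert volume low enough that people still read the alerts.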
Step 3 – Ensure your systems leave detailed audit logs.
If a company is about to undergo a security audit or is renewing or seeking a security certification or attestation, offboarding process execution may be scrutinized. Auditors may ask companies to provide detailed records of the offboarding procedures. These logs should contain what actions were taken, who took them, when they were taken, and whether each action succeeded. Detailed audit logs make the audit easy, and any lack of detail is nearly impossible to remediate after the fact, so the logging has to be in place before the offboarding happens.
Step 4 – Retain data and create reliable backups.
In many legal cases and under many service level agreements (SLAs), companies are required to retain data for many years (some companies retain it indefinitely). Accidental deletion of accounts or improper backups will lead to data loss and potential legal issues. This isn’t anything any admin or company wants to experience. Many services are purpose-built to prevent this from happening.
Step 5 – Wipe only corporate data off of employee-owned devices.
Mobile device management (MDM) gives IT the power to wipe devices remotely. Done carelessly, a wipe removes all data, personal and corporate alike, which creates a serious legal situation if the proper agreements have not been signed. There are horror stories of IT admins wiping devices that contained nearly finished novels or photos of newborns. Obviously, blame is shared in these scenarios, but in the end it’s IT that faces the most scrutiny and the company that pays up.
#3 – Unnecessarily High Expenses Due to Unused Licenses and Unknown Recurring Payments
Odds are you are paying for licenses and possibly even applications that aren’t being used. Whether due to fear of data loss or lack of time, many companies are stuck in an expensive limbo when it comes to SaaS license spend. IT can put policies in place to prevent this.
Whether it’s idle licenses, unused storage, or devices collecting dust, many of these expenses are the result of incomplete offboarding processes. Since offboarding is often a multi-phase process, the final steps can fall through the cracks.
Step 1 – Set a threshold on suspended licenses.
Depending on the application, companies may be billed for licenses sitting in a suspended state. A single SaaS application license may cost a company around $50 a year–not a big deal. But many companies never clean up suspended licenses and are simply throwing away thousands of dollars a month. Companies should keep tabs on licenses assigned to former employees. One quick way to do this is set a threshold on the number of suspended licenses you’re willing to permit in each given SaaS application (based on how they bill for these licenses).
Step 2 – Prohibit employees from using company cards for unapproved applications.
This is a surprisingly common cost that flies under the radar. It’s common across many departments and there is really no easy answer. A solid solution: Sit with the Finance team and review every SaaS license paid for through a company credit card. Then, make a decision on whether or not IT should bring unapproved apps under their control or stop paying for them. If a user goes around IT and is expensing SaaS apps on their own card, a simple solution to curb this behavior is to warn employees that SaaS apps on personal cards will no longer be reimbursed.
Step 3 – Free up and reassign suspended licenses.
In most SaaS applications, when you fully delete a user you are left with a license that can be assigned to another employee, and you may or may not be paying for that license while it’s not assigned. Be sure to use these licenses first when onboarding new employees. And some SaaS applications, like G Suite, even offer special license types for former employees. In G Suite these are called Vault Former Employee licenses (note: this particular license type is only available to former Postini customers), and reduce license costs while retaining user data.
#4 – Productivity Loss Caused by Miscommunication and Lack of Documentation
When change occurs, business activities are interrupted and productivity stalls. But the impact of change caused by offboarding can be lessened.
Step 1 – Document important processes.
While this might not fall under “data loss” or “offboarding” in the traditional sense, it is a potential threat that must be considered. Companies should seek to change the way employees operate and encourage constant documentation. This is a top-down issue that executives (as well as IT leaders) should push for.
Step 2 – Avoid ad hoc scripts and undocumented automations.
If the employee works in IT and relies heavily on custom-built scripts to automate certain tasks, those scripts will inevitably break and require maintenance after they leave. Companies should own their automations, meaning the ability to execute, alter, and update them should pass seamlessly from one employee to the next; in practice that means the scripts live in a shared repository with documentation rather than on one person’s laptop. Otherwise a single departure can leave the company in a difficult position.
Step 3 – Ensure successful file ownership transfers.
File ownership is tricky when it comes to SaaS applications like Google Drive, Dropbox, and others. If important documents are transferred to the wrong person, it creates a huge headache for IT and everyone who needs to access those files.
Step 4 – Handle email with care.
One of the most common points of failure during offboarding is email. Should the ex-employee’s entire email be accessible by the employee’s manager? Or should all future emails be forwarded to a certain person? What exactly should the autoresponder say? How long should an autoresponder remain active? These questions vary greatly from employee to employee. The answer is likely a decision that can only be made through open communication.
Step 5 – Manage calendars and resources.
When an employee exits, it’s especially difficult to handle anything related to calendars and resources. While it might seem small, a booked resource that goes unused is a wasted expense and could have been used in a more productive way. On top of that, if a user is deleted, any recurring meetings or secondary calendars that user owns will be deleted as well.
Step 6 – Build orchestrated offboarding processes.
Too much time is wasted in IT doing manual, repetitive tasks. If offboarding is done manually and correctly, it will likely take a significant amount of time. Admins will have to go into each application’s admin console and deprovision a user. Automating tasks is helpful, but when they’re compiled together, something much more powerful is created.
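As an added example (not code from the original post or from any vendor’s SDK), the Python below orchestrates the deprovisioning steps discussed on this page (suspend, revoke OAuth grants separately from the password reset, rotate the password, remove group memberships, transfer file ownership, then verify) and writes the who/what/when/outcome audit record that the compliance section asks for. The FakeDirectory class is an in-memory stand-in for a SaaS admin API; its method names and the user, token and file data are assumptions. A failed step is recorded and the remaining steps still run, so one broken file transfer never leaves live access behind.

```python
"""Orchestrated offboarding with an audit trail (added example)."""
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


class FakeDirectory:
    """In-memory stand-in for a SaaS admin API. Interface and data are assumed."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {  # constructed sample accounts
            "jdoe": {"suspended": False, "oauth_tokens": ["gh-sync", "slack-bot"],
                     "groups": ["eng", "oncall"], "files": ["roadmap.doc", "budget.xls"]},
            "asmith": {"suspended": False, "oauth_tokens": [], "groups": ["eng"], "files": []},
        }

    def suspend(self, user: str) -> None:
        self.users[user]["suspended"] = True

    def list_tokens(self, user: str) -> List[str]:
        return list(self.users[user]["oauth_tokens"])

    def revoke_tokens(self, user: str) -> int:
        n = len(self.users[user]["oauth_tokens"])
        self.users[user]["oauth_tokens"] = []
        return n

    def reset_password(self, user: str) -> None:
        self.users[user]["password_reset"] = True

    def remove_from_groups(self, user: str) -> List[str]:
        groups, self.users[user]["groups"] = self.users[user]["groups"], []
        return groups

    def transfer_files(self, user: str, to: str) -> int:
        if to not in self.users:
            raise KeyError(f"recipient {to!r} does not exist")
        files = self.users[user]["files"]
        self.users[to]["files"].extend(files)
        self.users[user]["files"] = []
        return len(files)


# Each step returns a one-line detail string for the audit record.
StepFn = Callable[[FakeDirectory, str, str], str]


def _suspend(d: FakeDirectory, user: str, to: str) -> str:
    d.suspend(user)
    return "sign-in blocked"


def _revoke(d: FakeDirectory, user: str, to: str) -> str:
    # OAuth grants outlive a password reset, so they are revoked explicitly.
    return f"revoked {d.revoke_tokens(user)} OAuth grants"


def _reset(d: FakeDirectory, user: str, to: str) -> str:
    d.reset_password(user)
    return "password rotated"


def _groups(d: FakeDirectory, user: str, to: str) -> str:
    return "removed from " + ",".join(d.remove_from_groups(user))


def _files(d: FakeDirectory, user: str, to: str) -> str:
    return f"moved {d.transfer_files(user, to)} files to {to}"


def _verify(d: FakeDirectory, user: str, to: str) -> str:
    # Independent check that the access-cutting steps actually took effect.
    left = d.list_tokens(user)
    if not d.users[user]["suspended"] or left:
        raise RuntimeError(f"suspended={d.users[user]['suspended']} tokens={left}")
    return "no sign-in and no OAuth grants remain"


STEPS: List[Tuple[str, StepFn]] = [
    ("suspend", _suspend), ("revoke_oauth", _revoke), ("reset_password", _reset),
    ("remove_groups", _groups), ("transfer_files", _files), ("verify", _verify),
]


def offboard(d: FakeDirectory, user: str, actor: str, transfer_to: str) -> List[dict]:
    """Run every step in order; record who/what/when/outcome; never stop early."""
    log: List[dict] = []
    for name, fn in STEPS:
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "actor": actor, "subject": user, "step": name}
        try:
            entry["status"], entry["detail"] = "ok", fn(d, user, transfer_to)
        except Exception as exc:  # a failed step must not leave later access intact
            entry["status"], entry["detail"] = "failed", f"{type(exc).__name__}: {exc}"
        log.append(entry)
    return log


def failed_steps(log: List[dict]) -> List[str]:
    return [e["step"] for e in log if e["status"] == "failed"]


if __name__ == "__main__":
    directory = FakeDirectory()
    for entry in offboard(directory, "jdoe", "it-admin@example.com", "asmith"):
        print(json.dumps(entry))
```

Each JSON line is the audit record an assessor will ask for: timestamp, the admin who ran it, the subject account, the step, and its outcome. Ordering matters: suspending first blocks new sign-ins while the remaining steps run, and the revoke step is separate from the password reset because a reset alone does not invalidate existing OAuth grants. For a real directory the stand-in methods would map to the provider’s own calls (for Google Workspace, the Directory API’s tokens.list and tokens.delete cover the OAuth step), but the shape of the orchestrator and the log stays the same.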
Download our latest whitepaper to learn how experts like Ryan Donnon, IT and data manager at First Round Capital, efficiently and securely offboard employees: Identifying and Eliminating Employee Offboarding Inefficiencies and Security Threats.