The onset of the pandemic, the Great Resignation, and the rise of remote and hybrid work have all contributed to more employee turnover. This upheaval in the labor market has strained HR and IT departments, leading to increased security risks for organizations when employees leave.
Let’s take a closer look at the security risks involved with ineffective offboarding.
What can happen to data security when an organization has ineffective offboarding?
When an employee is fired, laid off, retires, or quits, an organization needs to ensure that its offboarding protocol includes severing the employee’s access to its IT system. Access should be quickly and wholly revoked to ensure data security.
The data security risks of ineffective offboarding include:
- Data loss: Former employees who retain access to critical business data can intentionally or unintentionally delete or damage it, either immediately or at a later date. Some disgruntled former employees have even shut down servers and caused other damage to their former employers’ IT systems.
- Loss of confidentiality: A former employee who retains access to an organization’s confidential information — such as contracts, business agreements, and proprietary knowledge — can take this information to their new employer or sell it to a competitor.
- Compliance violations: An organization could face major compliance violations if a former employee who retains access to sensitive data destroys or leaks it. For example, allowing protected health information to be compromised by a former employee could lead to fines and lawsuits for HIPAA violations.
What harms can ineffective employee offboarding cause?
Failing to offboard employees properly can be costly to organizations.
Here are the top three types of costs that result when former employees breach data security:
- Stolen data: Former employees taking and using data is perhaps the most common risk of ineffective data security offboarding. In many cases, a former employee uses the data in their current job, and their new employer may be a competitor. Compromised passwords are another security risk when accounts are not canceled after an employee leaves. Hackers may be able to gain access to an organization’s IT system through unused accounts, making it easier to perpetrate phishing, man-in-the-middle, and ransomware attacks.
- Higher incurred costs: If an organization doesn’t properly offboard employees, it may continue paying licensing fees for unused software tools, such as Office, G Suite, or SaaS applications. Former employees may also log into the IT system to use these licensed tools.
- Reputational harm: An organization may also suffer costs as a result of reputational harm when a former employee causes a data breach. Loss of business reputation can lead customers or clients to lose trust and move their business to a competitor.
What aspects of offboarding should be a priority to help prevent security risks?
Organizations can be proactive about data security and confidentiality during the onboarding process and employment by clearly mandating — in either an employment contract or an employee manual — how employees should handle data and confidential information during and after employment.
To ensure that their offboarding protocol includes measures to prevent security risks, organizations should include these steps in their offboarding checklist:
- Secure property: Collecting laptops, desktop computers, keycards, phones, and all other electronic devices owned by the organization will help ensure that a former employee does not intentionally or accidentally create a data breach.
- Revoke access: Cancel a departed employee’s access to the organization’s online or offline systems, including internal platforms, SaaS and cloud platforms, applications, email, databases, Salesforce and other CRM systems, productivity tools like Slack or Teams, and social media accounts. A recent survey suggests that nearly half of U.S. workers are still using their former employers’ passwords even after leaving the company. More than half of the survey respondents reported accessing their previous employer’s system, primarily to access information, use tools or subscriptions, or connect with former clients or customers. If the employment separation is cordial, however, organizations commonly give an employee a short grace period to allow them to remove personal emails and files.
- Reset passwords: Passwords shared between groups or for SaaS and other cloud-based services should be reset as quickly as possible.
Keeping data secure
Adding data security best practices to your offboarding process will help your organization end employment relationships smoothly, regardless of the circumstances of departure, while also safeguarding data, maintaining the confidentiality of critical business information, and avoiding reputational harm.