Coca-Cola had a serious insider breach in 2018 when a former employee was found to have PII on some 8,000 employees. Today’s columnist, Neel Lukka of CurrentWare, offers eight security tips for offboarding employees when they leave the company. (Photo credit: hectorir, Creative Commons, CC BY 2.0)

Gaps in the employee offboarding process present significant data security risks. A shocking 52 percent of the 400 IT professionals surveyed by Ivanti know people who still have access to a former employer’s applications and data. Organizations simply cannot afford to overlook this security threat.

Employees have intimate access to confidential information and insider knowledge of corporate systems. The employee offboarding process presents significant data security risks, particularly in the case of an involuntary termination.

Organizations must have a strategy for mitigating the risks of insider data theft. The strategy should include a well-documented employee offboarding process to ensure that non-public data remains in the possession of the company.

The danger also doesn’t end once the employee leaves the premises. Gaps in the employee offboarding process can leave a disgruntled ex-employee with ongoing access to company resources. In fact, an Osterman Research study found that 89 percent of employees could still access sensitive corporate applications well after their departure.

While the 2019 Verizon Data Breach Investigations Report found that 71 percent of data breaches are financially motivated, there are other motives, such as employees looking for an advantage against other applicants with a prospective employer. 40 percent of employees who have stolen corporate information admitted that they intend to use it in their new jobs. Here are some tips on how to protect data during a termination:

  • Follow an employee offboarding process.

Develop a detailed employee offboarding process. Following an employee offboarding checklist ensures that each step of the process gets accounted for and that the parties involved in the transition are aware of their responsibilities.

  • Adhere to strict IT asset management and deprovisioning.

Maintain an up-to-date inventory of all assets, including ID cards, portable storage devices, laptops, computers, software licenses, accounts, and keys. Ensure that all items are returned following the employee’s departure and that their accounts are deprovisioned. With the rapid proliferation of SaaS accounts, it’s more important than ever to have documentation regarding what software and services each employee can access. Incorporating these assets into identity management systems and single sign-on tools can help ensure that the company runs an automated deprovisioning process, thus reducing the chance that accounts are overlooked because of human error.
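As an added illustration (not part of the original column), the sketch below reconciles an HR departure list against per-application account exports to surface accounts that outlived their owner. The data layout, application names, usernames and the `audit_accounts` helper are assumptions constructed for the example.

```python
from datetime import date

# Constructed sample data: HR departures and per-application account exports.
DEPARTURES = {
    "a.rivera": date(2024, 3, 1),
    "j.chen": date(2024, 4, 15),
}
ACCOUNTS = [
    # (application, username, owner, enabled, last_login)
    ("sso", "a.rivera", "a.rivera", False, date(2024, 2, 28)),
    ("crm-saas", "arivera@example.com", "a.rivera", True, date(2024, 3, 9)),
    ("file-share", "j.chen", "j.chen", True, date(2024, 4, 10)),
    ("wiki", "m.okafor", "m.okafor", True, date(2024, 5, 2)),
    ("billing", "finance-shared", None, True, date(2024, 5, 1)),
]

def audit_accounts(departures, accounts, today):
    """Return findings, most severe first, for accounts that outlived their owner."""
    findings = []
    for app, username, owner, enabled, last_login in accounts:
        if owner is None:
            # Shared or unmapped account: it cannot be tied to any departure.
            if enabled:
                findings.append(("unowned", app, username, None))
            continue
        left = departures.get(owner)
        if left is None or not enabled or left > today:
            continue  # current employee, disabled account, or future leave date
        if last_login is not None and last_login > left:
            # Login after the leave date: treat as an incident, not a cleanup task.
            days = (last_login - left).days
            findings.append(("used_after_departure", app, username, days))
        else:
            days = (today - left).days
            findings.append(("still_enabled", app, username, days))
    order = {"used_after_departure": 0, "still_enabled": 1, "unowned": 2}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))

if __name__ == "__main__":
    for finding in audit_accounts(DEPARTURES, ACCOUNTS, date(2024, 5, 10)):
        print(finding)
```

The SaaS account in the sample uses an email-style username that differs from the directory name, which is why the join is on a recorded owner rather than on the username itself.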

  • Monitor how employees interact with data.

Without systems in place to monitor how employees interact with data, breaches can happen when an employee makes a quick visit to a personal cloud storage site or a discreet file transfer to a USB flash drive. Pay careful attention around the 90-day period before an employee’s resignation announcement; it has been found that 70 percent of IP theft occurs around this time.

Here’s what to monitor: Email attachments, web browsing activity, USB file transfers, access logs for servers, printer logs, and bandwidth usage.
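One way to review that 90-day period once a resignation is announced, shown as an added example that is not from the original column: compare each egress channel's volume in the 90 days before the announcement with the user's own preceding 90 days. The event format, channel names, thresholds and the `review_window` helper are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

WINDOW = timedelta(days=90)  # review period named in the article
EGRESS = {"usb", "cloud_upload", "email_attachment", "print"}

# Constructed sample events: (user, day, channel, bytes moved)
EVENTS = [
    ("j.chen", date(2023, 11, 6), "email_attachment", 2_000_000),
    ("j.chen", date(2023, 12, 4), "usb", 5_000_000),
    ("j.chen", date(2024, 3, 20), "usb", 900_000_000),
    ("j.chen", date(2024, 4, 2), "cloud_upload", 400_000_000),
    ("j.chen", date(2024, 4, 3), "server_login", 0),
    ("m.okafor", date(2024, 4, 1), "usb", 800_000_000),
]

def review_window(events, user, announced, factor=5.0, floor=100_000_000):
    """Return {channel: bytes} for egress channels that spiked in the
    90 days before `announced` relative to the 90 days before that."""
    start = announced - WINDOW
    base_start = announced - 2 * WINDOW
    recent, baseline = defaultdict(int), defaultdict(int)
    for who, day, channel, size in events:
        if who != user or channel not in EGRESS:
            continue  # other users and non-egress events are out of scope
        if start <= day < announced:
            recent[channel] += size
        elif base_start <= day < start:
            baseline[channel] += size
    flagged = {}
    for channel, total in recent.items():
        # Require meaningful volume AND a jump over the user's own baseline,
        # so routine low-volume activity does not generate alerts.
        if total >= floor and total > factor * baseline[channel]:
            flagged[channel] = total
    return flagged

if __name__ == "__main__":
    print(review_window(EVENTS, "j.chen", date(2024, 4, 15)))
```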

  • Block data egress points.

Prevent employees from accessing data egress points, such as cloud storage sites, FTP servers, external storage devices, and email accounts. If the employee legitimately requires access to these assets during their final days, it’s critical that stringent monitoring processes are in place. Wherever possible, put DLP in place to alert IT administrators of potential high-risk activities. This ensures that data theft attempts are detected and investigated in a timely manner.

  • Avoid shared passwords.

Letting employees share accounts complicates the deprovisioning process and reduces the utility of user activity data. If evidence of an anomalous file transfer or other high-risk activity appears on a shared account, there’s little security pros can do to verify who was responsible.

  • Perform an exit interview.

Exit interviews are perfect opportunities for HR to collect feedback on the employee’s experience and find opportunities to improve retention and engagement in the future. From a security perspective the exit interview can point to warning signs that a departing employee feels disgruntled.

  • Notify relevant parties.

The IT department should be notified of the impending resignation or termination so they can start their offboarding process. Doing this will ensure that as the employee leaves the premises, they also leave the corporate network.

Notify any clients or vendors the employee worked with as well. This will prevent the ex-employee from abusing their position of trust to damage the company’s reputation or commit fraudulent acts.

Gaps in the employee offboarding process can lead to incidents of data theft by ex-employees. It’s crucial to develop a detailed offboarding process with automated deprovisioning, an up-to-date IT asset inventory, and monitoring of employee computer activity to keep data safe after a termination or resignation.

Neel Lukka, managing director, CurrentWare