Your IT Checklist for a Secure Employee Offboarding
In my previous post, I discussed the importance of having a clear onboarding process for new hires and IT’s critical role in that. Today, I’ll provide employee offboarding strategies, so former employees don’t end up with the power to steal or leak your confidential business data.
How to Offboard Employees
Many organizations lack a straightforward and effective employee offboarding process. This is concerning because separating from employees can be potentially messy and extremely damaging if you don’t have a clear process for maintaining control of all the access points and devices you have allowed them to use – especially in the case of an ugly termination.
Part of effective offboarding is done in the onboarding process. If your organization has created clear processes and documentation surrounding access and assets provided, it will be easier to retrace your steps and revoke those privileges and retrieve any devices when the time comes to do so. If you don’t have a solid employee offboarding process in place, here are a few core ideas to keep in mind when creating or revamping a policy:
- Adopt a Zero Trust Policy – As an overall company policy, you should make clear that, top-to-bottom, employee access is restricted to the minimum privileges needed to do their job effectively. This will give you a leg up in preventing breaches in case of any oversight during offboarding. Once the offboarding process begins, regardless of the circumstances surrounding their exit, every employee should be treated the same. The rules and processes you implement should be strictly followed, and developed with the mindset that any former employee, whether well-liked or leaving on uneasy terms, could attempt to circumvent these processes and cause potential harm to your company.
- Conduct Exit Interviews – While this may seem more of the domain of HR, it’s important that your exit interviews at least briefly touch on technology. Use the opportunity to review your company’s data protection policies and remind the departing employee about any confidentiality agreements they may have signed as well as the potential penalties for data theft. Reinforcing your strong stances on these subjects will help you minimize potential trouble.
- Communicate Across Departments – Just like employee onboarding, all departments must interact in a coordinated fashion to prevent any data loss. Prior to employee offboarding make sure all departments have been notified and are on the same page. HR shouldn’t move forward with notifying the employee or conducting exit interviews before IT is ready to revoke access or take control of user accounts and vice versa. In the case of a disgruntled employee, even a few minutes of discoordination can allow them to cause irreparable damage.
- Monitor for Suspicious Activity – In keeping with the zero trust policy, leading up to the employee’s departure and after they have moved on, IT should periodically monitor accounts, activity, logins, and file transfers to ensure nothing dubious has taken place.
Employee Offboarding Checklist
Creating a checklist for the offboarding process is highly recommended. An offboarding checklist details all of the tasks that should be completed, so you don’t miss anything. It also serves as a useful visual reference so everyone can quickly see where they are in the process. Below is an employee offboarding template you can use to build your own:
Revoke access to any digital assets you have given the employee.
Actions could include:
- Disable internal user accounts
- Change any passwords given to the employee
- Disable company email accounts and redirect future emails
- Disable internal messaging accounts (Slack, Zoom, Microsoft Teams)
- Disable any cloud accounts
- Revoke any software credentials
- Terminate VPN and any remote-desktop access
- Close any corporate credit cards or expense accounts
- Disable any phone or voicemail accounts
- Change any door codes or PIN numbers that allow physical access
Collect all physical assets you have distributed to the employee.
Physical assets could include:
- Mobile Devices
- External Hard Drives
- Mobile Devices
- Keys or ID Cards
- Security Tokens
Transfer Knowledge and Notify Relevant Contacts
Consider all the people who may be impacted by the employee leaving. Make sure knowledge isn’t lost and professional contacts know who to reach out to once they have departed.
Possible actions include:
- Have the employee transfer any critical knowledge to their replacement.
- Perform a backup of the employee’s hard drive.
- Notify any vendors or clients the employee worked with regularly.
- Provide a new point of contact for any vendors or clients.
Developing an employee offboarding process can seem complex, but it is ultimately paramount to your ability to protect your data and create a secure work environment. If you want more details about how to create a process specific to your business, don’t hesitate to contact me at firstname.lastname@example.org.