Employee turnover is a part of business. Workers come and go for various reasons – retirement, new job opportunities elsewhere, family changes, layoff or termination for cause. Thoughtful and systematic management of the offboarding process will help minimize the risks and costs associated with letting these employees go.
According to Osterman Research1, 89% of departed employees retained access to corporate applications and 49% logged in to an account after leaving the company. This is a big problem! Ideally, we would like to trust everybody to do the right thing after leaving, but there is a risk of theft of confidential information, including customers and financial resources, if ex-employees continue to have access to the company’s network. Such data breaches may cause further complications with legal discovery and regulatory compliance as well.
Continuity of operations is another concern. Phones and email are used to conduct business and communicate with customers and suppliers. Managing the handoff of responsibilities and decommissioning access to phones and email accounts prevent business issues from falling through the cracks.
Offboarding is part of a company’s broader IT security and HR management policies. Best practices include the following:
—Establish a security and compliance group within the company. This group should monitor two key areas: 1) who has access to which IT services and 2) how information is being accessed and shared.
—Put in place a clear set of company IT policies. This includes policies on application usage, a list of approved sites and services and a list of approved software and applications that employees can use.
—Provide role-based access to applications. Maintain an approval process for all services, applications, and equipment that employees need. Keep records in a centralized database, so you know what each employee was given.
—Create a central repository for administrative logins and passwords. Don’t give users administrative rights to their laptops.
—Eliminate shared logins/accounts. Assign each account to one person whenever possible.
—Conduct regular audits of user accounts (LDAP, Active Directory®, and all applications). Track all of the applications being used, so you know who “owns” them and what access and control IT has.
—Set up accounts in a central location, such as Active Directory in Windows® environments, and make sure all cloud applications are SAML authenticated. This makes it easier to manage and de-provision employee accounts.
—Use unique identifiers when creating new employee accounts. This way, if a user has different name listings (e.g. J. Smith, Joe S., etc.), it’s easier to find all of the applications with which he or she is associated.
When someone leaves, make sure IT conducts their own exit interview and performs appropriate offboarding tasks, including collecting all company assets (laptops, phones, ID badges, etc.). IT should also:
—Maintain distribution list for terminations. Similar to a new hire distribution list, create a list that informs key departments (Finance, HR, Facilities, Legal, etc.) when an employee is leaving. Someone also should be responsible for informing appropriate external stakeholders (e.g. customers and suppliers) of the employee’s departure and designated replacement.
—Disable logins to all employee accounts. It is critical to terminate every employee account to every service, both on-premises and in the cloud. If a single sign-on solution is issued, review applications saved in the employee’s portal to discover if any applications have been used without IT’s knowledge. If a mobile device management solution is used, remote wipe company applications on the employee’s mobile device.
—Direct the email and phone accounts of a departing employee to his/her manager. This can be done by forwarding or giving the manager login access. Wait a set amount of time (e.g. 30 days) and then archive and delete the accounts.
—Check if the employee is the primary contact for an online account or project and make sure that contact gets re-assigned.
1. Osterman Research, "Do Ex-Employees Still Have Access to Your Company Data?", 2014
Active Directory and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.