Best Practices for Secure Offboarding

Securing Offboarding: Best Practices for Data Protection

Decades ago, most workers aspired to stay with a single company for their entire careers. In today’s world, that’s the exception rather than the norm. The average salaried employee’s tenure with an organization was 4.6 years in 2018—the last time the U.S. Bureau of Labor Statistics updated its statistics.

Whether your company faces the prospect of downsizing in order to better weather tough economic times or is finding that employees occasionally leave in order to broaden their skill sets or seek increased compensation, it’s critical to keep cybersecurity in mind during the offboarding process. You want to ensure that departing workers aren’t able to take valuable data or intellectual property with them on their way out the door.

Every organization needs formal offboarding procedures to protect its data and technology assets. This is also important for maintaining regulatory compliance and adhering to contractual requirements. Many times, the devil is in the details: both technical controls and administrative processes are required, and governance should emphasize standardization, consistency, and control.

Have a solid handle on your assets.

Regardless of your business’s size or industry, your employees almost certainly interact with company data on a daily basis. A key element in the offboarding process is making sure they’ll no longer be able to access this data once they’ve left the company. This involves collecting or cleaning all company-owned devices (such as laptops) where data may be stored, of course. But it also encompasses logical access controls.

When it comes to identity and access management, maintaining visibility and reliable records is crucial. To deprovision access reliably and securely, you need to know which employees have access to which resources at any given time. Privilege discovery tools can enhance end-to-end visibility, as can monitoring of the network.

Such solutions can also help you adhere to the principle of least privilege, which states that every employee should be able to access only those assets that they absolutely need in order to get their jobs done. This is a key tenet of information security that can enhance your organization’s security overall, but adhering to it is especially important if you’re conducting layoffs.

Step up management and monitoring during transition periods.

If an employee is angry or resentful about their termination, they may be more likely to engage in malicious behavior. Or, if someone has invested a great deal of time and effort in developing intellectual property, they may feel that it belongs to them instead of the company.

Maintaining awareness of individual employees’ motivations and potential grievances may make it easier to keep an eye on those who warrant extra attention.

Implementing a data loss prevention (DLP) solution can be a wise step for organizations that possess large volumes of critical intellectual property. This technology can alert on or automatically block the transfer of sensitive files. How much sophistication you need in a DLP solution depends on how vital intellectual property is to your business’s survival.

Organizations with less complex data protection needs can simply set policies in Active Directory to prevent files from being copied during employees’ transition periods. It’s also possible to use methods similar to a legal hold to prevent data from being deleted or downloaded while someone is waiting out their two-week notice.

Keep an eye on third parties, including vendors, suppliers and Software-as-a-Service (SaaS) providers.

Be sure that you have standardized, centralized processes in place for managing access to third-party applications that employees are using for work-related activities. It’s especially important to maintain visibility into those applications that are outside the organization’s standard login and user authorization systems.

This can include so-called “shadow IT”—cloud apps that employees turn to without the approval or oversight of your IT team. Requiring employees to adhere to a formal review and approval process before procuring new software can help.
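The record-keeping described under "Have a solid handle on your assets" and the visibility into third-party applications described here come together in a reconciliation between the HR roster and the account exports from each system. The following is an added example, not part of the original article; the column names, system names and sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports; column names are assumptions for this example.
HR_ROSTER = """email,status,last_day
ana@example.com,active,
raj@example.com,terminated,2024-03-15
lee@example.com,notice,2024-04-30
"""

ACCOUNTS = """system,sso_managed,owner_email,enabled,last_login
directory,yes,ana@example.com,yes,2024-04-01
directory,yes,raj@example.com,no,2024-03-14
crm-saas,no,raj@example.com,yes,2024-03-20
file-share,no,lee@example.com,yes,2024-04-01
wiki-saas,no,sam@example.com,yes,2024-02-02
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_stale_access(hr_csv, accounts_csv):
    """Return sorted (system, owner, finding) tuples for accounts needing action."""
    hr = {r["email"]: r for r in rows(hr_csv)}
    findings = []
    for acct in rows(accounts_csv):
        owner, system = acct["owner_email"], acct["system"]
        enabled = acct["enabled"] == "yes"
        person = hr.get(owner)
        if person is None:
            # Account with no matching employee: orphaned or unapproved app user.
            if enabled:
                findings.append((system, owner, "no_hr_record"))
            continue
        if person["status"] == "terminated":
            if enabled:
                findings.append((system, owner, "enabled_after_termination"))
            last_day = date.fromisoformat(person["last_day"])
            if acct["last_login"] and date.fromisoformat(acct["last_login"]) > last_day:
                findings.append((system, owner, "login_after_last_day"))
        elif person["status"] == "notice" and enabled and acct["sso_managed"] == "no":
            # Outside central login: disabling the directory account will not remove it.
            findings.append((system, owner, "manual_deprovision_on_last_day"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_stale_access(HR_ROSTER, ACCOUNTS):
        print(*finding, sep="\t")
```

In the sample data the directory account was disabled on time, but the CRM account outside central login stayed enabled and was used after the last day, which is the gap the paragraph above describes.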

You should also keep close tabs on departing employees’ relationships with third parties, including vendors, suppliers, and customers. Be sure that the right people are informed whenever one of their contacts leaves the company.

Today’s computing environments encompass a wide array of devices—from traditional workstations to mobile devices—and an equally diverse assortment of third-party and cloud-hosted software solutions. To manage the risks that come with job changes, it’s essential to focus on identity and access management. Strong governance can go a long way towards keeping your data and intellectual property safe.
