Employees come and go for a variety of reasons. If you’re lucky, they’ll be very cooperative with the offboarding process, but this isn’t always the case. And even if they are, you still have to take it with a grain of salt. Some say that calm and cooperative offboarding is often the most dangerous because people aren’t as diligent when the situation seems lax.
If these moments have any uncertainty, they become rife for a scammer or hacker to take advantage of it. A recent study by Torii found that 76% of IT professionals see offboarding as a significant security threat.
Thankfully, offboarding processes are relatively simple to put together, and if you’ve built a cyber security awareness culture within your organization, you’ll have no issues applying it.
This article will explain the different types of offboarding, mention the risks associated with these moments, as well as discuss the best practices to make them as smooth of a process as possible.
What is an offboarding process, and why is it important?
An offboarding process is a set of guidelines for employees leaving the company or their current business unit. It’s also important to note that offboarding doesn’t always mean the employee is fired or changing jobs. It can simply be a contractor giving back a device or even an employee changing departments or branches within a large organization.
For smaller companies, it’s often simply a checklist sent to employees on their last day, reminding them of what they must do technology-wise before leaving. It becomes a much more involved process for larger organizations, with tasks disseminated across the HR and IT departments.
An example of a non-IT task within an offboarding process would be an exit interview to learn more about why a person is choosing to leave the company.
The most common IT tasks in offboarding would be password resets or transfers, email and application access resets, return slips for laptops and other devices, and data transfers.
Any company that wants to protect its intellectual property must have a detailed offboarding process.
In the case of terminating an employee, cutting off access to emails and company data during a layoff before employees learn their situation can feel a bit ruthless, but it’s the only way to prevent security risks and malicious actions.
Security risks for organizations during layoffs?
Layoffs are a particularly trying time for any organization. Mass job loss, workload changes, disgruntled ex-employees, and countless data transfers as positions shift. In most cases, the security risks created during layoffs are not malicious.
It's not hard to see why an ex-employee might not be the most diligent about the security of an employer who just laid them off. It's also fairly common to see employees actively try to hurt the company that just put them out of a job. Thankfully, a robust offboarding process will cover both situations.
There are several kinds of security risks to keep in mind when thinking about layoffs:
- Abusing admin privileges: A layoff is a prime moment for an employee to steal company data by misusing access that hasn't been revoked yet.
- Forwarding data to personal email: Employees may also attempt to transfer confidential information to their personal email addresses before leaving.
- Return of company devices: Most companies give their employees laptops, whether remote or not. Proper offboarding will ensure the device remains safe and cannot be tampered with.
A handy employee offboarding checklist
The best way to ensure nothing gets missed during a troubling time like a layoff is to have a checklist to follow step by step. There are items that should be specific to your organization, but the following applies to any company:
- Cut access to email and all work software. Ideally, this should be done during the meeting announcing the news in the case of layoffs and at the end of the last workday for an employee leaving. The key is to remove access right after the employee leaves the premises for the last time.
- Deactivate the user and backup their files. The user should be fully deactivated in the system to prevent any remote malicious access, but keep a copy of all the associated files. Their coworkers might need it for future reference.
- Change passwords on shared software. Many companies will rely on software with a shared password or have seats for every employee within a SaaS platform. Make sure to change shared passwords and delete user seats in all software.
- Device return. Keep a list of all devices given to employees and follow it as a checklist on the employee's last day. If an employee is remote, send them a prepaid return slip to ensure you have proper tracking on the delivery and make it as seamless as possible for the ex-employee.
Employee offboarding best practices
A proper employee offboarding process is all about planning and solid data gathering. The most crucial task to good offboarding is making sure your employee records are good and kept updated during their employment. A good device ledger, a current software list, and a password manager will make offboarding much easier.
Offboarding is about protecting a company’s intellectual property. Remember that the best way to achieve that is to ensure the process is as simple and convenient as possible for the employee. Most security breaches during offboarding are unintentional and often result from a task like returning a device being too complicated or demanding.
Another crucial best practice is making the process as empathetic as possible. Layoffs are often stressful and dehumanizing for those affected, and a lousy employee offboarding process could be the last straw that leads an employee to lash out. Properly and respectfully communicated offboarding steps will go a long way in protecting you.
Offboarding to prevent security risks
A good employee offboarding process should be seen as a branding activity. It reflects the type of company you run and will be widely publicized in the case of massive layoffs. In most offboarding situations, companies would love to see the employee return eventually in a few years, and the last impression they get from a company is crucial in making this scenario happen.
Offboarding is just like any other cyber security process. It's based on proper planning, data gathering, and ensuring every detail has been accounted for. The security risks created during these times are often simple mistakes that can easily be prevented.
Learn How to Mastermind a Security Awareness Program in 5 Steps!
Click here for step-by-step guidance on how to develop an effective security awareness program that enhances security behaviors.