Coronavirus (COVID-19), HR Management & Compliance

4 Keys to Securely Offboard Employees

Organizations today face many cybersecurity concerns across the board. With most businesses currently supporting remote workers due to the COVID-19 pandemic, attackers have been doing their best to capitalize on the current situation.

Source: Den Rise / Shutterstock

In addition to the cybersecurity risks posed by attackers, there are other security concerns for your organization, starting with your employees. If not offboarded correctly, employees who leave your organization can expose your businesses to tremendous threats, including data leaks. 

The Crucial Role of HR in Onboarding and Offboarding

HR departments play a crucial role in ensuring the processes and procedures needed for the proper onboarding and offboarding of employees are carried out correctly. Typically, much of this work deals with the employees directly, but there are also outside elements, such as communicating with external teams to ensure resources and access are either granted during the hiring process or discontinued at the end of employment.

Often, a wrinkle in the communication with these external stakeholders may be where a security risk first presents itself. If access is not set up securely or taken away immediately upon an employee’s exiting the company, there can be holes where data may be lost.  

While the onboarding process helps introduce an employee to the culture, team, and overall philosophies and tools of the organization, the offboarding process helps manage the employee’s experience when he or she leaves the organization.

Proper offboarding should include all the steps needed to successfully part ways with the employee so both the employee and the organization have a positive experience while protecting valuable data from being either exfiltrated or leaked.

Proper Offboarding Is Essential for Good Cybersecurity

When looking at effective security practices, the offboarding process is an essential part of your organization’s overall cybersecurity practice. Improperly offboarding employees who have access to your business-critical data can lead to a wide array of data security issues, including:

  • Data loss—Data could be deleted or intentionally destroyed by a former employee.
  • Data leak—Sensitive, business-critical data can be accidentally or deliberately leaked by a former employee who was not offboarded correctly.
  • Compliance and regulatory violations—Employees who are not appropriately offboarded and who are involved with a data breach can leave your organization exposed to further complications.
  • Tarnished business reputation—Lost customer confidence and a tarnished business reputation can have an untold fiscal impact on your business.
  • Wasted spend—Employees who are not offboarded correctly may leave the organization wasting spend on unnecessary cloud accounts and other resources that could have been repurposed or discontinued altogether.

Experiencing any of the above results of improper employee offboarding can be disastrous to your business.

Offboarding Processes Related to Data Security

The vital offboarding processes that are directly related to the security of your organization include: 

  • Reclaiming assets
  • Revoking employee access to company accounts
  • Migrating business-critical data
  • Protecting against data exfiltration

Reclaiming assets. Reclaiming assets is a crucial part of employee offboarding. Most employees who have spent any time with an organization will have various company assets in their possession. These may include the following:

  • Laptops
  • External storage devices
  • Mobile devices (mobile phone, tablet, etc.)
  • Keys/fobs

Most employees today are using many different kinds of technology to empower business productivity. At a very minimum, this may include a company-issued laptop and a mobile device such as a cellphone. Technology devices such as laptops and cellphones will most likely contain business data that could be business-critical, sensitive, or both.

Reclaiming company assets is generally the first step in the offboarding process. Many HR departments will have a “checklist” of sorts to ensure company assets are returned before the employee makes his or her exit.  

Revoking employee access to company accounts. Businesses today are utilizing many different online tools, services, products, and solutions. As an employee becomes part of the organization, there is a good chance he or she may be granted access to systems and resources used by your business for business-critical tasks.

A crucial step in the offboarding process is to revoke the employee’s access to all company accounts. Revoking access helps to protect the business from any actions taken by a former employee to damage the business, destroy data, or leak sensitive information. This also helps to protect the employee from any liability or implication in any data leak or other cybersecurity event that happens afterward.    

HR will generally work closely with the IT department to coordinate the termination of access to company accounts. The employee’s access may be terminated after his or her last day of employment; however, this may vary depending on your organization’s offboarding and security policies.   

Migrating business-critical data. An area that can lead to a great deal of complexity for organizations is the account and associated data of the employee leaving the organization. This is especially true with accounts that exist in public cloud software-as-a-service (SaaS) environments. The employee who is exiting may have played a key role in specific business processes. The person may also have other essential data linked to his or her cloud account.

Often, organizations continue to pay for the former employee’s cloud account because it’s easier to pay for the license than migrate data between accounts using the native tools provided in the cloud. Native tools can be too cumbersome, problematic, or simply nonexistent to migrate data between user accounts effectively. This helps fuel the problem of simply leaving existing accounts of former employees rather than relocating them.  

While this may be sustainable after one or two employees leave, the costs begin to add up over time as employees come and go. Organizations can find themselves paying for dozens, if not more, unused accounts to maintain access to the account data. A third-party tool can help migrate data between an existing cloud SaaS account and another user account in the cloud. This allows organizations to reclaim the spend on any unused accounts that may exist. It also helps consolidate and organize business-critical data effectively and efficiently.

Protecting against data exfiltration. Protecting against data exfiltration by a leaving/former employee is extremely important. Data exfiltration is also known as “data theft,” or the stealing of data from your organization. This could be intellectual property, clients, valuable contacts, or documents the employee may want to take with him or her to use for his or her benefit or the benefit of his or her new employer.

Aside from simply stealing an organization’s data to be used unscrupulously, data exfiltration can potentially lead to an all-out data leak. A data leak is arguably one of the costliest cybersecurity risks that can affect your business. A data leak happens when sensitive data are leaked to the public. Note the following statistics from IBM’s 2020 “Cost of a Data Breach Report”:

  • The country with the highest cost of a data breach—United States, $8.19 million
  • Highest industry average cost—health care, $6.45 million
  • Average time to identify and contain a breach—279 days
  • Average size of a data breach—25,575 records
  • Average per-record cost for a data breach—$150

Aside from the costs of a data breach, there can be compliance and regulatory fines and other financial consequences levied against your organization if you are found in violation. The General Data Protection Regulation (GDPR) can levy fines up to 20 million euros or 4% of the total global turnover for severe violations. The financial consequences to your organization for an all-out data leak or a compliance violation are certainly not insignificant.

Unfortunately, in many cases, an employee who sets out to exfiltrate data to use elsewhere will begin doing so before announcing his or her intent to leave. This makes it difficult and unlikely that traditional HR processes for offboarding will effectively eliminate these types of risks simply by reclaiming business assets from the employee.  

By the time the assets are returned to the business, any data that might be exfiltrated will have already been copied by the employee to personal storage locally or even to a private cloud environment. Especially if your organization is leveraging public cloud environments, it can be challenging to identify and gain visibility to abnormal behavior, such as an employee downloading corporate data to his or her local device or personal cloud.   

This is where technology can help bolster the processes and procedures in place from an HR perspective to prevent data exfiltration from happening by an employee who is on the way out. By leveraging existing technology solutions and having a clear plan for the secure onboarding and offboarding of employees, organizations can mitigate much of the risk associated with the transition of employees in and out of the company.

Dmitry Dontov is the CEO and Founder of Spin Technology, a cloud data protection company based in Palo Alto, California, and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. As a serial entrepreneur and cybersecurity expert with over 20 years of experience in the security and team management, Dontov has a strong background in the cloud data protection field, making him an expert in SaaS data security who has an ability to influence teams. He is an author of two patents and a member of Forbes Business Councils and YEC. AI & Blockchain fan.