As the labor market gradually recovers from the COVID winter, the number of job openings finally surpassed the number of unemployed workers, reaching 10.9 million in Q3 2021. The separation rate has also floated up 3.9% to 5.8 million, which indicates more employees are leaving their current company voluntarily or involuntarily.
The onboarding process is usually given higher priority than offboarding, as it directly affects how well new hires adjust to the workflow and whether they have access to all the tools they need. But from a security perspective, offboarding needs more attention. Any negligence in this process can create security vulnerabilities that are hard for internal HR and IT departments to detect, and because communication between these two departments is often lacking, cybercriminals can easily use the information gap to take advantage of these security loopholes and cause harm to the whole organization.
Understanding the importance of the offboarding process and the risks that might result from negligence is only the beginning. This article outlines these potential risks and provides a seven-step guide that HR representatives should follow when they offboard an employee so they can protect the organization and employees from falling prey to hackers or scammers.
Monitor Online Traffic During Final Week
The top factor in data leaks and data loss is employees leaving a company. A lot of employees will make copies of files and information they have access to and take them with them for future reference. That is why when employees give their notice, the IT department should pay close attention to the online behavior of these employees, as well as limit or restrict their access to confidential information, to avoid potential leaks. Data loss prevention (DLP) tools are essential in detecting and preventing this type of activity.
Sync with IT Department
Many corporate e-mail compromises only happen because of information asymmetry between different departments. Cybercriminals can easily impersonate a former employee to send phishing e-mails to current employees who are not familiar with the personnel changes.
Therefore, HR reps should inform the IT department immediately when an employee has given notice or left the organization. Once IT is notified of the change, they can either close the accounts immediately or monitor for any irregular online traffic from those accounts and intercept them.
Broadcast Personnel Changes
Closing the information gap among all parties is the key to reducing potential risks. That’s why it is important to notify all employees and vendors when an employee no longer represents the company. This step is often forgotten or overlooked. Former employees can use their previous position or accounts for social engineering hacks and continue to access sensitive and confidential information.
Keep the Roster Up to Date
Delete old accounts from the domain server. Inactive accounts on the server can be vulnerable loopholes due to their lack of online activity and protection. Criminals can easily identify these accounts and breach the domain system through them. Even if the team needs more time to transfer the e-mail correspondence and files from the old account, it is crucial to keep track of these requests and give a deadline for these handovers. Once the deadline is reached, IT departments should immediately close the accounts.
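One way to keep track of handover requests and their deadlines is to reconcile the HR separation list against a directory account export on a schedule. The following is an added example, not part of the original article; the record fields, usernames, and finding labels are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample data: HR separation records and a directory account export.
HR_SEPARATIONS = [
    {"user": "jdoe", "last_day": date(2021, 11, 5), "handover_deadline": date(2021, 11, 19)},
    {"user": "asmith", "last_day": date(2021, 11, 12), "handover_deadline": None},
    {"user": "rpatel", "last_day": date(2021, 11, 12), "handover_deadline": None},
    {"user": "mlee", "last_day": date(2021, 11, 26), "handover_deadline": None},
    {"user": "tkhan", "last_day": date(2021, 10, 29), "handover_deadline": date(2021, 12, 3)},
]
DIRECTORY = [
    {"user": "jdoe", "enabled": True, "last_logon": date(2021, 11, 4)},
    {"user": "asmith", "enabled": False, "last_logon": date(2021, 11, 12)},
    {"user": "rpatel", "enabled": True, "last_logon": date(2021, 11, 11)},
    {"user": "mlee", "enabled": True, "last_logon": date(2021, 11, 22)},
    {"user": "tkhan", "enabled": True, "last_logon": date(2021, 11, 10)},
    {"user": "bwong", "enabled": True, "last_logon": date(2021, 11, 22)},
]

def audit_offboarding(separations, directory, today):
    """Return (user, finding) pairs for departed employees whose accounts need action."""
    accounts = {a["user"].lower(): a for a in directory}
    findings = []
    for rec in separations:
        if rec["last_day"] >= today:
            continue  # still employed; nothing to close yet
        acct = accounts.get(rec["user"].lower())
        if acct is None or not acct["enabled"]:
            continue  # account already deleted or disabled
        # A logon after the last working day means the account is still in use: review it.
        if acct["last_logon"] > rec["last_day"]:
            findings.append((rec["user"], "LOGON_AFTER_DEPARTURE"))
        deadline = rec["handover_deadline"]
        if deadline is None:
            # No handover was requested, so the account should already be closed.
            findings.append((rec["user"], "ENABLED_NO_HANDOVER"))
        elif today > deadline:
            findings.append((rec["user"], "HANDOVER_DEADLINE_PASSED"))
        # Otherwise the account is enabled under a handover window that is still open.
    return findings

if __name__ == "__main__":
    for user, finding in audit_offboarding(HR_SEPARATIONS, DIRECTORY, date(2021, 11, 23)):
        print(f"{user}: {finding}")
```

Accounts that remain enabled under an open handover window are not flagged until the deadline passes, which matches the rule of closing them as soon as the deadline is reached.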
Recovery of Borrowed Devices
The HR department and IT should make sure employees return any devices provided by the employer, such as laptops, computers, and mobile phones. Before distributing these devices to other workers, make sure all devices are recovered and restored to factory settings.
Update Passwords and Digital Access
Coordinate with the IT department to update the passwords to the network, cloud software, financial institutions, and vendor sites if the departing employee had access. Deactivate the former employee’s e-mail addresses to make sure they are not viable for new account registration, and revoke any access privileges, including remote databases and the virtual private network (VPN).
Establish a clear policy so departing employees are aware that corporate data should remain confidential and any future access or possession is against the organization’s policy. If necessary, a mobile device management (MDM) tool can be used to clean corporate data off of personal devices such as mobile phones and tablets.
HR employees play an essential role in guarding corporate information security because they have the latest information on personnel changes and handle the upfront communication with new hires and previous employees. Closing the information gap and making sure the IT department and other employees are aware of the latest changes in HR should be their priorities. Offboarding is as important as the onboarding process, and only when both are handled with caution will companies have a healthy information security profile in the long run.
Ara Aslanian is the CEO of Inverselogic, specializing in serving small-to-medium-sized businesses as well as local and state governments with comprehensive IT products and services.