While protecting your data from external cyber attacks and educating employees about insider threats are essential, what if an internal threat turns into an external one? The risk posed by departing employees is often overlooked, yet it can be significant and detrimental to a company's data security.
In this article, we’ll provide you with guidance on how to protect your sensitive and confidential data when an employee is departing the company. What should you consider in the employee offboarding process?
The risks of departing employees
As much as you want to believe that your employees want nothing but the best for your company, you need to maintain a healthy level of doubt for the ultimate good of everyone. If you do not protect your company’s data from the bad guys, even the good guys will suffer.
That’s not to say that departing employees magically turn bad overnight; insider threat is a thing to look out for even in situations where nobody is being terminated. Data loss may result from malicious or unintentional action. For example:
- Employees often have access to sensitive information, such as customer data or trade secrets, which can be misused or leaked.
- An ex-employee could share confidential information with their new employer, giving them access to valuable information or causing you to lose your competitive advantage.
- If an employee leaves on bad terms, they may intentionally cause harm to a company by deleting or modifying data or even by using it for personal gain.
- Well-intentioned employees may accidentally leave behind sensitive information on their devices, such as laptops or smartphones, which can then be accessed by unauthorized individuals.
To prevent such things from happening to your company, you need to have an employee offboarding process in place. As they say: “By failing to prepare, you are preparing to fail”.
With clear offboarding policies, you won’t be caught off guard when an employee leaves, and you’ll be able to protect your company’s sensitive data by following a step-by-step process based on an offboarding checklist.
Developing an offboarding plan
You want employee departures to be smooth and, in a perfect world, without any negativity. The HR processes behind this are one thing, and the technical aspects of an employee leaving are another. Every step relating to protecting the company’s data upon an employee’s departure should be set out in an offboarding plan.
This way, in the event of employment termination, you’ll be able to whip out the offboarding plan and follow your offboarding checklist without leaving anything up to chance or imagination.
Your company’s offboarding plan should cover these main areas:
- Communication: Once you inform the employee of the termination (or vice versa), it’s good practice to let them know what to expect in the coming days. This is also the perfect opportunity to remind them of the confidentiality agreement they signed when they joined the company.
- Access and devices: Revoke the employee’s access to all company networks, email, databases, and any software your company uses. Follow this up with any third-party systems you use, like cloud services or social media accounts. Have a process set up for collecting all company-owned devices from the employee.
- Exit interview: As the final step of the offboarding process, conduct an interview to get any feedback from the employee and use the opportunity to remind them of their confidentiality obligations and other legal requirements.
It's not just about preparing for a smooth transition when an employee leaves amicably, but also about anticipating situations that could put your business at risk. An effective offboarding plan is like a safety net that keeps your company's sensitive data from falling into the wrong hands in all potential situations.
There are scenarios that require careful consideration in your offboarding checklist. No matter what the circumstances, you must cover all your bases to ensure a secure handover of data and equipment.
Perhaps you’ll need to terminate an employee (or group of employees) and are expecting an investigation or legal action. Or, you're dealing with a remote worker and/or implementing a bring-your-own-device (BYOD) policy.
It's crucial to tailor your offboarding plan to address the unique challenges of each situation that could transpire in your particular organization.
Creating an offboarding checklist
A practical part of an offboarding plan is an “offboarding checklist” – it’s a tool used to ensure that nothing is overlooked during the employee offboarding process. This ensures that all necessary tasks are completed, leaving no room for oversights that could compromise the company's sensitive information or result in data loss.
The offboarding checklist will help the departing employee wrap up their work and complete all administrative tasks associated with leaving the company.
Here are examples of what an employee offboarding checklist should include:
- Remind them of confidentiality. Remind the employee of their confidentiality obligations and ensure they do not take any confidential information with them or share it with anyone.
- Recover company assets. The employee returns all hardware, including phones, laptops, access keys, tokens and any other company-owned devices. If you allow employees to buy their phones or laptops from the company upon departure, make sure the hardware is wiped clean of any data or access information.
- Revoke systems access. Make sure the employee will not have access to any company networks, emails, cloud services or social media accounts after their departure. Transferring access to another employee (where necessary) is also part of this step in the offboarding checklist.
- Reset passwords. This is a continuation of the previous point on the list: all passwords associated with the departing employee's accounts should be changed.
- Collect employee’s information. It’s important to have all of the departing employee’s information on hand in case any formalities arise after their departure.
- Perform an exit interview. An exit interview can help the company identify potential security risks posed by the departing employee. It’s also the time to remind and detail the employee’s obligations regarding sensitive data, trade secrets, and other information they had access to. Last but not least, it is a good opportunity for companies to gather feedback to identify areas where their data protection policies may be lacking or where they could be improved.
There are other areas that you will want to touch upon in your offboarding checklist, from internal communication, payroll and contractual obligations, to the transfer of knowledge and updating the company databases, to name a few. We won’t dig deeper into those topics here, but they are a crucial part of the offboarding process and shouldn’t be forgotten when creating an offboarding checklist.
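The access, password and asset items of the checklist can be verified after the fact rather than taken on trust. The following is an added example, not part of the original article: it reconciles a leaver list against account and asset exports and reports checklist steps that are still open. The record layout, user names, system names and asset tags are constructed for illustration.

```python
from datetime import date

# Constructed sample data (hypothetical names, systems and field layout).
LEAVERS = {"jdoe": date(2024, 3, 29)}  # user -> last working day
ACCOUNTS = [  # one row per account, as exported from each system
    {"system": "email", "owner": "jdoe", "users": ["jdoe"],
     "enabled": False, "pw_changed": date(2024, 3, 29)},
    {"system": "cloud-console", "owner": "jdoe", "users": ["jdoe"],
     "enabled": True, "pw_changed": date(2023, 11, 2)},
    {"system": "social-media", "owner": "marketing", "users": ["jdoe", "asmith"],
     "enabled": True, "pw_changed": date(2024, 1, 15)},
    {"system": "email", "owner": "asmith", "users": ["asmith"],
     "enabled": True, "pw_changed": date(2024, 2, 1)},
]
ASSETS = [
    {"tag": "LT-0142", "assigned_to": "jdoe", "returned": True, "wiped": False},
    {"tag": "PH-0077", "assigned_to": "jdoe", "returned": False, "wiped": False},
]

def audit_offboarding(leavers, accounts, assets, today):
    """Return (user, item, finding) tuples for checklist steps still open."""
    findings = []
    for user, last_day in leavers.items():
        if today <= last_day:
            continue  # still employed; nothing is overdue yet
        for acct in accounts:
            if user not in acct["users"]:
                continue
            personal = acct["owner"] == user
            if personal and acct["enabled"]:
                findings.append((user, acct["system"], "personal account still enabled"))
            # Shared logins stay active, so the credential must have been
            # rotated on or after the last working day.
            if not personal and acct["pw_changed"] < last_day:
                findings.append((user, acct["system"], "shared password not reset"))
        for asset in assets:
            if asset["assigned_to"] != user:
                continue
            if not asset["returned"]:
                findings.append((user, asset["tag"], "device not returned"))
            elif not asset["wiped"]:
                # Hardware that has come back must still be wiped.
                findings.append((user, asset["tag"], "device not wiped"))
    return findings

if __name__ == "__main__":
    for finding in audit_offboarding(LEAVERS, ACCOUNTS, ASSETS, date(2024, 4, 2)):
        print(*finding, sep=" | ")
```

Shared logins such as a social media account are the case a per-user "disable account" step misses, which is why the check looks at the password rotation date instead of the enabled flag.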
Implementing offboarding policies
Policies that outline expectations for departing employees can help mitigate potential risks associated with data breaches, intellectual property theft, or other security concerns. But it’s not just the company that is protected by an offboarding policy; the departing employee also benefits from it.
A well-structured offboarding policy can make all the difference in the employee's experience, making sure that they don't feel burdened by a disorganized or disrespectful exit. And not only does this foster a positive culture for your departing employees, but it also contributes to your company's reputation, demonstrating your commitment to treating all employees with dignity and respect, regardless of their role, seniority, or the circumstances of their departure.
Well-documented policies also help companies comply with relevant laws and regulations regarding data protection. As such, they are an important part of any company’s data loss prevention system.
When setting up your offboarding process, make it part of your company’s information security management system (you can refer to ISO 27001 for guidance).
The value of an effective employee offboarding process
A solid offboarding plan can help protect your company from many potential risks, such as:
- Legal liability: If an ex-employee takes sensitive or confidential data out of the company, the company may be held responsible for any damages caused by the disclosure of such data, including lost revenue, legal fees, and fines.
- Breach costs: If data does get stolen or taken by the departing employee and the company suffers a data breach as a result of it, the costs for the company can skyrocket pretty fast. Companies may also face additional costs associated with breach notification, data recovery, and system restoration.
- Reputation damage: Any data loss incident will damage a company's reputation, resulting in a loss of customer trust and, ultimately, business and revenue.
- Loss of intellectual property: When employees depart from a company, they may take confidential information or trade secrets with them, which could potentially be shared with their new employer. To prevent the loss of intellectual property, it is crucial to handle this matter through the use of nondisclosure agreements (NDAs).
- Regulatory compliance: Your company may be subject to various regulatory requirements, such as HIPAA, GDPR, or CCPA. Failure to comply with these regulations can result in significant fines and legal penalties.
You don’t want to leave any loose ends when your employee is transitioning out of the company. By creating a solid offboarding process, you can minimize the risk of data loss or theft, protect your company's interests, and avoid scrambling at the last minute, potentially putting your company's data security and reputation at risk.