In a workplace that is becoming even more remote and distributed, offboarding employees is complicated, error-prone and likely to open up privacy and security risks. Company data no longer resides in a few centralized, IT-sanctioned software locations. Instead, it goes into multiple standalone cloud software apps, many of them completely unsanctioned by IT.
Offboarding therefore becomes a process that, on the one hand, involves numerous repetitive, manual tasks and, on the other, may not fully remove company data from the apps the employee used. It can also cause a real catastrophe for the company if the data the offboarded employee can still access is used maliciously.
It is time for executives to realize that improper offboarding of employees may seriously affect the bottom line, and to look for solutions that make employee offboarding efficient in both time and effort.
Remote work and the need to stay productive, together with the ease of signing up for and expensing apps, are key reasons for the exploding adoption of SaaS software in organizations. Research has shown that long after leaving, offboarded employees still have access to financial accounts, Salesforce or other business tool accounts. And at least half of them log into such an account, with or without malicious intent.
A low-level employee might be less likely to steal important company data. An influential one, however, has a bigger chance of doing so, and might even have been using data in a cloud app that IT is not aware of. Hence, to guarantee the security of company data, IT should ensure efficient SaaS discovery in the first place, and fast and efficient offboarding in the second.
The average number of years an employee spends in a job keeps falling. In January 2012 the median tenure with an employer was 4.6 years, while in January 2020 it was 4.1 years, down more than 10% (data from the U.S. Bureau of Labor Statistics). The higher turnover adds to an already chaotic and hastily done offboarding process, which is usually confined to a checklist document.
In addition, there are numerous subcontracted companies, freelancers, consultants and other external parties who need access to company data and SaaS apps to do their job. Access is given, but rarely revoked appropriately once those people or companies end their relationship with the company. This adds to the data security challenge that IT teams are already facing, exposing the company to compliance and security risks, productivity losses, etc.
With remote and distributed teams and the need to stay productive, companies end up with multiple SaaS apps accessing company data, on company and personal devices, over networks that may be secure or may be public and far less secure. Huge amounts of data are being generated and shared, including with personal email accounts. There is hardly a chance for supervision and control by IT.
Attention is usually paid to improper offboarding only after it has resulted in an incident of company data abuse. At that point it is usually too late to take any remedial action.
It is important to realize that incomplete or inappropriate offboarding of employees can have serious consequences, so plan and prepare for this process well.
Given that employees often depart on not so good terms with the company, it can be expected that, if they can, they are likely to steal company data. How can data breaches by former employees be prevented, though?
There should be policies in place that do not allow such forwarding or sharing to take place, right from the moment the employee joins the organization. Failure to do so may lead to theft of intellectual data and personal data, which can have serious financial and compliance consequences.
It is often the case that departments or specific groups of employees in an organization share the same password for numerous SaaS apps. Usually it is the same easy-to-remember password used across several tools. But when an employee leaves, that password rarely gets changed.
Offboarding processes should ensure that such shared passwords get regularly updated. It is also good practice to use password managers like LastPass, so that those passwords can be easily populated and updated, with no visibility into what the actual password is.
The offboarding process should ensure that an employee's access to applications is terminated as soon as they have left the company. This should be done as quickly as possible, with an extra check on whether some applications still allow access via OAuth even after the user's password has been changed.
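The check described above can be run as a reconciliation between HR termination records and each app's access export. The following is an added example, not part of the original article: the record layout, field names and sample data are constructed assumptions, and it lists every credential or OAuth grant still active for a departed user, with those used after the exit date first.

```python
from datetime import datetime, timezone

# Constructed sample data: exit timestamps from HR, keyed by user.
TERMINATIONS = {
    "alice@example.com": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "bob@example.com": datetime(2024, 3, 15, 17, 0, tzinfo=timezone.utc),
}

# Constructed sample data: one row per credential or OAuth grant, as an
# access export from each SaaS app might provide (hypothetical layout).
ACCESS_RECORDS = [
    {"app": "crm", "user": "alice@example.com", "kind": "password",
     "status": "disabled", "last_used": "2024-02-28T09:00:00+00:00"},
    {"app": "crm", "user": "alice@example.com", "kind": "oauth_grant",
     "status": "active", "last_used": "2024-03-04T08:12:00+00:00"},
    {"app": "finance", "user": "bob@example.com", "kind": "password",
     "status": "active", "last_used": "2024-03-10T11:30:00+00:00"},
    {"app": "wiki", "user": "carol@example.com", "kind": "password",
     "status": "active", "last_used": "2024-03-20T10:00:00+00:00"},
    {"app": "storage", "user": "bob@example.com", "kind": "oauth_grant",
     "status": "active", "last_used": "2024-03-20T22:45:00+00:00"},
]


def residual_access(terminations, records):
    """Return access that is still active for users who have left.

    A disabled password does not clear a user: an OAuth grant issued
    earlier is a separate record and is reported while it stays active.
    """
    findings = []
    for rec in records:
        left_at = terminations.get(rec["user"])
        if left_at is None or rec["status"] != "active":
            continue  # current employee, or access already revoked
        last_used = datetime.fromisoformat(rec["last_used"])
        findings.append({
            "user": rec["user"],
            "app": rec["app"],
            "kind": rec["kind"],
            "used_after_exit": last_used > left_at,
        })
    # Access actually used after the exit date is the most urgent.
    return sorted(findings,
                  key=lambda f: (not f["used_after_exit"], f["user"], f["app"]))


if __name__ == "__main__":
    for finding in residual_access(TERMINATIONS, ACCESS_RECORDS):
        print(finding)
```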
Employees nowadays access company data on both company and personal devices. Make sure to automate wiping that data as soon as the employee has departed, to protect against sensitive data exposure.
Companies pay for numerous SaaS licenses, and many of those go completely unused due to improper offboarding. Suggested actions that can keep unused licenses under control are:
The process of offboarding poses a high risk of confidential data breaches, and hence there are compliance standards that provide guidelines specifically on how employee offboarding should be accomplished. To avoid the risk of compliance violations, the following action can be taken:
This means that everyone should be assigned the lowest possible access that enables them to do their job. If higher access is needed, it can be given only temporarily and then set to expire, get automatically revoked, etc.
Observing this rule ensures you are not taking on unnecessary risk of unintentional or intentional data abuse.
The logs should keep detailed information about what offboarding actions were done, when and by whom. Those logs would need to be presented during a compliance or certification renewal audit, which generally includes examination of the offboarding process logs.
>> Regularly check for sharing of confidential information
Confidential information like social security numbers may get accidentally shared with colleagues or external parties, leading to compliance violations. You can use simple commands to check for such information being shared.
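One such check for U.S. social security numbers is a pattern scan over the text of shared files or messages. The following is an added example, not part of the original article: the sample text is constructed, and the scan drops values the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000) to cut false positives, and masks each match so the report does not leak the value again.

```python
import re

# Three digits, two digits, four digits, with the same optional separator
# (hyphen or space) in both positions, and not embedded in a longer number.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Constructed sample text standing in for the content of a shared file.
SAMPLE_TEXT = """\
Onboarding form for J. Doe, SSN 123-45-6789, start date 2024-01-08
Invoice 000-12-3456 is not an SSN
Call the help desk on 555-123-4567
Tax ID on file: 219 09 9999
Ticket 987-65-4321 escalated
"""


def is_plausible_ssn(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return (line number, masked value) for each plausible SSN found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SSN_RE.finditer(line):
            area, _sep, group, serial = match.groups()
            if is_plausible_ssn(area, group, serial):
                # Keep only the last four digits in the report.
                hits.append((lineno, f"***-**-{serial}"))
    return hits


if __name__ == "__main__":
    for lineno, masked in find_ssns(SAMPLE_TEXT):
        print(f"line {lineno}: possible SSN {masked}")
```

Because the separator is optional, any unformatted nine-digit number in a valid range is also reported, so hits need a manual review before they are treated as a violation.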
Depending on your industry or country regulations, you may be required to retain specific employee data longer than usual. Accidental data loss may lead to legal issues, so ensure you are properly retaining data, along with doing regular data backups.
The offboarding process generally includes cleaning any corporate data off employees' personal devices. IT can remotely clean devices but should be careful to restrict the clean-up to company data only and leave stored personal information untouched.
If a user offboarding has not been done properly, the negative consequences can be felt for months, particularly by employees who used to collaborate with or depended on the employee. How can we make sure those negative results are avoided or minimized after an employee has been offboarded?
With more SaaS applications being used by the average employee, the complexity of offboarding, as well as the potential security and compliance threats, is growing. Thanks to IT management platforms like Oveo, however, offboarding processes can be completely automated. The advantages of automated offboarding, compared to a manually executed one, are numerous:
Compliance audits require logs of every action taken throughout an offboarding process, including who did what and when. With manual offboarding, those logs might be found inside the interface of each SaaS app from which the user had been offboarded.
With automated offboarding, those logs are automatically generated for you and ready to be exported and presented in case of a compliance audit.
Already convinced about the numerous benefits of automated offboarding? Sign up for a personalized Oveo demo and find out more on the ease of setting up offboarding automations with Oveo.