In a workplace that is becoming even more remote and distributed, offboarding employees is complicated, error-prone and likely to open up privacy and security risks. Company data is no longer residing in a few, IT-sanctioned and centralized software locations. Rather, this data goes into multiple, standalone cloud software apps, many of them completely unsanctioned by IT.

Offboarding employees, hence, becomes a process that on one end, includes numerous, repetitive and manual tasks and on the other, a process which may not be able to fully remove the company data from apps used by the employee. It also becomes a process which may cause a real catastrophe for the company, should the data that the offboarded employee has access to be used in a malicious way.

Hence, it is time for executives to realize that improper offboarding of employees may seriously affect the bottom line, and prompt them to look for solutions for efficient, time- and effort-wise employee offboarding.

What makes the employee offboarding process so complex nowadays?

>> The huge number of apps used by every employee in an organization

Remote work and the need to stay productive, together with the ease of signing up and expensing apps are key reasons for the exploding adoption of SaaS software in organizations. Research has shown that long after leaving, offboarded employees still have access to financial accounts, Salesforce or other business tool accounts. And at least half of them log into such an account with or without a malicious intent.

A low-level employee might be less likely to steal important company data. An influential one, however, is running a bigger chance of doing so, and might have even been using data in a cloud app that the IT is not even aware about. Hence, to guarantee the security of company data, IT should ensure efficient SaaS discovery in the first place, and fast and efficient offboarding, in the second.

>> The shorter employee lifetime in an organization

The average number of years an employee is spending on a job is constantly getting reduced. In January 2012 the median years of tenure with an employer was 4.6 years, while in January 2020 those years are 4.1, down more than 10% (data is from the U.S Bureau of Labor Statistics). The bigger turnover is adding to an already chaotic and hastily done offboarding process, which is usually confined to a checklist document.

In addition, there are numerous subcontracted companies, freelancers, consultants and other external parties, who need access to company data and SaaS apps to do their job. Access is given, but rarely revoked appropriately once those people or companies terminate their relationship with the company. This further adds to the data security challenge that ITs are already facing, making the company exposed to compliance and security risks, productivity losses, etc.

>> The spread of data across multiple apps and on numerous devices, including personal ones

Remote and distributed teams and the need to stay productive make companies face the situation of multiple SaaS apps accessing the company data, on company and personal devices, via secure or not that secure, public networks. Huge data is being generated and shared, including with personal emails. There is hardly a chance for supervision and control by IT.

What could be some serious consequences from offboarding not done well? What can we do about them?

Attention to improper offboarding is usually paid only after a company data abuse incident resulting from improper offboarding has occurred. At that time it is usually too late to take any remedy action.

It is important to realize that incomplete or inappropriate offboarding of employees can have serious consequences. Hence, you need to plan and get prepared for this process well. 

What are some of the negative situations your company may get faced with, if employees are improperly offboarded?

Data breach

Given that employees are usually departing on not so good terms with the company, it can be expected that if they can, they are likely to steal company data. How can data breach by former employees get prevented though?

>> Prevent forwarding of emails or file sharing to personal email accounts

There should be policies in place that do not allow such forwarding or sharing to take place, right from the moment the employee has joined the organization. Failure to do so may cause stealing of intellectual data and personal data, which can have serious financial and compliance results.

>> Reset shared passwords when an employee leaves the organization

It is often the case that departments or specific groups of employees in an organization share the same pass for numerous SaaS apps. Usually it’s the same, easy to remember pass used across several tools. But, when an employee leaves, rarely does that password get changed.

Offboarding processes should ensure that such shared passwords get regularly updated. It is also a good practice to use password managers like LastPass so those passwords may get easily populated and updated, with no visibility on what the actual password is.

>> Revoke access to applications 

The offboarding process should ensure that an employee’s access to applications is terminated as soon as s/he has left the company. This should be done within shortest terms, with an extra check done on whether some applications still allow access via OAuth, even after the change on the user password.

>> Remove company data from company and personal devices

Employees are nowadays accessing company data on both company and personal devices. Make sure to automate the wiping out of that data, as soon as the employee has departed, to protect against sensitive data exposure.

High SaaS expense for unused licenses

Companies are paying for numerous SaaS licenses and a big number of those is completely unused due to improper offboarding. Suggested actions that can keep unused licenses under control are:

  • Account for suspended licenses in each SaaS and only allow such licenses within a specific limit, e.g up to 5
  • Only allow company credit cards to be used for IT-managed SaaS apps
    To ensure IT visibility and control on the SaaS licenses, enforce a company policy where only IT-managed SaaS apps can be paid via the company credit cards. Then review every single recurring expense on the company cards and ensure it is done for an IT-managed app. You can also revise any company policies that allow the employees to expense cloud software payments.
  • Make it a rule to reassign licenses from offboarded employees to newly onboarded team members, and only after those licenses are over, purchase new ones.
    Thus you are less like to leave unused licenses hanging around and being paid for.

Confidential data breaches and compliance violations

The process of offboarding poses high risk for confidential data breaches and hence, there are compliance standards that provide guidlines specifically on how the employee offboarding should be accomplished. To avoid the risk of compliance violations, the following action can be taken:

>> Always stick to the least privilege rule

This means that everyone should be assigned the lowest possible access that enables them to do their job. If higher access is needed, it can be given only temporarily and then set to expire, get automatically revoked, etc.
Observing this rule would ensure you are not running unneeded risks for unintentional or intentional abuse with data.

>> Ensure you have system logs showing all actions done during the offboarding process

The logs should keep detailed information about what offboarding actions were done, when and by whom. Those logs would need to be presented during a compliance or certification renewals audit, which generally include examination of the offboarding process logs.

>> Regularly check for sharing of confidential information

Confidential information like social security numbers may get accidentally shared with colleagues or external parties, leading to compliance violations. You can use simple commands to check for such information being shared.

>> Make sure you are retaining data as long as needed

Depending on your industry or country regulations you may be required to retain specific employee data longer than usual. Accidental data loss may lead to legal issues so ensure you are properly retaining data, along with doing regular data backups.

>> Ensure you are not removing personal employee data during the clean-up of corporate one

The offboarding process generally includes cleaning of employee personal devices from any corporate data. IT can remotely clean devices but should be careful to restrict the clean-up to company data only and not affect personal information stored.

Reduced productivity for months after the employee has been offboarded

If a user offboarding has not been done properly, the negative consequences can be felt for months, particularly by employees who used to collaborate with or depended on the employee. How can we make sure those negative results are avoided or minimized after an employee has been offboarded?

  • Ensure you have documentation for every process in the organization and for every tool, script, automation or other result created by each of the employees
    Such documentation should, as a rule, be created on an ongoing basis and not right before the employee’s leave. Make sure that any employees taking over the leaving employee’s chores are familiar with the documentation, have discussed any questions on it and have spent time working with the process/tool/script/automation which the employee will be abandoning.

  • Define how the email of an offboarded employee should be handled
    You need to decide whether the departing person’s email would be accessible for his/her manager, if forwarding to IT or a predefined email account would be set up for future communication to this email, whether there should be an autoresponder set up and so on. This is an important step since partners, customers, leads, etc may not be aware of the person’s leaving and getting no reply or autoresponder of any kind may result in missed business opportunities for the company.

  • Ensure that calendar and owned resources have been appropriately transferred or handled
    If a person’s account is simply deleted, then all calendar events, Drive files, etc will be also wiped out. To ensure that no important company documentation has been lost or booked resources disappeared, ensure that the ownership of the drive files and of any booked upcoming meetings has been transferred to a manager or a designated account.

  • Ensure automation of your offboarding processes
    Offboarding employees is a process including numerous small and repetitive tasks. Executing them manually, with the precision required, may take a lot of IT time. Take advantage of IT automation platforms like Oveo to have those tasks accomplished as part of an automated workflow, making sure that nothing important has been missed.

Advantages of automated employee offboarding 

With more SaaS applications being used by the average employee, the complexity of offboarding, as well as potential security and compliance threats, are becoming bigger. Thanks to IT management platforms like Oveo, however, offboarding processes can get completely automated. The advantages of automated offboarding, compared to manually executed one, are numerous:

  • Less room for human error
    With automation, once the set of offboarding tasks gets defined, the offboarding process gets executed - on time, as specified, with no chance for human error or skipping a task. IT personnel may change, their skills may be different, but the offboarding is getting properly accomplished, every time, with no need for training.

  • Easy adjustments and updates to the offboarding process
    If new offboarding tasks need to get added, the automation workflow can get easily modified to accommodate those.

  • Timely execution
    Employee offboarding is a time-critical process. It is not only important to offboard the employee properly, but also do it as soon as s/he stepped out of the company so any security risks are minimized. With automated offboarding, a host of offboarding tasks get executed at a tiny fraction of the time it would take in case of manual execution. On one end, the IT people are saving precious time, and on the other - timely offboarding eliminates the risk for data breach and other security and compliance issues.

  • Easy spotting of issues during the offboarding process
    Should an error occur during the automated offboarding, the IT automation system is taking care to display the respective notifications, with information on what broke, so you may instantly take remedy actions.

  • Easy compliance

Compliance audits require logs of every action taken throughout an offboarding process, including who did what and when. With manual offboarding. those logs might be found inside the interface of each SaaS app from which the user had been offboarded.
With automated offboarding, those logs are automatically generated for you and ready to be exported and presented in case of compliance audit.

Already convinced about the numerous benefits of automated offboarding? Sign up for a personalized Oveo demo and find out more on the ease of setting up offboarding automations with Oveo.


Get your personalized demo today

Let us show you our innovative approach to SaaS Management or connect your data for an instant SaaS Audit. Request your personalized demo below or reach out on the chat.