Blog - Secure Offboarding: Protecting Data When Employees Leave | Reveal Risk

So, it’s a Friday afternoon at the office, just after lunch. You’re wrapping up your week and starting to think about your weekend plans when you hear a knock on your office door. You look up and Casey, who has been uncharacteristically quiet all day, asks for a second to chat. You can tell from her face that something is on her mind, and she looks nervous. She then explains that she’s putting in her two-week notice. Now what?     

Of course, there are the usual steps: inform your supervisors, contact Human Resources, appropriately pass the news on to the rest of the team, and maybe even set aside time for a farewell lunch. But what about the technical side of things? That aspect seems more straightforward when it comes to onboarding someone. For example, new employees will surely inform you if they don’t get set up with payroll and benefits. Training is also specifically created to introduce a new employee to the company. Even legal documents serve as a checklist for completing the process correctly. However, this isn’t always the case when someone is offboarding. The difference? Once the employee leaves, they’re gone for good. A disorganized offboarding process can be problematic, if not dangerous, to any company.     

As part of assisting in Casey’s departure, specific steps must be taken to protect the company. It is vital to keep track of Casey’s company devices like computers, phones, and external storage drives because of the intrinsic value of these items. More importantly, the company data stored on those devices and access to company resources are likely worth more than the devices themselves. Just as Casey’s keys and access cards must be collected, so must any access she has to email accounts, file shares, company resources in the cloud, or other parts of the company network that are not accessible to the public. This security measure and others we’ll suggest in this article serve to keep control of access to all company-owned resources and data, therefore protecting your company and employees. These steps also protect people like Casey from future accusations of wrongdoing against the company.     

Why is offboarding an employee properly such a concern?     

Well, your employees are considered “insiders” because they have access to your company data, networks, and sensitive information as part of their job. Once they leave, you want to ensure that access to company resources is shut off. IBM reported that out of 4,716 insider threat occurrences, “2,962 were due to negligent or inadvertent employees or contractors and 1,105 were caused by criminal and malicious insiders.” This illustrates the real risk of former or current employees exposing sensitive company resources, whether intentionally or not.   

Departing employees should be a security focus in every business because they have significant access to your company’s most sensitive information. They know a lot about your business, including its clientele, trade secrets, business objectives, and access to a surprising amount of data/documents. Not only should you protect your assets by performing some basic technical procedures, but you should also mitigate the risk of your sensitive information being shared through other means, even accidentally.     

Unfortunately, insider threats stemming from disgruntled employees are far too common. This calls for a rigid offboarding process to improve your company’s security. But before we talk about what to do while offboarding, let’s highlight what NOT to do. Don’t:  

• Treat the employee with contempt, as this can set the tone for the remainder of their time at your company. Treat them respectfully, especially while they still have access to sensitive company resources as they finish their projects.  
• Pile on work last-minute. Instead, this time should be used to delegate their work to others. Your employee is ready to leave anyway, so don’t make exiting a burden for them.  
• Reduce the employee’s access to company resources. There’s no sense in doing this one or two weeks before their departure if they still have loose ends to tie up. Instead, do this within their last 24 hours.  
• Skip the exit interview. Exit interviews are a great way to understand potential areas of improvement within the business and the opportune time to get back all your company hardware.     

Most folks aren’t going to have malicious intent when they leave a company. However, even when a departing employee is leaving on good terms, the potential for problems related to improper offboarding may still exist. This is an easy process to neglect. Let’s put it this way: when new employees start, they need stuff. They aren’t going to be very productive if they don’t get things like access to certain systems, a computer, and a way to get into the office. When they leave, getting all that stuff back and removing their access to things like email accounts and remote access can easily be set aside. I can’t overstate the importance of training your staff to understand the potential trouble this can cause.    

Here’s an excellent example: In May 2021, Colonial Pipeline was the victim of a ransomware attack. This greatly affected everyday life in the United States. People panicked and hoarded gas, canceled flights, and disrupted the lives of millions of people. It brought cyber-related issues like supply chain risks to nearly everyone’s attention. Unless you followed the story carefully, you may not know that the entire attack could have been prevented with proper offboarding processes.               

Like many other companies, Colonial Pipeline used a Virtual Private Network (VPN). While that is no small part of the story, it is not the main issue from the perspective of this article. Most relevant here is that the VPN was accessed with credentials (username and password) belonging to an inactive employee. The credentials used were reported to have been part of a data leak unrelated to Colonial Pipeline. That means the credentials to log into Colonial Pipeline via the VPN were part of a data leak from a different company. These types of data leaks frequently happen from various sources.   

On a side note, this is why cybersecurity professionals advise people to avoid using the same password for different accounts. Arguably, many things besides proper offboarding processes could have prevented this attack. However, it cannot be denied that, had the proper offboarding procedures been followed, the credentials would not have worked to log into the VPN, which allowed access to Colonial Pipeline’s network, facilitating the ransomware attack, costing untold millions of dollars, and affecting the lives of millions of Americans.    

Ultimately, making the offboarding process as smooth as possible will make it easier and reduce security risks for everyone involved. *Drum roll, please* The moment you’ve been waiting for. Below is a checklist of our recommended offboarding tasks:   

• Inventory – If possible, this step should begin during the onboarding process. A detailed inventory of every device issued to the employee should be documented, along with any data and accounts to which the employee has access. Electronic access inventories are also helpful for account and access management. While there are tools to automate part of this process, they can take a lot of time and effort to scale for larger companies. You’re better off keeping a record of this from the start. Try to update this throughout the employee’s time at your company and review it for accuracy during the offboarding process. 
• Schedule – Once the employee has given their notice, determining what devices and access the employee needs to finish any outstanding tasks should be chosen. Any devices, data, or account access that is not required at this point should be immediately collected and terminated. This applies to accounts and data employees can access with their personally owned devices and includes accounts like email and file shares. In other words, practicing the principle of least access limits the exposure of the company and the liability of the departing employee. It protects both of you!  
• Monitor – Monitor the accounts and data that the departing employee continues to access. Yes, this is about trust, which may hurt feelings, but it’s necessary. Maybe it was best said in Jerry Maguire: “It’s not show friends, it’s show business.” Monitoring remaining accounts for any unauthorized copying or transferring of company data is mainly about protecting the company, but it also protects the departing employee from any mistakes or accidental activity, and unfounded accusations of malicious activity down the road.
• Retention – Plan to retain any data created by the employee. Once this data is deleted, it may be difficult or impossible to recover it. Having a plan to keep and protect this type of data will save you a lot of time and money in the long run.
• Finalize – Before the departing employee leaves the building (either physically or virtually) for the last time, complete a final inventory of all devices and access to ensure that everything has been collected and that access has been terminated appropriately on both company and personally owned devices. If appropriate, set up forwarding for communications like email and voicemail. Lastly, ensure that passwords are changed for any administrator or group accounts that the employee may have had access to. The exit interview is an opportune time to address most of these tasks.    

Proper offboarding procedures are easy to skip, and it can be challenging to realize that the appropriate steps are not taking place, at least until it creates a problem. Then, it may be disaster recovery time. In 2020, the Ponemon Institute reported that the average costs associated with criminal and malicious insiders exceeded $750,000 per incident. That’s enough to put many companies out of business, especially if they lack appropriate cyber liability insurance coverage or compliance.   

Reviewing the policies, procedures, and critical processes that address onboarding and offboarding processes can help highlight what your company is doing well and opportunities to reduce risk around insider threats and data loss. By assessing preparedness to detect, defend against, and recover from a cyber incident, including potential insider threats, the experts at Reveal Risk can assist your business in reducing cybersecurity risks through their people-and-process-first approach.