The Threat of Ex-Employees: Time to Update Your CT Company's Offboarding Process

One of the greatest threats Connecticut companies face when it comes to data security is ex-employees. Whether someone has been fired or left the company, failure to remove old passwords and update security protocols can leave corporate systems vulnerable to attack.

You wouldn’t want your sales database to fall into the hands of a competitor, and you wouldn’t want a disgruntled ex-employee wreaking havoc on your files. It’s essential to implement a comprehensive offboarding process for departing employees to protect corporate data assets, but it is surprising how few Connecticut businesses have the necessary exit protocols in place.

According to a survey of 500 U.S.-based IT managers conducted by OneLogin, 48 percent are aware of former employees who still have access to corporate applications, and 50 percent say that ex-employee accounts remain active for more than a day. Twenty-five percent report that it takes more than a week to deprovision former employees, and another 25 percent aren’t sure how long accounts remain active for ex-employees. More importantly, 20 percent say that failure to do a proper offboarding or deprovisioning of departing employees has contributed to a data breach.

Remember when Sony Entertainment was hacked in 2014? It ultimately was determined that the hack exploited a dissatisfied employee’s access that was still available. As a result, thousands of employee records were compromised, dozens of lawsuits were filed, and damages rose to an estimated $100 million. The Sony hack could have been prevented with proper deprovisioning procedures.

Every Connecticut business needs to take steps to protect itself from former employees looking for revenge or to exploit services and applications.

Develop an Offboarding Security Checklist

Just as you have a provisioning strategy to set up new employees with access to corporate assets, you need to reverse the process and create a checklist of company resources that need to be secured once an employee leaves the organization. Start with the list of corporate assets that were issued when the worker began employment and then review other applications and assets that may have been added during their time with the company.

Here is a list to start the process:

1. Physical assets: Obviously, any company-issued equipment needs to be returned. If you issued a laptop, cell phone, tablet, or any other computing assets, they need to be turned in. Once they are turned in, be sure to wipe them clean. You want to make sure that they are free from malware and sensitive information.
2. Passwords: Remove all active old passwords from corporate systems. Chances are you are using some kind of user authentication system or password manager so you can easily determine which applications and systems need to be secured.
3. Shared applications: Don’t overlook shared assets and applications. Different departments use different corporate applications and services, so it is likely that team members share passwords. Be sure to review shared resources such as the company database or cloud-based CRM systems. It is a good practice to change credentials and passwords for these types of systems periodically, but you definitely should do so as part of an offboarding procedure.
4. Third-party services: Also, be sure to secure contracted services from suppliers and things such as courier services that can be scheduled via the web. It may be as simple as changing an online password or you may need to take additional steps, but be sure you track outsourced providers that could be compromised.
5. Building security: Physical building security also needs to be considered. In addition to collecting key cards, you also might consider changing building access codes or biometric interfaces that provide access to the office or sensitive areas.
6. Review your checklist: Be sure to review your security checklist regularly, removing outdated security protocols and adding new security procedures for new systems and services. You should review your security checklist annually, if not more frequently.

Automating Deprovisioning

Maintaining enterprise systems security is an ongoing process, and it needs to be updated on an ongoing basis. Even with updated protocols, manual deprovisioning increases the risk of human error. Missing a single step can leave a gaping security hole that can be exploited later. Manual deprovisioning is time-consuming as well: 92 percent of those polled by OneLogin say they spend more than an hour de-provisioning past employees from company applications.

Automating deprovisioning processes offers some real advantages:

1. Automation ensures that all procedures are executed and nothing is overlooked. If a step is included in the automated process then it will be completed, eliminating any security holes.
2. You can create different deprovisioning procedures for different job functions. All you have to do is modify the workflow to deal with any variations or complex tasks.
3. Automating deprovisioning also means the process is immediate. Rather than taking hours or days to offboard an employee, you can update systems in one quick step.

To eliminate errors and streamline deprovisioning, consider outsourcing the deprovisioning process. Managed service providers (MSPs) like NSI specialize in systems provisioning as well as security, which means we have procedures and solutions to simplify and automate deprovisioning, eliminating the hassle of dealing with it internally and ensuring every step is completed.

However you choose to handle offboarding, your Connecticut business needs to be thorough when making sure you close the door on departing employees. Be sure to have a detailed inventory of secured assets and keep it up to date. Consider automating provisioning and deprovisioning of employees, or better yet, rely on an expert such as NSI to help you define and maintain deprovisioning protocols and handle the process for you.