Ex-Employees : Offboarding Checklist

Here we look at why organisations need to have an effective employee offboarding procedure in place and suggest a checklist for you that could form the basis of this procedure. 

Why? 

Members of organisations inevitably change over time for various reasons, perhaps to relocate to another job and move away, or they may be asked to leave, or for many other reasons. However, when employees or contractors/third parties leave a business and there is no effective ‘offboarding’ plan or system in place, they are likely to still have access to your organisation’s systems and data through old passwords and access-rights. Like it or not, this makes them a potential threat to your business.  

Creating an effective offboarding plan and process that can be actioned (immediately) as the employee leaves, therefore, can protect you and your clients, maintain the security plus help ensure safe continuity of the business, whilst help to fulfill legal and stakeholder responsibilities.  

Such a plan and process can start with a simple checklist, although you may find it ends up being longer than you first thought. With this in mind, we take a close-up look at employee offboarding and provide a summary offboarding checklist that you may want to use to help with your own offboarding process.  

What Kind of Threats? 

Examples of the kinds of potential threats that an organisation may need to guard against upon employee exit include: 

– Damage, theft, and disruption. Departing employees can cause significant harm by stealing data, attacking company systems, or disrupting network operations due to lack of proper security measures. 

– Insider threat. Ex-employees with active access rights can leak sensitive information, engage in industrial espionage, extort the company, or steal customer data. Insider threats account for a significant portion of data breaches. 

– Data exfiltration. Departing employees might take sensitive information like client lists or intellectual property with them (intentionally or unintentionally), leading to competitive disadvantages and legal issues. 

– Social engineering. Ex-employees may manipulate current employees using their insider knowledge to gain unauthorised access, often through phishing attacks. 

– Sabotage. Disgruntled former employees might delete important files, corrupt data, or disrupt services, causing operational and financial damage. 

– Legal and compliance risks. Failing to revoke access can lead to breaches of data protection regulations, resulting in legal penalties and reputational damage. 

– Continuity of business operations. Inadequate access control can disrupt business processes, especially if the ex-employee held key roles or knowledge, leading to operational bottlenecks. 

– Financial fraud. Ex-employees with access to financial systems may commit fraud, manipulate accounts, or process unauthorised transactions, impacting the company financially. 

– Loss of customer trust. Compromised customer data due to inadequate offboarding can erode trust, damage the company’s reputation, and lead to business losses and legal actions. 

How Big Is The Problem? 

A 2023 PasswordManager.com (US) survey found that 47 per cent of 1,000 workers admitted to still using their employers’ passwords even after leaving the company, with 58 per cent of them saying this was because the passwords had not changed since they left the company. Interestingly, 44 per cent said someone still working for the company shared it with them! 

Also, a UK government Cyber Security Breaches Survey 2022 revealed that while many UK businesses are aware of the risks, implementation of robust off-boarding procedures remains inconsistent. For example, only 36 per cent of businesses had formal cyber-security policies, and even fewer medium-sized enterprises reviewed these policies regularly. 

Examples 

Some high-profile examples of organisations who have suffered data breaches at the hands of ex-employees include: 

– In 2023, Tesla reported that a significant data breach had been caused by two former employees who leaked personal information of over 75,000 individuals, including employee records and other sensitive data.  

– Also in 2023, a former RAC employee was found guilty of stealing personal data of road traffic accident victims. The ex-employee had accessed and photographed sensitive data, which he later attempted to sell. 

– Back in 2016, broadcasting watchdog Ofcom suffered a large data breach when a former employee downloaded around six years’ worth of third-party data before leaving for a new job at a major broadcaster. The data was then offered to the new broadcaster who informed Ofcom. 

Legal Responsibility 

The examples above highlight one important reason for closing any potential holes in security during an employee exit which is the legal responsibility under current data laws. The United Kingdom General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018 (an updated version of the DPA 1998) are the primary legislative frameworks governing how businesses or organisations in the UK should manage the protection and handling of data. Within these frameworks, the data controller (i.e. your company or organisation) holds the responsibility for data matters. 

Protecting this data is crucial not only to safeguard the individuals whose data the company holds but also to protect the company itself from legal penalties, reputational damage, and other consequences. In addition to personal data, businesses must ensure the protection of other sensitive data such as financial records, intellectual property, and details about company security controls. 

Procedure 

These threats and responsibilities demonstrate that businesses and organisations need to address them as part of due diligence. This can be done by developing a built-in company procedure when an employee leaves (offboarding). 

The Checklist 

This company procedure could be built around a checklist / a kind of security audit that covers all the main areas from which leaving employees need to have their access revoked and which plugs any potential loopholes. The checklist could include, for example: 

1. Notification and Planning 

– Inform the IT security team and relevant departments about the employee’s departure, especially if the departure is contentious. 

– Plan the off-boarding process and assign responsibilities. 

2. Email and Communication Management 

Emails are a window into company communications and operations and a place where sensitive data is exchanged and stored. It is also a common ‘vector’ for cyber-criminals. Therefore, Revoke access to company email accounts. 

– Set up auto-forwarding and out-of-office replies with new contact details. 

– Revoke access to other email programs and mass mailing services (e.g. Mailchimp). 

3. Access to Systems and Networks 

Revoke login details and permissions for company computer systems and networks. 

– Disable VPN and remote access accounts. 

4. Customer Relationship Management (CRM) Systems 

– Revoke login access to CRMs containing customer and stakeholder data. 

5. Collaborative Working Apps and Platforms 

– Remove access to cloud-based platforms and collaboration tools (e.g. Teams, Slack). 

– Ensure that the employee cannot access shared working groups. 

6. Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) 

– Deactivate any 2FA or MFA devices or apps used by the employee. 

7. Privileged Accounts 

– Revoke access to any privileged accounts, including admin rights and root access on servers and databases. 

8. Physical Security Measures

– Retrieve all company-related keys, pass cards, ID cards, parking passes, and similar items. 

– Update physical security systems like alarm codes and biometric access. 

9. Return of Company Assets 

– Ensure the return of all company devices, including laptops, phones, and tablets. 

– Keep a record of which devices were allocated to the employee. 

10. Data and Document Access 

– Retrieve any backup/storage media (e.g. USBs). 

– Transfer or delete any items stored in separate folders on the employee’s computer. 

– Conduct a thorough audit of the employee’s digital footprint within document management systems. 

11. Password Management 

– Change any passwords shared with multiple members of staff. 

– Implement a regular password-changing policy as a fail-safe measure. 

12. Financial Security 

– Change PINs for company credit/debit cards authorised for the employee’s use. 

13. Social Media and Online Presence 

– Remove the employee’s email address and extension from the company website. 

– Update company social media to reflect the departure. 

– Ensure the ex-employee is not featured in the business’s online estate. 

14. Legal and Compliance 

– Ensure the off-boarding process complies with legal and regulatory requirements. 

– Remind the departing employee of their obligations under non-disclosure agreements (NDAs) and data protection laws during the exit interview. 

15. Monitoring and Follow-Up 

– Implement monitoring to detect any unusual activity associated with the former employee’s accounts. 

– Regularly review and update access review processes to adapt to organisational changes. 

16. Customer and Client Notification 

– Notify clients and customers of the change and provide new contact details to ensure continuity. 

17. Physical Document Retrieval 

– Retrieve any physical documents (e.g. handbooks) that could contain sensitive information. 

By following a comprehensive checklist like this one, you can effectively manage the security aspects of employee off-boarding, ensuring that all potential loopholes are addressed, and that the company’s data and resources remain secure. 

BYOD Threat? 

Where companies offer ‘Bring Your Own Device’ (BYOD) meaning that employees can bring in their personally owned laptops, tablets, and smartphones to work and use them to access company information, this could pose an additional level of threat during employee exit.  

This threat may be lessened where companies opt for different types of BYOD such as corporately owned/managed, personally enabled (COPE), choose your own device (CYOD), personally owned and partially enterprise managed or personally owned with managed container application.   

In any case, BYOD should always be accompanied by clear policies and guidance as part of effective management. 

Ex-Employee’s Legal Responsibilities 

It should be remembered that, although the business / organisation has legal responsibilities to protect company data, the ex-employee is also subject to the law for their behaviour. This is of particular importance where an employee, who has dealt with the personal details of others in the course of their work, leaves or retires. For example, the ICO prosecuted a charity worker who, without the knowledge of the data controller (Rochdale Connections Trust), sent emails from his former work email account (2017) containing sensitive personal information of 183 people. Also, a former Council schools admission department apprentice was found guilty of screen-shotting a spreadsheet that contained information about children and eligibility for free school meals and then sending it to a parent via Snapchat. 

What Does This Mean For Your Business? 

An effective offboarding procedure is essential to ensure that when employees or contractors leave an organisation, they pose a significantly reduced security risk. Without a proper system in place, departing employees may retain access to sensitive systems and data, which can lead to significant security breaches. This not only endangers the privacy and integrity of company and client information but also exposes the organisation to potential legal liabilities and reputational damage. 

Implementing a comprehensive offboarding checklist is really a matter of due diligence and helps to systematically address all potential vulnerabilities. Such a checklist ensures that all necessary steps are taken to revoke access to company emails, systems, and networks, and to retrieve company assets. By meticulously following these steps, businesses can prevent former employees from inadvertently or maliciously accessing confidential information. 

A well-structured, regularly updated checklist, therefore, facilitates clear communication among various departments involved in the offboarding process, ensuring that no critical task is overlooked. This organised approach can help maintain the continuity and security of business operations, safeguard the company from potential threats and ensure compliance with data protection regulations. A detailed offboarding procedure is a crucial element of any organisation’s overall security strategy, protecting both the company and its stakeholders.