When They Leave: Offboarding Policies for Security

It happens. One of your customers’ employees moves on to a new gig. Whether it’s for more pay, more responsibility, or just a change of pace, they’re onto a new adventure.

Unfortunately, just because this employee left on good terms and seems a likely candidate for leaving a top-notch review on Glassdoor, you can’t take your chances. When employees leave—whether by choice or due to a firing or layoff—they represent a risk. They can use their old access and knowledge to steal data or customers or to place malware that just generally causes havoc.

As an MSP, you need to protect your customers from potentially malicious former employees. Today, I want to cover important offboarding policies to consider when employees leave.

When They Leave

As mentioned earlier, any employee who leaves—whether by choice or not—represents a risk. They have insider knowledge of your company, operations, systems, and data. While a sysadmin could likely cause more chaos than a graphic designer, nearly everyone who leaves introduces some level of risk. And don’t forget—the employee doesn’t need to be malicious to potentially damage the company. A user might retain access on their phone to a single app they needed to use while working; if that account is later compromised, they could unwittingly cause a data breach.

So here are a few tips to help you reduce your risk:

  • Plan ahead during onboarding: Preparing for an employee’s exit should start when they’re hired. Keep an inventory of all devices given to employees and a list of services the employee will consistently access. If you’re taking on a new client, you’ll need to do this inventory for their existing employees. Track all inventories in a central location like an RMM tool. Doing this could save you a lot of hassle down the line.
  • Recover all equipment: When someone finally leaves, gather all equipment from them and make sure you aren’t missing anything from your inventory. This includes laptops, company-provided smartphones and tablets, and keys for the building. While this physical security measure often falls within the domain of HR, make sure to coordinate with them (or take the task on yourself with a site visit) to help prevent any unnecessary risks.
  • Shut down accounts: Once someone leaves, start shutting down their account access immediately. If you followed the first step, you should have a list of services the employee can access, making this step much easier. You don’t want someone logging into the company social media account and making unfavorable comments that harm your customers’ reputation.
  • Active monitoring: Beyond shutting down accounts, you’ll want to have monitoring in place to check for unauthorized access attempts after someone leaves. For risky employees with access to sensitive data, you should always have this level of monitoring in place to begin with. If someone knows they plan to leave or is worried about being laid off or fired, they may begin copying files or data well before they officially leave the company. Monitoring accounts for warning signs such as mass deletion or copying of files, or installation of unusual software, can help reduce the risk of them harming the organization before they leave.
  • Training: It’s just as important to make sure that you train employees on good security practices and consistently remind them of those practices. They should know how important it is to avoid copying data outside of the organization and to avoid sharing passwords. Also, remind employees not to let ex-employees into the building unsupervised. They may trust the person, but that trust could be dangerous. An ex-employee could easily drop by for a quick lunch with a former coworker and end up doing harm while in the building. Just stay on the safe side and don’t leave anyone who isn’t a current employee unattended in the building.
  • Don’t waver: Finally, it’s worth mentioning that you should remain consistent in your policies. Don’t make exceptions—if you can’t recover a device, try to wipe it remotely. If someone leaves but still contracts for the organization, create new accounts for them with new permissions (or at least reduce their permissions in the account). Double-check that employees follow the rules on letting former workers back into the building. Just play it safe and make sure your team stays consistent.
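
The inventory, account shutdown, and monitoring tips above can be checked together. The following Python script is an added example, not part of the original article or of any SolarWinds product; the record layout, user names, services, and thresholds are all constructed assumptions. It reconciles the onboarding inventory against account state and access events, and flags accounts left active, services missing from the inventory, access attempts after the exit date, and bulk file activity shortly before it.

```python
from datetime import datetime, timedelta

# Constructed sample: per-user service inventory started at onboarding,
# updated with the exit time and current account state at offboarding.
INVENTORY = {
    "jdoe": {"left": datetime(2024, 3, 1, 17, 0),
             "services": {"email": "disabled", "crm": "disabled",
                          "social": "active"}},
}
# Constructed sample events: (timestamp, user, service, action, file_count)
EVENTS = [
    (datetime(2024, 2, 27, 22, 10), "jdoe", "fileshare", "copy", 1800),
    (datetime(2024, 2, 28, 9, 5), "jdoe", "crm", "login", 0),
    (datetime(2024, 3, 2, 8, 30), "jdoe", "social", "login", 0),
    (datetime(2024, 3, 3, 1, 15), "jdoe", "email", "login_failed", 0),
    (datetime(2024, 3, 3, 9, 0), "asmith", "crm", "login", 0),
]
BULK_THRESHOLD = 500                  # assumed: files per event considered "mass"
PRE_EXIT_WINDOW = timedelta(days=14)  # assumed look-back window before exit

def review_offboarding(inventory, events):
    """Return (finding, user, service) tuples for a leaver review."""
    findings = []
    # 1. Shut down accounts: anything not disabled is still a live door.
    for user, rec in inventory.items():
        for service, state in sorted(rec["services"].items()):
            if state != "disabled":
                findings.append(("ACCOUNT_STILL_ACTIVE", user, service))
    for ts, user, service, action, count in events:
        rec = inventory.get(user)
        if rec is None:               # not a tracked leaver
            continue
        # 2. Plan ahead: a service seen in logs but absent from the inventory
        #    would have been missed during shutdown.
        gap = ("UNINVENTORIED_SERVICE", user, service)
        if service not in rec["services"] and gap not in findings:
            findings.append(gap)
        # 3. Active monitoring: any attempt after exit, success or failure.
        if ts > rec["left"]:
            findings.append(("POST_EXIT_ACCESS", user, service))
        # 4. Bulk copy or delete in the run-up to the exit date.
        elif (action in ("copy", "delete") and count >= BULK_THRESHOLD
              and rec["left"] - ts <= PRE_EXIT_WINDOW):
            findings.append(("PRE_EXIT_BULK_" + action.upper(), user, service))
    return findings

if __name__ == "__main__":
    for finding in review_offboarding(INVENTORY, EVENTS):
        print(*finding)
```
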

Locking Down the Fortress

At the end of the day, when employees leave, you want to make sure they can’t harm the organization. Most employees are on the level, but it’s the few who aren’t that you have to worry about. But when you put the proper controls in place and take the right steps, you can drastically reduce the risk of a breach.

 

While it’s important to offboard your customers’ employees properly, it’s perhaps even more important to take the proper precautions for your own MSP’s employees. One bad employee could compromise multiple customers and seriously harm your business (and theirs). SolarWinds® Passportal can help you during the employee offboarding process by allowing you to quickly shut off access to services for employees’ accounts. Additionally, it helps you enforce strong password policies in your MSP practice. Learn more by visiting the site today.

Colin Knox is head of community engagement, SolarWinds MSP
