IT Considerations When an Employee Leaves
The two most interesting times in any employee-employer relationship are the employee’s onboarding and departure. One is a time of excitement and opportunity; the other, a time of change and potential concern.
Employees leave for many reasons, but regardless of the reason, they have spent time in your company’s environment, where they have had access to some level of your IT systems. A basic problem companies have with IT and departing employees is an inherent trust that grows over time with our co-workers.
The most critical period in preparing for an employee departure, interestingly enough, is well before a worker is hired. The second critical period starts a few days before the employee leaves and extends to a few days past the worker’s departure.
Even before you hire a new person, several things should already be in place:
• IT onboarding checklists and policies should have been prepared and should be required for every new employee. These lists and policies should define the IT access levels the employee will receive (based on his or her new position in the company), as well as the IT facilities that will be provided (e.g., computer, mobile device, tokens).
• You also need to create employee departure checklists and policies. While these won’t be used when an employee begins work, you shouldn’t wait till the day of a worker’s departure to figure out what needs to be done to unwind that individual’s IT presence from your company.
The value of prepared lists and policies is twofold. First, well-established procedures prevent essential pieces of the IT puzzle from being overlooked. Second, and just as important, disgruntled employees are less likely to claim they were treated unfairly when put through a rigorous exit procedure.
Some tasks that should be part of your onboarding and departure procedures include the following:
• Make a list of IT assets the employee has in his or her possession (e.g., keys, computers, mobile devices and security devices such as tokens) and keep it current.
• Record login access to all internal IT systems with the employee’s login name. Don’t forget external systems, such as email, phone systems and bank accounts.
• Record login access to all external IT systems that the employee can access. Don’t forget “softer” systems, such as company social networks (e.g., Facebook, LinkedIn, Twitter). Many companies use a single login for these social systems and share it throughout the company. As a result, these systems are often hacked months after an employee leaves. Consider using or change the passwords when an employee leaves.
• Inform both internal and external IT vendors of the employee’s departure to avoid unauthorized usage. Did the worker have access to external vendor systems? If so, your company would be liable for any problems created by your former employee.
• Check the employee’s computers and all computers to which the individual had access for key loggers and malware. These spyware systems are easily installed, almost never considered, and can be sending company information to a hacker on a daily basis.
• If the employee had administrator access to IT systems, check for alternative logins and backdoors that the worker might have set up for unauthorized access. There are many “hidden” systems and devices that require login access (e.g., routers, firewalls, intrusion prevention systems) that provide the basis of your perimeter (network) security. Be sure the departing employee no longer has access to these systems and devices.
Build your company’s IT security on a need-to-access policy, not on a freedom-of-information approach.
Many companies provide far more IT access than an employee needs. The more access to IT systems a worker is granted, the harder it will be to sort out what threat that person might pose to company systems.
Companies should look toward the IT future (when the employee leaves), as opposed to providing blanket access. Always remember that an employee with system administrator rights owns your IT world—even after he or she leaves.
Employee departures should be an exercise in checklists and procedures. It is imperative that the departing employee’s IT presence in the company is entirely removed before he or she walks out the door for the last time.
Tell the IT department an employee’s departure date as soon as it is known. The complexity of unwinding an employee’s IT presence sometimes requires days to complete, and the staff to perform the IT removal may not be available immediately.
Trust is a wonderful quality, but don’t ever forget that it takes only one unhappy employee to wreak havoc on your business.
Alan Wlasuk is CEO of 403 Web Security, a Web application development company. He is a Bell Labs Fellow award winner with 18-plus years’ experience building secure Web applications.