Avoid access blunders when offboarding employees
When people quit or are terminated, it's up to HR to make sure that they no longer have access to your organization's digital, financial and physical resources. Make sure your employee offboarding processes don't skip over these major security risks and potential liabilities.
Security – both physical and digital – is a growing challenge for organizations of any size. As the news too often reminds us, disgruntled employees can expose your company to potential data liability, cyber crime, financial trouble and even, in rare but tragic cases, physical danger.
It’s a weird, strange world out there, and human resource professionals know that only too well.
Let’s talk about a known trouble spot for HR and IT departments alike – the employee offboarding procedure. We all know the old trope of security escorting the disgraced employee out the door as he clutches his cardboard box full of family photos and dirty mugs.
In real life, it doesn’t end there. When an employee leaves, they could also leave behind gaping security risks and potential liabilities – digital, financial and physical – that are possibly overlooked in your offboarding process.
Let’s break it down.
Limiting financial exposure
Collecting office equipment – tablets, laptops, company issued phones and the like – is of course part of the process too. So is asking them to hand back any company issued credit cards.
But just because you have that card in hand, don’t assume it ends there. The offboarded employee may have used it for ongoing subscriptions, have orders pending, or even try to use it online after the fact. Remember, they don’t need the actual card to book airline tickets to Cozumel – if they have that card saved in their Travelocity account, you could have a problem. In this sense, solutions for virtual credit cards for business, like those offered by Spendesk, can be extremely helpful, as you can revoke accounts with just a few clicks.
The Association of Certified Fraud Examiners’s 2018 Report to the Nations found that payment tampering, billing and theft of noncash assets were the most common and costliest types of fraud schemes that organizations sustained last year.
Source: Association of Certified Fraud Examiners
HR needs to be ready to close any access the person has with banks, online payroll accounts and other financial systems. Simply removing their access to their corporate email (while it’s definitely one of the first things you need to do) is not enough in the age of BYOD.
Don’t overlook any external stakeholders, either. If the employee interacted with key customers or vendors, these people should be notified of the change in status and told whom to contact in the future. Make it clear that the employee who is leaving has no authority to do business with them on your company’s behalf. Ask if there are any orders pending, and be sure to review them carefully.
Closing the digital gaps
A growing threat that too often flies under the radar during offbarding is employee access to software as a service (SaaS) applications.
When an employee leaves, it’s far too easy to overlook what access they have to web apps. Simply closing their work email account isn’t a surefire solution. Especially as more employees are using their own devices for work (the so-called “Bring Your Own Device” movement, or BYOD), they may have access to those apps with a personal account that stays open after they are locked out of the work email.
According to 2018 Gartner research, 75% of companies will be running exclusively on Software as a Service (SaaS) apps that are managed and hosted on IaaS (infrastructure as a service) and PaaS (platform as a service).
Gartner reports that SaaS remains the largest segment of the cloud market; revenue is expected to grow 17.8 percent to reach $85.1 billion this year, and there’s no foreseeable downturn. With good reason too; SaaS can help control software costs, boost productivity, and make remote work possible.
But because SaaS products are largely selected and adopted on a self-service basis, the IT department has lost visibility – and therefore control – over who is using these apps.
Finding and shutting down those digital access points is one of the more crucial (and at the same time tedious) tasks for HR and IT. You can’t revoke what you don’t know. A SaaS management tool like Torii can help you find and eliminate those gaps, by providing at-a-glance info on who is using what app, and an easy way to remove user access, using automated workflows.
Shutting the physical gaps
Now we come back around to the poor guy walking out the door with his cardboard box. Keys or key cards must be collected, and the Facilities team must be notified.
Don’t overlook mobile keys; many companies are moving to phone apps instead of key cards. The access must be shut off at the source as soon as the person leaves.
Please note: If you believe someone poses a true physical risk, follow your written HR procedures, talk to a security expert and get your legal department involved.
Get serious about an offboarding process
With employees quitting in record numbers, HR teams are facing more challenges from more directions, than ever. According to U.S. Bureau of Labor Statistics data cited in a report from Mercer, it’s a great time for job seekers.
Image source: U.S. Bureau of Labor Statistics
The best way to keep your sanity and protect your company is by implementing formal offboarding procedures and utilizing the right tools to manage it all. Each department in your organization, from HR, IT and Legal to Facilities, Sales and Marketing, has specific touchpoints with employees. Those touchpoints turn into gaping holes once they leave.
Make it a practice to notify every department when someone leaves; each department will have their own procedure that kicks.
As SaaS becomes more firmly entrenched as “the way we work,” the problem of limiting access and vulnerability is only going to grow too. Closing those gaps means taking back control, and that all starts by establishing a procedure that’s built around visibility.