Information Technology professionals are truly essential resources for the day-to-day operation of your business. It's critical that you build a strong team of experts, whether insourced or outsourced, and that they be managed and supported effectively. At the same time, IT personnel are not the only employees who may have significant access to company IT resources. Email accounts, document files, enterprise applications and more are all typically exposed to some extent with virtually any employee.
Although we like to think that most people are honorable and would not engage in nefarious actions upon being terminated, we also know that the risk of such actions is higher than it should be. Specifically, nearly a quarter of small and middle market companies have indicated that threats from ex-employees are of greater concern to them than outside attacks, hacks or phishing attempts.
That's why properly managing each employee's IT access is so critical, and that begins not when you plan to terminate them -- but when you hire them.
For example, using provisioning software and single sign-on (SSO) tools can allow you to directly turn on and off some or all online access points for a given employee instantly. This is essential to rapidly onboarding them, and it's critical for offboarding as well.
Another valuable resource is structured use of two-factor authentication (2FA), which is typically tied to a person's cell phone number in the consumer world. Of course, we don't want that to be the case in the enterprise, so companies such as Cisco Duo have developed systems that allow for controlled 2FA that is managed centrally within the company.
Moving on from the process of onboarding a new employee, we need to consider the appropriate steps for offboarding an employee -- whether their departure is voluntary or involuntary. Keep in mind that even a voluntary departure may not be without risk, so all departures should be treated similarly.
Key steps to take include the following:
1. Make sure to have a written procedure for the termination process so that there is a checklist with approval steps in place.
2. It must be clear who is authorized to determine that an employee will be terminated, or to accept an employee's voluntary resignation.
3. The IT department or team needs to be notified prior to the actual termination activity taking place, and they should be told the date and time of the meeting (in cases of involuntary termination).
4. Yet again, IT should be notified formally when the termination meeting is actually beginning. It is during the termination meeting that IT will actually disable the individual's access to systems, software, applications, email, file servers and more. Also, IT should include physical assets in this list (laptop computers, building key fobs, access passes).
5. If the physical assets are to be collected during the meeting from the employee, then it is recommended that the manager leading the meeting be given a checklist and systematically review and check in each physical asset.
6. After these steps are completed, the now-terminated employee should be walked to the door and sent home.
It is understandable that employees may have personal information commingled with business data on company-issued devices or in company-controlled accounts. If the terminated employee asks about this, they should be told to document what information needs to be retrieved, and assured that the company will do its best to retrieve the information on their behalf in a timely manner.
After these steps are completed, it's also important to make sure that all access codes or PINs are updated, replaced, revised or reconfigured so that the terminated employee does not have lingering access to company systems or facilities.
By taking these steps, you can be confident that your team has taken appropriate precautions and that your business is well-protected from insider threats associated with employee terminations, through effective actions taken both pre-hire and post-termination.
Want to learn more about how you can better protect your company's valuable technology assets and resources? Contact the team at Dymin today.