Departure of an employee: what are the security risks and how to prevent them?

Nowadays, most recruitment processes include an onboarding stage, an essential stage aimed at facilitating the arrival of a new employee within the company. This presentation generally includes a cybersecurity component including a presentation of the company's security policy, a reminder of the IT charter and a cybersecurity awareness program and reminder of good vigilance practices .

But what about when an employee leaves? Offboarding processes are generally less well provided when it comes to cybersecurity. However, the departure of an employee is a key step for the security of an organization, and this at several levels. What are the security risks linked to the departure of an employee, in particular during conflictual offboarding? How to prevent these risks?

Offboarding originally falls under the vocabulary of human resources . This word refers to the procedure for the departure of an employee from a company, both in the case of a voluntary departure and a forced departure. Offboarding is opposed to onboarding, a stage in the integration of new employees within the company.

Far from being a simple checklist of actions to be carried out, offboarding makes it possible to calmly manage the departure of an employee, through several key actions, such as the departure interview, the delivery of professional equipment (IT , in particular), the cut off of computer access ... In the context of the recruitment difficulties that many sectors are currently experiencing, HR departments agree that the departure process is just as important for the employer brand as the onboarding process.

The Importance of Offboarding for Business Security.

Beyond the HR aspect alone, IT offboarding is of strategic importance for the security of a company, especially in the case of employees with access to sensitive data or confidential information.

While some thefts of data by former employees can be qualified as accidental (some people not being aware of doing something illegal and dangerous from a computer security point of view), other actions are clearly intentional . The news regularly echoes this. In 2018, a former Tesla employee was charged with sabotage and theft of confidential images.

Immediately revoke access and deactivate accounts

One of the first actions to be taken following the departure of an employee is to immediately deactivate the various accesses to the IT tools available to him through an access directory (Active Directory, LDAP) or individually if the service does not is integrated into any directory :

• professional email,
• Office suite,
• Data storage spaces,
• Intranet,
• Collaborative Messaging,
• professional social networks,
• business applications, etc.

Most of these tools are now hosted in cloud mode and therefore accessible remotely. If these different accesses are not revoked when the employee leaves, the latter can still access them and potentially make malicious use of them (theft or deletion of data, for example), likely to harm the company.

During the offboarding process, the service IT must also ensure that the employee returns all the terminals and data in his possession ( laptop and professional smartphones, but also possibly USB keys, external hard drives, etc.). In order to avoid the departure of the employee with the material of the company, it is judicious to arrange an appointment.

These two steps (deactivation of accounts and return of professional equipment) are intended to protect sensitive company information and prevent unauthorized access to its data.

Take advantage of the departure of an employee to go even further?

Access management is far too important to be dealt with only when an employee leaves. This moment can be an opportunity to review the accesses of other employees by applying the principle of least privilege. The goal? Ensure that users have limited access rights, linked to the missions incumbent upon them within the framework of their functions.

The protection of company systems and data must be the subject of continuous attention such as in the identification of non-compliant behavior ( Shadow IT ) or the storage of company data on personal accounts in the cloud . These actions ensure that all required measures are in place to protect company systems and data.

What are the risks of revenge?

In the case of a conflicted departure, there is always a risk that the disgruntled employee will try to harm his former company, whether that means stealing and then disclosing confidential and/or sensitive information or causing damage to company systems. Stolen data can be published on the Internet, disclosed to competing companies or simply sold.

These data leaks are common and can cause a lot of damage to the company: reputational damage, legal consequences for the company that failed to protect the data for which it was responsible, etc.

How to prevent these risks?

The most obvious way to prevent these risks is to create and maintain a positive work climate and open communication with departing employees, in order to avoid conflict situations. Communication must also be conducted with other employees to inform about future departures.

The cyber component of offboarding must be handled jointly by the HR and IT teams, by formalizing a procedure. Too often, IT teams are unaware (or too late) of departures within the company. Creating documentation relating to the offboarding process (risk assessment, implementation of security measures) is nevertheless a necessity.

When this preparation is not sufficient, additional security measures can be put in place to protect the company's data in the event of a conflicting departure. For example, these may be alerts when an employee copies a very large amount of data, moves a confidential file, transfers an abnormal number of professional e-mails to their personal mailbox or even makes an access request when that he left the company.

Finally, the prevention of internal threats requires the implementation of an access management policy limited to what is strictly necessary, both concerning the management of identities and access (IAM, Identity and Access Management) and the management of privileged access . (PAM, Privileged Access Management ). There is no point in letting certain employees access sensitive data if this is not justified by their function.

IT teams already have a lot to do with cyber threats coming from outside. Might as well do everything to neutralize threats from revengeful ex-employees. Various security measures make it possible to secure offboarding and prevent the risk of revenge from a disgruntled employee: revoke access, recover company terminals and data, set up security alerts. Addressing the issue of offboarding from the perspective of cybersecurity is far from being anecdotal. Data protection and company reputation are at stake.