Top risks and best practices for securely offboarding employees

Employees won’t work for the same organization forever and dealing with their departures is just part and parcel of business. But the security risks posed by departing staff can be significant. Without secure off-boarding processes, organizations expose themselves to a variety of cybersecurity risks ranging from the innocuously accidental to the maliciously deliberate.

High turnover rates and layoffs only add to the offboarding security pressures, with potentially large numbers of employees exiting organizations, sometimes at short notice. CISOs, security teams, and relevant businesses functions should regularly review their offboarding processes to pinpoint potential risks and vulnerabilities, addressing key factors to ensure offboarding strategies remain secure amid evolving cyberthreats and workforce patterns.

Here are some of the biggest risks outgoing employees pose to organizations, the challenges CISOs typically face in securely offboarding workers, and some tips that can help make offboarding strategies more resilient. 

Top employee offboarding risks

Data theft 

“Easily one of the biggest and most commonplace data security risks of outgoing employees is data theft,” says Jaya Baloo, CSO at Rapid7. “Employees may either deliberately or accidentally take corporate information with them, whether it’s self-developed code which may constitute corporate intellectual property, data that would be considered company confidential, or even customer data.”

The most well-known example is the classic tale of a salesperson leaving and taking the company’s customer list with them, says James Bore, a security hygienist and consultant. “Even where contractual clauses try to prevent this, it can be extremely hard to prove, and no one wants to get into the legal cases that are involved.”

Disgruntled leavers becoming malicious insiders

Employees who have been given a departure date can become disgruntled and develop a grievance against the organization, making them malicious insiders, Paul Holland, principal research analyst at the Information Security Forum, tells CSO. The risk here is compounded as the employee knows they are leaving before anyone else in the organization, which could enable them to perform malicious acts such as data extraction, data manipulation, data destruction, or installing malware/backdoors before anyone has any suspicion or realizes what is going on.” This could potentially go on for months before they eventually leave.

Staff working during their notice period are also often less attentive to their work and more prone to making mistakes that could disclose data. “Employees using multiple applications can quickly experience password fatigue, using easily guessed passwords, sometimes stored in unsecure locations,” says Omdia senior analyst Don Tait. When they depart, these threats can leave the organization open to attack, and vulnerable to delayed discovery and response.

Shadow IT, SaaS usage

Shadow IT and information systems that aren’t part of a business’s identity and access management (IAM) architecture are a huge risk to successful, secure offboarding, says Richard Jones, global CISO at Orange Cyberdefense. This is magnified for cloud and SaaS systems/applications that don’t require specific network access or physical presence in an office, with IT teams often unaware of the extent of employees’ SaaS usage. “Without being part of an IAM architecture and or zero trust approach to access management, these cloud systems will inevitably lead to access beyond the termination of employment.”

Another challenge is managing software asset licenses. If employees aren’t properly offboarded from cloud system licenses this can lead to excessive IT costs as well as security risks, as licenses are often changed per user, per month, Jones says.

It’s not just the risks of outgoing employees themselves that CISOs need to consider. “In most cases, mass layoffs cause remaining employees to be concerned about their job security, which can increase insider threats and introduce security gaps caused by unintentional negligence,” says Mohan Koo, CTO at DTEX Systems.

IT and HR out of sync during offboarding

CISOs and their organizations face diverse challenges in securely offboarding employees. “This is mostly because the process where HR needs to notify IT teams is not always foolproof; it is often complex and not completed in a timely fashion,” Baloo says.

This can go wrong because teams don’t appropriately understand the level of risk, which is different for every departing employee, becoming more complex when larger numbers of employees leave at the same time, she says. “CISOs also need to tread carefully and make sure privacy and compliance concerns, which vary globally, are adhered to when offboarding employees.”

Access not removed in a timely, thorough manner

The biggest challenge CISOs and their businesses face is removing access in a timely and thorough manner, says Duncan Casemore, CTO and co-founder of HR technology firm Applaud. “It can be tough for businesses to map out all the permissions an employee has once had, especially for those with longer service or who had administrative responsibilities.”

Dispersed users and the increased number of remote workers add to difficulties, accelerated by the COVID-19 pandemic and people working from home. “This presents challenges for CISOs and organizations around identity, authentication, and access. Employees will have multiple logins, which need to be stored, secured, and updated in the event of a resignation,” Tait says.

It’s also a tremendous challenge if entire critical infrastructure segments are tied to an outgoing individual, says Alexander Applegate, senior threat researcher at DNSFilter. “For example, all of the automation scripts that keep a key system running smoothly are often a tangled nest of dependencies where a specific set of credentials or requirements are hard-coded.” This is because a development effort was just a quick fix that was neither robust nor held to configuration management standards.

Data location and sprawl is another consideration for CISOs to think about. “CISOs need to factor in the varieties of data that are now being managed — some of this data will be sensitive and confidential,” says Tait. The data may be stored without encryption, locally on unsecured home devices and the connections may also use home Wi-Fi. CISOs may have to deal with poor visibility of data, too. “It is becoming harder to keep track of external sharing and permission settings set by departed employees.”

Best practices for offboarding employees

Create a strong onboarding process

If you’re only activating security measures at the point of an employee’s departure, you’re probably too late. “Secure offboarding of an employee arguably begins at the point of induction — or even at signature of an employment contract,” says Michelle McCarthy, head of Asia Pacific at information security compliance firm ISMS.online.

Onboarding is the inverse of offboarding and is an opportunity to capture an inventory of physical and digital assets the new employee has access to. It’s also a chance to set boundaries around use of data within the business and stress the importance of keeping systems up to date, Casemore says.

Organizations must implement a thorough process for onboarding new employees that includes managerial approval for accounts and access to sensitive systems or data. The process should include steps to ensure that access is reviewed periodically and that any changes in necessary permissions are communicated, documented, and actioned promptly, says Dave Stapleton, CISO at CyberGRX. “Without these processes in place, terminations will inevitably be less efficient, and will likely introduce the risk that access is not properly deprovisioned.”

Engage in proactive, interdepartmental collaboration

As layoffs continue to increase insider risk for enterprises, proactivity and collaboration between HR, IT, and other key stakeholders is becoming more critical than ever before. “To prepare for potential risks, enterprises should designate a specific committee that is notified of impending layoffs as far in advance as possible to prepare for the potential fallout,” says Koo. This will push key stakeholders to proactively think about how they can stop risks from turning into threats – whether through education, awareness, or policy change. It also allows for alignment with HR and legal teams in respect of what is and is not possible to do with employees who are leaving, from a contract and legal perspective.

HR and IT are fundamental to designing processes that are scalable and automated across the wider business. This allows for timely and thorough removal of an employee’s access to systems and data, and removes the risk of human error, says Casemore.

Ensure clear visibility of employees’ SaaS usage, permissions

With SaaS booming, proper visibility into all SaaS usage of departing staff is increasingly important, and without knowing which SaaS applications have been used and granted permissions into company data by a departing employee, you cannot disconnect them. “SaaS usage is a unique case on the one hand, yet highly common on the other hand. Most companies today have all or most of their assets in the cloud. Trouble is, most of the employee’s SaaS usage goes completely unnoticed by IT and security teams,” says Wing Security’s head of threat intelligence, Yoav Kalati. Put together a list of all cloud/SaaS platforms utilized by your organization and what access levels employees have, and then aim to continually keep this up to date.

The emergence of a technology called cloud permissions management (CPM) — something Gartner refers to cloud infrastructure entitlements management (CIEM) — can be useful here. It discovers all the permissions to cloud assets that a given identity within an organization has accumulated, enabling the company to curtail or remove them as it sees fit, Tait says.

Monitor for unusual, risky behavior of outgoing staff

User entity behavioral analytics (UEBA) and monitoring is one way to mitigate the risk from an outgoing employee, with unusual patterns or activity spotted and then be addressed, says Holland. “A change in pattern of downloading tranches or data would likely flag that something odd was happening and could be dealt with.”

Organizations should continue to monitor activity for at least a few weeks after the individual’s departure to stay ahead of potential threats or data loss scenarios. “Establishing a real-time forensic audit trail will offer the transparency and oversight needed to develop more effective and efficient threat management programs without infringing on employee privacy,” says Koo.

Retrospective monitoring can also be useful but needs to be included in contracts to make sure there is permission granted for the process. Once someone hands in their notice, then a retrospective check of activity, downloads, or emails should be reviewed to see what may have occurred and identify any potential risks, Holland says.

Secure corporate assets, devices, credentials

Securing corporate assets that have been in an employee’s possession throughout their tenure may be challenging in the era of hybrid work, but it is highly important in tackling offboarding risks. “There are instances where devices are never returned to an organization and aren’t fully wiped of contents associated with the business. The same goes for other removable assets containing corporate IP,” says Koo.

Retrieve all the departing employee’s devices and terminate any BYOD network access that may have been permitted. Enforcing device lockdowns on file uploads to personal webmail, file-sharing sites, and USB ports ahead of layoffs is a great way to curb the potential data loss that can occur after announcing a reduction in headcount.

Overlooking this can result in sensitive information being taken and utilized by competitors. It could also result in assets being utilized for nefarious activities such as torrenting, pirated media, and Bitcoin mining. Turning off single sign-on (SSO) can stop users gaining access to their applications and devices, while any privileged account passwords should be reset, and main directory account access should be removed.

It’s also important to keep track of shared accounts and credentials between the employee and other members of the organization to ensure passwords are updated immediately, Koo says.

Handle the leaving process delicately, with transparency

Delicate, tactful handling of any leaving process can go a long way to limiting some of the risks posed by departing workers. Whether someone’s been with the company for a week, or a decade, potential is there for a poorly handled offboarding process to turn them from the friendliest employee into a genuine threat out for revenge. “The way to deal with this is very rarely to layer on security, instead you need to ensure clear communication, transparency about reasons for things, and work to make the offboarding process a positive and collaborative one,” Bore says.

A common practice is to make secure offboarding abrupt, but this can lead to internal gaps and, more dangerously, disgruntled staff who feel hard done by or rushed out the door. “If the response to someone handing in their notice is telling them to pack their desk and escorting them out of the building, you’re applying good security practice in theory, but in reality, you may be creating a threat. Offboarding needs to be handled delicately and appropriately to the context,” Bore says.

It’s good to encourage HR to conduct exit interviews with all departing employees to gain insight into the employee’s attitude and understand whether or not they pose potential risk to the organization, Bayo says. “Finally, make sure that employees are well trained and educated in having good outgoing data security habits and understand that they are the first line of defense to protect the organization.”