Employee departures can be tough, especially if the individual was connected throughout your company’s online network. In today’s business environment, almost everything is done electronically, giving lots of opportunities for employees to make their mark on the company’s system. Making sure that past employees no longer have access to your work-related information after they leave the company can be a pain, but is extremely important in maintaining the security of your technology. Ideally, disconnecting employees that are leaving should be done in a timely manner and very carefully. Aside from all of the boring paperwork and technicalities of handling an employee who quits or is fired, the IT side needs mindful supervision and consideration.
Work Emails and Other Accounts
If a company leaves an employee’s accounts active and accessible to the employee after that employee’s departure, they are putting the company at severe risk. That former employee could still have access to their work email, which they could use to do something malicious like steal customers from your business, poison deals in the works, or spread private information about your company in a vengeful manner. Also, a more innocent but still important problem that could occur- clients who don’t know that a certain employee has left your business may still send emails to their email address where they will not be seen, leading to potentially lost deals and/or poor customer service. Being mindful of potential issues like these is crucial when dealing with an employee who is leaving so things don’t inadvertently fall through the cracks.
To avoid these issues, the passwords of their emails need to be changed as soon as it is possible so that the employee can no longer log in. You can also set up all of the emails sent to the former employee’s account to forward to a current employee’s email account rather than deleting the account in order to not miss important emails. Doing so allows you to ensure that all emails sent to that employee are still seen by someone active at the company and addressed appropriately. You can also set up autoresponders on their email, meaning that anyone who sends that account an email will receive an automatic response. In this response you can explain that the employee is no longer with your company and suggest another email to which they should send emails. The email account must remain active, but as long as the password has been changed, the former employee will no longer have access to any new activity.
Additionally, any sort of application that your employees log into for work purposes should follow similar protocols, particularly if it’s a web-based application that can be accessed from any computer; think of sites such as social media sites, your company website, recruiting applications, customer relationship or accounting sites, cloud-based file sharing, remote access tools, and so on. Any sort of account that the employee had access to needs to have its log in credentials changed, or that individual’s credentials removed, as soon as possible after the employee’s departure, including any banking, credit card, payroll, finance or loan accounts. And don’t forget to update your phone system extension tree or auto-attendant, plus remove voicemail log in, and update any fax or printer tracking programs. Other active employees in the company may still need access to the accounts to sort out future work endeavors, but the former employee should not have access to the account under any circumstances.
Other Considerations, Including Saving Money
You may think that if the former employee no longer has access to your building, there is no need to update your network with new or removed credentials. But, if your employee ever used their personal devices to log in to work accounts, the accounts may remain logged in on their device even if unused. Therefore, if that employee were to run across any malware that affected their personal device, your company security could still be compromised. The apps on their device are even more at risk if they aren’t up to date, which would likely be the case if they were sitting dormant on their device – the employee may not even remember that it is there. A cybercriminal could access their work account and possibly gain access or control of more.
Company cloud accounts are often utilized by employees today, where one individual often has access to several different cloud applications. If an employee still has access to that information after leaving the company, either they themselves or a hacker could potentially steal or delete important company information. Maliciously or innocently, sensitive data could be at risk if the account isn’t secured.
Plus, if you leave an employee’s status as active after they leave the company, you could accidentally be paying for non-active users for any service you use that charges you on a per-user basis. Most cloud-based programs charge this way. Old accounts could mean more unnecessary charges. Disabling a former employee’s access to cloud accounts or other remote login accounts could save you a bundle. Make sure to change the account password, as well as check the previous activity on the account to keep track of what they had been doing. You can then migrate the data from that account to another user and safely delete the former employee’s account.
Protecting Your Company and Assets
Some monitoring software could allow you to acquire information on the activity of the former employee’s account, and make sure no unusual activities occurred before their departure. Any sign of that employee attempting to access unauthorized data or accounts, install software, copy files (particularly in bulk), or any other unusual online behavior should be cause for alarm, and in some cases, even legal action.
The last, but certainly not least, step to remember is making sure all company property is returned before the employee’s departure. This includes any company owned laptops, computers, phones, tablets, etc. Make sure that the employee no longer has access to these items, and that the devices are secure once they are returned. Look out for malware or any other suspicious activity on these devices. This also means that access controls, such as passwords or key cards, to certain rooms or buildings should be changed or disabled following an employee departure. And, informing all staff that that employee is no longer with the company is an important step in protecting your company.
We all hope that relations with departing employees remain respectful, friendly and professional, and most of the time they do. But sometimes that’s not the case. And in either case, you just can’t be sure that the former employee will log out of their work accounts on every device that they ever used them on, or that they will leave the accounts alone once they leave the company, so taking care of everything you can on your end is an absolute must. Making sure everything is taken care of can be complex and confusing, however, which is why having a trusted IT partner is so important. Blue Oak Technology Solutions could help you with every step of this process to help avoid missed steps.
Read our previous post here: The Dangers of Recent LastPass Data Breach and Potential Spear Phishing
