Offboarding Staff Securely: Best Practices in the Extended Workforce Era

With unsupervised IT offboarding processes for exiting interns -- or any former employee, really -- may still be able to access and use SaaS applications and data from their previous roles leaving businesses unknowingly open to security risks.

When former employees aren't offboarded from every cloud application they used at a company, they can access all the information -- including business-critical and confidential material contained in those apps -- anytime they want, often without anyone at the company realizing it.

While IT leaders are often aware that this problem exists (76% of IT leaders agree or strongly agree that employee offboarding is a significant security threat) many don’t know where to start when it comes to solving it.

Uri Haramati co-founder and CEO of Torii, explains that compliance, legal, IT security and HR teams must work together to craft their offboarding policy, with IT taking the lead on developing an automated, secure, and reliable process.

He says that IT leaders are best equipped to root out cybersecurity threats when it comes to SaaS since their teams are responsible for managing roles and application access enterprise-wide, as well as for automating tasks and systems.

“They need visibility into all SaaS app usage and users, and a way to integrate offboarding with HR systems to trigger deprovisioning from all apps when employees, contractors and interns leave their positions or end their engagement with the company,” he says.

IT Leaders Play Critical Role in Secure Offboarding

Darryl MacLeod, vCISO at LARES Consulting, an information security consulting firm, agrees that IT security leaders play a critical role in creating a secure off-boarding policy.

“They are responsible for understanding the risks associated with improper off-boarding and for developing controls to mitigate those risks,” he says. “The leadership team is responsible for setting the overall direction for the company, and the IT security team is responsible for implementing and enforcing security policies.”

He admits the process can be complex and time-consuming, and many organizations lack the resources or expertise necessary to properly implement a secure off-boarding policy.

MacLeod adds that organizations may also not be aware of the risks associated with improper off-boarding, or they may underestimate the potential impact of a data breach.

“One of the top cyber risks from improperly off-boarding employees is that they may retain access to company systems and data,” he explains. “This could lead to a data breach if the employee tries to sell or misuse this information, which can lead to reputational damage if they share negative information about the company online.”

Other risks include social engineering or phishing attacks, which could include customer data, financial information, or intellectual property.

“If this data falls into the wrong hands, it could be used to commit fraud or other crimes,” he warns.

Workforce Decentralization Adds to Offboarding Complexity

Thanks to the decentralization of work caused by the pandemic, as well as how incredibly easy it is for anyone to purchase or use free cloud apps, employees are subscribing to SaaS applications at record rates.

Torii’s data shows that companies unknowingly add 10-20 new applications each month to their stack – most of which are procured by people outside of IT, without IT's knowledge.

“If IT does not know these applications exist, or that they have company data flowing through them, how can they possibly offboard employees from them?” Haramati asks.

According to the company's data, individual employees have access to about 30 different SaaS accounts on average, all of which need to be closed out when they leave the company for security, compliance, and cost-saving reasons.

“But without proper SaaS management and automation tools, IT is at a severe disadvantage,” he says. “Offboarding remote workers is no longer as simple as collecting hardware and conducting an exit interview – especially given that employees can be anywhere, accessing applications from virtually any device.”

MacLeod says the remote work revolution has made secure off-boarding more complex because employees can access company systems and data from anywhere in the world. “This makes it more difficult to revoke their access and ensure that all company data is removed from their devices,” he explains.

To address these challenges, organizations need to have a comprehensive off-boarding policy in place that covers all potential risks. They should also provide employees with information about how to securely dispose of any company data they may have on their devices.

“It is vitally important to protect sensitive data and company information from being leaked when employees leave the organization,” MacLeod says. “While some may see secure offboarding as a hassle, it is a necessary part of protecting your organization.”

Automation, Deprovisioning Key Offboarding Tools

From Haramati's perspective, the only way application offboarding can truly work and minimize cybersecurity risks is if it considers every single cloud application in the company (and every single person who has access to them) and enables centralized visibility to all this information.

The offboarding process must also tie into HR systems so personnel data is accurate and should be automated so staff bandwidth is never an issue, and nothing falls through the cracks.

Another best practice would trigger deprovisioning as soon as a person's tenure with the company ends, or their position at the company changes and they no longer require access to same applications and data.

“This month is the end of intern season for most companies, which means that leadership needs to offboard a significantly greater number of users from laptops, security systems and applications,” Haramati says. “Plus, with today's economic volatilities and company layoffs, there are more potentially dissatisfied former employees who can access corporate data.”

What to Read Next:

DevOps and Security Takeaways From Twitter Whistleblower Claims

How Cyberattackers Are Cultivating New Strategies and Reconfiguring Classic Gambits

Dealing with Disgruntled Employees