Security Considerations When Employees Leave
With the increased use of external websites that store data, personal mobile devices used for work, and the rising trend of employees working outside the traditional workplace, you need to ask yourself: are you doing enough to ensure the security and confidentiality of your own and your customers' information?
When an employee leaves a business, it is imperative that a process is followed to de-provision access to the systems they may have used. Here a problem arises: it is likely that the company has not kept sufficient records of what information the now ex-employee could access, and as such will likely miss one or more areas that the employee can still access.
As an example, have a look at some access rights that an employee may begin with and gain over their tenure with your business:
- Internet Access
- Internal WiFi Access
- Domain Access
- Security/Alarm access codes
- Website Passwords
- Social Media Passwords
- Credit Card Details
- Car Keys
- WiFi access
- Stored login information on personal devices
- Cloud Account login information
- USB backups held offsite by that employee
- VPN Details to connect to the internal server
- Knowledge of other employees' usernames and passwords
The more information given in confidence to an employee, the more work needs to be done to remove that employee's access, leaving the whole termination process liable to human error. It is vital to ensure that employee access to systems and data is de-provisioned completely and on time to protect your business.
Simple Steps: Begin with provisioning and recording
Once a decision has been made to hire an employee for a certain role, their access rights, hardware requirements and external access should be determined prior to their start date. This information needs to be recorded consistently, and an approval process needs to be in place for any security-related process or device.
Using a hardware or software solution, you should enable enough security to prevent users from using their own file sync solutions (e.g. Dropbox, Box, etc.). The same applies to USB devices: implement hardware or software restrictions to ensure that they can only be used with the right approval.
If users have private work information or data on a mobile phone, implement a device management system that supports the remote wiping of data on mobile devices – this includes tablets. An extra measure would be to encrypt laptops and hard drives to ensure that no sensitive information is lost when a device is lost or misplaced.
Simple Steps: Employee leaving
Once an end date has been determined for an employee, they should be put into a process to have their rights and access removed, starting with a review of your documentation on their current access. Once their end date is reached, the removal should begin almost as soon as they are out the door.
Retrieve any hardware and mobile devices that belong to the business. Change passwords for accounts that didn't have unique logins for each user (e.g. social media), remove the user's security access to the building (change the PIN code if necessary) and, if the office WiFi uses a single password, have this changed. If the employee had a credit card, ensure it is cancelled completely and they are removed from the account.
Simple Steps full stop
To reduce the impact of an employee's departure, it is beneficial to implement policies and access methods that reduce the need for hands-on changes which can affect other staff (password resets, access code changes, etc.).
Our tips:
- Ensure that each user has their own personal login where possible, including domain access, systems that are used and websites.
- Ensure that important financial information is never given out to employees. If they do have a credit card, it should be on the business account but under their details, with its own limit.
- Limit access to USB ports and other ports that can transfer information, ensuring that employees do not have installation rights.
- Ensure that all employees understand the importance of not sharing usernames and passwords.
- Rather than authenticating wireless users with a WiFi password, authenticate them by MAC address with approval, keeping a record of who each device belongs to.
- Do not give any employee access to social media sites. This should be controlled by one person only, and when that person leaves, all passwords should be changed immediately.
What can’t be helped
Even with the best security and processes in place, there will always be ways that your security could be compromised. However, with effective internal processes, good documentation, follow-ups and reviews of your procedures, you can drastically minimise the effect of an employee leaving.
Why not start looking at your systems now?