6 Security Steps To Follow When An Employee Leaves Your Company
There are lots of processes a company follows when an employee leaves: maybe a card is passed around the office for everyone to sign, everyone puts in a few pounds towards a present, or you organise a leaving ‘do’. But have you considered what processes should be followed from an IT security perspective?
When considering GDPR and general internal cybersecurity, IT processes cannot be overlooked when an employee terminates their contract with a company. It is not a matter of not trusting your employees; it is a matter of controlling and securing company data and having a solid knowledge of where it is stored. However, if an employee is leaving the company because of misconduct or other serious reasons, then these steps should be followed with extra care.
1. Communication with HR
The first step to an effective and secure employee termination process is open and timely communication with HR. HR needs to let IT know as soon as an employee hands in their notice so that IT can plan the procedure to be prepared for the employee’s last day in the office. This preparation time is key so that the IT team can analyse the access and permissions that the user has so they can be swiftly revoked and changed when the time comes.
2. Disable account/telephony associated with the account
The one action you will need to take with every type of role is to disable the employee’s account with the company as well as any telephony associated with their account. This marks the termination of their contract with the company and means that they will not be able to gain access to company data, be mistakenly registered as an employee, or receive e-mails from clients that will get lost.
3. Change passwords/pins
This is more dependent on job role and access but you also need to consider what sensitive information the employee had access to. This could be something like the company’s social media account, which often has one universal password or sometimes will connect via the employee’s personal social media accounts. Or they could have had access to bank pins for company credit cards. In all cases, the access will need to be revoked or the passwords and pins will need to be changed.
4. Remove permissions
Permissions encompass anything else that the company has allowed the employee access to. Examples again will depend on the role, but this could be remote access to the company systems from home, permissions to make changes to company billing information, and other general company accounts. It is also worth noting at this stage that any devices the employee has access to which are owned by the company will need to be returned so there is no misplaced company data. For more information on controlling company assets see our post on BYOD and how this needs to be maintained.
5. Format and rebuild computer hard drive for a new user
This is a final step to wipe the employee’s hard drive to get rid of any other sensitive information and to make the hardware secure and like new for the next user to access with their own unique account and permissions.
6. Make it a process
Once you have developed this process in a way that works for your company, it is a good idea to keep documentation of each step you have gone through. This can form a ‘check-list’ of how this process should be carried out for various departments, which will differ in terms of thoroughness. For example, the process for an IT manager with access to all the company’s network data and security information will be very different from the process for an employee in accounts who handles all the company transactions and holds a lot of sensitive financial data. It is also a good idea to keep documentation of each individual employee termination procedure for reference and legal purposes.
When you have a process in place it will make it much easier in the future as you will know exactly what you need to look for and what employees with similar roles will require. As part of our managed IT services, Xenace will carry out this process for you so you do not even need to worry about it. If you are considering the advantages of outsourcing your IT so that sensitive processes like this can be given the time and dedication that they require please get in touch! We would be happy to talk you through exactly what we can do to make life a bit easier for you.