Employees are interviewed, judged, reviewed and then hired. They go through a period of “snap-in” with their team and eventually, they will, as do we all, separate from the organization. Many do the hiring and acclimating part of the employee experience equation well, fewer do the termination or separation well, and history is replete with exemplars of what happens when the execution is lacking when an employee departs. Employee off boarding is often one of the most overlooked elements in human resources, even in the defense industry.
And not only at separation. Gal Shpantzer, independent security consultant, reminds us how access rights are not only important to address upon termination, but also as individuals move to different divisions of the same organization. Fortunately, automated systems can help keep a company’s data secure.
“There are tools available that will centrally de-provision accounts associated with a given identity,” said Shpantzer. “If someone moves to a different division, is on extended leave, or is no longer with the company, any tool that has a list of access rights and that can remove those rights quickly is a major security win.” Shpantzer continues, “There are a lot of unnecessary breaches in the news going back a long way in the infosec timeline that are the direct result of a failure to remove access rights for employees, especially administrators with privileges inherent in their role in the org.”
The three items every entity must have in place for when the time comes to terminate access include:
- Termination of access to information. Lock the individual out.
- For those being off-boarded:
- Review the Non-Disclosure or Secrecy agreement
- Inventory all items issued to the individual and all electronic media items which accessed the corporate or client networks. Remove the company or client data from those devices which do NOT below to the company. This is critical in the BYOD era.
- Conduct an exit interview. For individuals terminated for cause, the exit interview may end up being pro-forma. For those who are either voting with their feet or have been lured away by a competitor, the exit interview will be invaluable and may potentially provide tidbits of information which will allow the manager or employer to make adjustments to retain colleagues.
- Acquire an attestation from the individual which stipulates that they have returned all intellectual property of their employer, they retain no information from employer or clients, save that which is required to effectuate the separation from the company/employer.
In sum, investing your time and energy on those who are departing the company will enable a large scale security win and markedly reduce the likelihood a former employee or individual will retain access to the detriment of the employer.