When an employee leaves your business, human resources processes are usually meticulously followed. But IT offboarding is frequently ignored.
An ex-employee who retains access to their email, your CRM, or your shared cloud storage long after their final day is an enormous security and privacy risk. Whether maliciously or accidentally, that lingering access can lead to costly data breaches. You must have an IT offboarding plan.
Immediate Identity Deactivation
On the employee's final day (or immediately upon termination), your IT team must follow this sequence to stop access in its tracks.
1. Reset the Primary Identity Password
If you use Microsoft 365 or Google Workspace, reset their password immediately. Then, hit the crucial "Sign out of all active sessions" button. This ensures that if they are currently logged in on a personal smartphone or home laptop, they are forcibly kicked out.
Managing Email and Shared Data
Once the primary identity is secured, you need to handle the data left behind and ensure long-term security.
2. Convert Email to a Shared Mailbox
You do not want to delete their email account, as you may lose important historical correspondence or miss future client emails. Convert their account into a "Shared Mailbox" and delegate access to their manager.
Revoking Application Access
Modern businesses use dozens of separate applications. Each one must be disconnected.
3. Revoke Third-Party SaaS Access
Not every app is tied to your Microsoft or Google login. Consult your password manager and meticulously revoke access to every third-party application, such as Canva, Mailchimp, or company social media accounts.
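One way to make step 3 repeatable rather than memory-based is to cross-check a password manager export against the HR leaver list. This is an added example, not part of the original article: the CSV column names, the email addresses, the dates and the function name `lingering_access` are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data. The column names are an assumed export layout,
# not the format of any particular password manager.
VAULT_EXPORT = """app,login,owner,shared_with
Canva,design@example.com,alice@example.com,alice@example.com;bob@example.com
Mailchimp,bob@example.com,Bob@Example.com,
Company social media,social@example.com,carol@example.com,bob@example.com;carol@example.com
CRM,carol@example.com,carol@example.com,
"""
# Constructed HR leaver list: email -> final day.
LEAVERS = {"bob@example.com": date(2024, 5, 31), "carol@example.com": date(2024, 7, 31)}


def lingering_access(vault_csv, leavers, today):
    """Return sorted (app, person, kind) for entries a past leaver can still reach."""
    # Only people whose final day has arrived count; matching ignores case.
    gone = {e.lower() for e, final_day in leavers.items() if final_day <= today}
    findings = []
    for row in csv.DictReader(io.StringIO(vault_csv)):
        owner = (row["owner"] or "").strip().lower()
        shared = {p.strip().lower() for p in (row["shared_with"] or "").split(";")}
        for person in gone:
            if owner == person:
                # The seat belongs to the leaver: remove or reassign it in the app.
                findings.append((row["app"], person, "personal seat"))
            elif person in shared:
                # The leaver could read this login, so removing vault access
                # alone does not take it away from them.
                findings.append((row["app"], person, "shared login"))
    return sorted(findings)


if __name__ == "__main__":
    for app, person, kind in lingering_access(VAULT_EXPORT, LEAVERS, date(2024, 6, 3)):
        print(f"{person}: {app} ({kind})")
```

An empty result on the leaver's final day is the evidence that step 3 was completed for every application recorded in the vault.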
Securing Personal Devices
If your staff use their personal phones to check work emails, you must use your Mobile Device Management (MDM) software to remotely wipe the corporate data partition from their phone. This ensures no client data goes home with them while leaving their personal photos and apps intact.
The Importance of Process
A rushed offboarding is a dangerous offboarding. If you rely on memory, you will forget to revoke access to a critical system. Standardise this list into a formal policy.
If you are struggling to manage access control or lack visibility into exactly what your former employees can still see, book a Cubit cyber security assessment today. We will review your offboarding procedures and provide a plain-English roadmap to tightening your access controls.
To understand where your business stands, we offer a free initial consultation - get in touch.
