Putting a process in place for the onboarding and exiting of staff members will help protect your organisation and your data from any inadvertent leaks due to out of date email addresses still being active with access to critical systems.
We’ve included below a number of processes we recommend implementing as part of a onboarding and offboarding policy for your staff.
1. Centralised management of user credentials
To start with, centralising your password management for each staff member is highly recommended.
Consider using Azure Active Directory and Single-Sign-On technologies, so when it is time to disable access for a leaving user, you can do this from a centralised place.
Consider using Password Managers so you only have to revoke one password to prevent an ex-employee accessing a range of services.
2. Managing Company Data on Employee Devices
Many businesses allow staff to use their own devices, especially when they are working from home or part of a mobile workforce.
If this is the case in your organisation, we recommend that you use ‘Mobile Device Management’ technology, so you can erase company data from an employee’s device.
3. Provide Access to Technology on an “As-Needed” Basis
Creating levels of permissions within your business helps protect the organisation should access be gained via a particular employee’s login details.
We recommend that you only give employees the credentials needed to access the systems they need for their role.
Avoid providing employees with higher levels of access than they need – this helps to reduce exposure should they leave.
Even though this can be inconvenient at times, it is more secure to provide temporary increased access to a system if needed, than to allow a higher level of access across the board.
4. Ensure you don’t miss anything during the offboarding process
Develop, maintain and follow a documented formal employee technology and security “offboarding” procedure for every staff member who is leaving your organisation.
Advise your IT provider early when an employee is expected to leave your business so that they can ensure the appropriate process is in place and all changes are made.
5. Manage disgruntled employee exits
Not every staff departure is amicable and this is where your process becomes even more important.
For the protection of both the employee and your business, revoke access to critical services for disgruntled employees as soon as possible, including immediate escort from the premises.
Ensure the immediate return of any company-owned technology they have access to – a regularly updated register of technology and who has access will help ensure nothing is overlooked.
6. Use named-user logins rather than sharing logins amongst multiple users.
Revoking one user account when an employee leaves is easier than changing the password on an account shared by 20 users and managing the impact on your whole team.
A shared account also does not allow audit-tracking of user activity.