Digital footprints cover today's modern workplace. Employees get a company email address, application logins, a company phone extension, and often more. This is good as it allows employees to be integrated within the company and work more efficiently. However, it does mean that if an employee leaves the company, the process of removing their digital footprint becomes more complicated. This is the process of "decoupling" the employee from the company's technology assets, which is vital to cybersecurity. You don't want an embittered former employee to maliciously email all your customers from their work email or leak sensitive files left on their computer. One study found that 20% of surveyed businesses have experienced a data breach connected to a former employee. Digital offboarding of employees entails revoking privileges to company data, disabling accounts, and more. To help you with this process, we've provided a handy checklist to help you cover all your bases.
Your Digital Offboarding Checklist
Identify All Apps & Logins the Person Has Been Using for Work
Hopefully, your HR or IT department will have a list of all an employee's apps and website logins, but you can't assume this, as employees may also use unauthorized cloud apps to do their work without realizing the security consequences. If you are able, work with the employee during their exit interview to get a list of any unlisted apps the employee may have used for business activities. Either change the login if you plan to continue using them or close them altogether after exporting company data.
Change Employee Passwords
Changing the employee's email password should be one of the first things you do. This keeps a former employee from sending emailing as a representative of the company and getting sensitive company data. Accounts are typically not closed immediately because emails need to be stored, but changing the password is essential to ensure the employee no longer has access. Additionally, you need to change all the ex-employee's app passwords. Remember that people often access business apps on personal devices, so just because they can't access their work computer any longer doesn't mean they can't access their old accounts. Changing the passwords locks them out no matter what device they are using. This process is simplified if you use a single sign-on solution. Don't forget about physical access to your building. If you have any digital gate or door passcodes, change these so the ex-employee can no longer gain access.
Transfer Data Ownership & Close Employee Accounts
Leaving unused employee accounts open is an invitation to a hacker. Without someone actively using/monitoring the account, breaches can happen entirely unnoticed, allowing a criminal to steal data for months unnoticed. Choose an active account to transfer the inactive account's data to and then close the inactive account.
Address Social Media Connections
Remove any social media connections between the former employee and any official company pages. This step is especially important if they had admin access to company socials, such as their personal Facebook account being an admin for your company's page or some other equivalent.
When an employee leaves the company, it's not just their labor that is lost, but also their knowledge. This could be something as simple as what social media app someone used for company posts or something that can dramatically shift productivity, such as the best way to enter the sales data into the CRM. One way to help mitigate this knowledge loss is to do a knowledge download with the employee during the exit interview. However, one way to preemptively solve this issue is to have all staff regularly document procedures and workflows into a company knowledge base. This makes the knowledge available if the employee is ever not there to perform those tasks.
Recover Any Company Devices
Make sure to recover any company-owned devices in the employee's possession. You should do this as soon as possible to avoid the loss of the equipment. Once people no longer work for a company, they may sell, give away, or trash devices.
Revoke Access by Employee's Devices to Your Apps and Network
Using an endpoint device management system, you can easily revoke device access. Remove the former employee's device from any approved device list in your system.
Recover Data on Employee Personal Devices
Many companies use a bring your own device (BYOD) policy to try and save money, but this is a security risk and makes offboarding more difficult. You need to ensure you've removed all company data from the personal devices of ex-employees. If you use BYOD and don't already have a backup policy for this, then you have a major security vulnerability that must be remedied.