The hidden dangers of employee offboarding

Bob Burke at Beyond Identity describes an underappreciated corporate security risk and explains how to mitigate it

In today’s rapidly evolving employment environment, where financial or competitive challenges may force employers to reduce headcount, the issues associated with safeguarding corporate security during the employee exit process are often overlooked.

The risks are very real, with one study revealing that nearly half of workers had admitted to hacking accounts with former their employer’s passwords having already left the company.

The big question to ask here is why? Perhaps understandably, most organisations are more focused on talent acquisition, with the offboarding process receiving comparatively less attention until circumstances require it.

However, the problem here is this can inadvertently lead to unexpected and potentially serious security risks and vulnerabilities.

An insider threat, even after they left the building 

Even though it’s an unfortunate and sometimes difficult issue to consider, one of the primary security risks arises from disgruntled ex-employees - a concern often referred to as the ’insider threat’.

This is particularly important when the individuals concerned have access to sensitive company information; mitigating this risk involves a multi-faceted strategy that should begin with conducting insightful exit interviews to gain a clear understanding of any potential concerns.

A further important area of risk comes when ex-employees may retain unauthorised access to data and systems. In cases where an employee’s departure is sudden or unexpected, for instance, there is a chance that their access credentials may not be appropriately terminated for some or all of the systems they had access to. This opens a potential window of opportunity for malicious activities, especially if a former employee actively seeks to exploit it.

To counteract this risk, a comprehensive offboarding process needs to be in place that ensures the systematic deactivation of all types of account access. This should be expedited as soon as possible after the employee has left their role.

Then, there is the risk associated with the loss of critical knowledge or expertise. An employee’s sudden exit could create a knowledge gap that could leave the company vulnerable to threats. Mitigating against what is often called ‘key person risk’ means companies must cross-train employees where possible, creating a layer of redundancy that minimises dependency on any one individual.

In doing so, it is equally important to maintain fully updated documentation or runbooks on processes, systems and other relevant information to help close the loop when a knowledgeable employee moves on.

Proactive measures for ensuring security

In preparation for an employee leaving the organisation, companies need to ensure they have a robust offboarding process that provides complete transparency to all key stakeholders. They must be continually evaluated and improved upon, particularly if a previous offboarding was not executed successfully.

In the security context, CISOs have a pivotal role to play, collaborating closely with HR, IT, managers, and legal departments to facilitate a seamless transition.

A crucial aspect of the offboarding process is the implementation of end-to-end workflow automation, with the HR system acting as the system of record. Relevant stakeholders should be notified at key checkpoints, ensuring a smooth handover.

Additionally, running targeted incident response drills around relevant access controls can provide valuable insights into potential vulnerabilities and areas of improvement.

From a technology standpoint, a strong zero trust architecture with centralised policy enforcement is becoming indispensable for ensuring a robust security posture, not only in these circumstances but in general. This model eliminates any assumed trust scenarios and shifts the trust relationship to the transaction level, effectively reducing the chances of unauthorised access.

To further enhance the overall security strategy, companies should implement strong authentication methods like Multi-Factor Authentication (MFA). Additionally, Data Loss Prevention (DLP) tools can be deployed to monitor and prevent unauthorised leakage of sensitive data, both during the notice period and post-departure.

Sensitivity backed by vigilance

Handling departures or redundancies in a sensitive, transparent manner is equally critical. The reasons for each decision should be communicated clearly, ensuring the entire process is transparent, consistent and complies with all legal requirements and company policies.

To ease the transition, companies can offer counselling or career coaching services to affected employees, helping them navigate the challenging period ahead.

Ideally, a gradual approach to offboarding can prove helpful to employees, allowing them ample time to complete work, hand over tasks and pass on any key information. This also provides the security team with the opportunity to review all access throughout the process and revoke it when necessary. 

In the aftermath of dismissal, redundancy or other circumstances when an employee leaves their role, CISOs must remain vigilant for subtle indicators of potential security threats. For instance, unwarranted alterations to source code or configuration files could be a sign of malicious activity. Mitigating such threats might involve deploying File Integrity Monitoring tools or a Static Application Security Testing (SAST) solution.

Also, a close eye must be kept on unofficial remote access tools like VPNs, SSH or remote desktop software, which are frequently used but often overlooked. A comprehensive understanding of network activity, complemented by a Security Information and Event Monitoring (SIEM) tool, can prove invaluable in detecting and mitigating various risks.

Should a data breach or security incident occur after an employee has left, the first thing a CISO should do is initiate a full-scale investigation by the incident response team. The process will encompass a range of steps, including containing the issue, investigating its roots, preserving any crucial evidence and remedying any vulnerabilities or breaches.

A well-orchestrated incident response process should also involve key stakeholders such as legal and HR departments, ensuring compliance with all relevant laws and regulations. The lessons learned from each incident should be carefully examined and used to enhance existing processes, making them more robust and reducing the chance of future security incidents.

With research indicating that only one in seven of former organisational employees have been caught using former company passwords and 10% using past employers’ passwords to disrupt company activities, the need for effective processes and technologies is critical.

Ensuring the offboarding procedure is thorough, well-communicated, and effectively monitored is not merely beneficial for corporate security, it’s also important for protecting the wider resilience of any modern organisation.

Bob Burke is VP of Security and Infrastructure at Beyond Identity

Main image courtesy of iStockPhoto.com