Cyber Protocol: What to Do When Someone Leaves
posted Sep 24, 2018 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Do you have a policy in place for when an employee leaves your company (whether voluntarily or involuntarily)? It is crucial to involve your IT department in an employee’s departure. While the majority of former employees would never think of harming your systems, any employee who still has access to a company’s network and proprietary corporate data is a security threat.
What’s at stake if an employee leaves your organization?
Worst-case scenario: When employees leave (whether they are retiring, moving, pursuing other opportunities, or terminated) and still have access to accounts or passwords, they can access business data, finances or personal information. While this is unlikely, it’s important to be prepared for the worst.
Additionally, allowing ex-employees access to your systems can put compliance with data privacy regulations at risk, and could (intentionally or unintentionally) put confidential business information into the hands of competitors.
Every business should have a strict policy in place that is enforced for all departing employees.
When an employee leaves, you should:
- Notify your IT department immediately; they will need to research and document this person’s network access.
- Remove the employee’s access (including network, data and remote access) to your systems right away.
- Change all passwords. Note: Find out if the employee has access to colleagues’ passwords and, if so, change those as well.
- Route the employee’s email to a supervisor account.
- Remove permissions to access external and internal networks.
- Delete account/page administrator status for employees with access to digital company accounts such as social media, CRMs, etc.
- Collect all company property, such as keys, laptops, and access badges.
IT principles to prioritize
Now that you know what to do WHEN an employee leaves, what should you do beforehand to prepare for such a scenario?
- Preferably, your company should have a strictly enforced policy that clearly states who must notify whom. The policy should also dictate that these notifications be given right away so all of the departments can take prompt action.
- Require all employees to sign a confidentiality or Non-Disclosure Agreement (“NDA”) upon hiring and to reaffirm their compliance annually.
- As part of your data access processes, make sure that each employee’s access to the company’s information systems is granted based on the principle of Least Privilege: employees get access only to the minimum set of information and applications required to perform their responsibilities.
- In addition to this policy, your company should also ideally have a document that lists each employee’s access to the company’s information systems.
- Examine your material cyber risk, that is, the cyber incidents that could have a significant economic impact on your organization.
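The offboarding checklist above and the per-employee access document recommended in the preparation list are two halves of the same control: the document is what makes the revocation steps complete and lets you verify afterwards that nothing was missed. The following Python script is an added illustration, not code from the original post or from the author's firm. It assumes a hypothetical access inventory (one record per grant, with a flag for shared credentials the employee knows) and a hypothetical snapshot of which accounts actually exist in each system; both are constructed sample data. It builds the revocation plan for a departing employee, simulates applying it, and then runs two post-offboarding checks: any system where the person still has an account, and any live access that was never documented in the inventory (the case the checklist cannot catch on its own).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One documented access grant from the per-employee access inventory (hypothetical schema)."""
    employee: str
    system: str
    role: str = "user"
    shared_secret: bool = False  # True when the grant is a shared password the employee knows


# Constructed sample inventory: the document listing each employee's access.
INVENTORY = [
    Grant("jdoe", "ad", "user"),
    Grant("jdoe", "vpn", "user"),
    Grant("jdoe", "crm", "admin"),
    Grant("jdoe", "social-media", "page-admin", shared_secret=True),
    Grant("asmith", "ad", "user"),
    Grant("asmith", "vpn", "user"),
    Grant("asmith", "social-media", "page-admin", shared_secret=True),
]

# Constructed snapshot of live state: system -> {account: role}.
# "fileshare" is deliberately absent from INVENTORY to show undocumented access being caught.
LIVE_STATE = {
    "ad": {"jdoe": "user", "asmith": "user"},
    "vpn": {"jdoe": "user", "asmith": "user"},
    "crm": {"jdoe": "admin"},
    "social-media": {"jdoe": "page-admin", "asmith": "page-admin"},
    "fileshare": {"jdoe": "user"},
}


def build_offboarding_plan(inventory, employee, supervisor):
    """Turn the checklist into ordered actions for one employee.

    Order matters: the directory account goes first (it usually gates remote access),
    then every other documented grant, then mail routing, then rotation of any shared
    credential the person knew.
    """
    grants = [g for g in inventory if g.employee == employee]
    plan = [("disable_account", "ad", employee)]
    plan += [("revoke", g.system, employee) for g in grants if g.system != "ad"]
    plan.append(("forward_mail", "mail", f"{employee}->{supervisor}"))
    plan += [("rotate_shared_secret", g.system, employee) for g in grants if g.shared_secret]
    return plan


def colleagues_sharing_secret(inventory, employee):
    """Other employees who hold the same shared credentials and must receive the rotated value."""
    shared = {g.system for g in inventory if g.employee == employee and g.shared_secret}
    return {g.employee for g in inventory
            if g.employee != employee and g.shared_secret and g.system in shared}


def apply_plan(live_state, plan):
    """Simulate executing the plan against the live snapshot (returns a new snapshot)."""
    state = {system: dict(accounts) for system, accounts in live_state.items()}
    for action, system, subject in plan:
        if action in ("disable_account", "revoke"):
            state.get(system, {}).pop(subject, None)
        # forward_mail / rotate_shared_secret change nothing about account presence
    return state


def residual_access(live_state, employee):
    """Systems where the employee still has an account after offboarding."""
    return {system for system, accounts in live_state.items() if employee in accounts}


def undocumented_access(inventory, live_state, employee):
    """Live access the inventory never recorded: exactly what a checklist-only process misses."""
    documented = {g.system for g in inventory if g.employee == employee}
    return residual_access(live_state, employee) - documented


def offboard(inventory, live_state, employee, supervisor):
    """Run the plan and return the two post-offboarding checks for sign-off."""
    after = apply_plan(live_state, build_offboarding_plan(inventory, employee, supervisor))
    return {
        "residual": residual_access(after, employee),
        "undocumented": undocumented_access(inventory, live_state, employee),
        "notify_for_rotation": colleagues_sharing_secret(inventory, employee),
    }


if __name__ == "__main__":
    for step in build_offboarding_plan(INVENTORY, "jdoe", "manager1"):
        print(step)
    print(offboard(INVENTORY, LIVE_STATE, "jdoe", "manager1"))
```

The useful output is the last dictionary: an empty `residual` set is the sign-off condition for IT, while a non-empty `undocumented` set means the access inventory itself needs fixing, because the departing employee had access the company never recorded. In the constructed data the `fileshare` account survives the plan precisely because it was not in the inventory, which is the failure mode the preparation list is meant to prevent.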
Ensuring that your organization is safe from attack depends on your IT department staying organized and keeping track of everything your employees have access to. Need help assessing the safety of your business? Reach out to a member of our Information Security Services Team.