Cybersecurity Offboarding: How to Protect Passwords When Employees Leave

Ending a business relationship with an employee can be daunting, especially if things end on bad terms. Offboarding is critical to ensure that any disgruntled former employees do not expose company information. There have been cases in the past where former employees were the cause of massive data breaches.

Some data breaches are intentional, like when a former CIA employee was convicted for carrying out the largest data leak in the agency’s history. 

Other breaches are unintentional, like when a City of Calgary staffer accidentally sent an email to an employee of another Alberta municipality. The email contained personal and confidential information of 3,716 municipal employees—resulting in a $92.9 million class action lawsuit for allegedly breaching the privacy rights of thousands of employees of the City of Calgary.

An offboarding process is necessary to prevent these security breaches from happening to your organization.

What Is Offboarding?

Employee offboarding is a process that takes place following an employee’s separation from the company. This is a necessary step to ensure their work is transitioned to other employees and to prevent potential vulnerabilities that can expose the organization to cyberthreats.

The offboarding process can include:

  • Delegating the employee’s workload and responsibilities to other team members
  • Deactivating the employee’s access to company accounts (critical for your internal and client security) 
  • Returning company equipment
  • Conducting an exit interview for feedback

Why Do You Need an Offboarding Process?

The purpose of the offboarding procedure is to create a clean break from the former employee and tie up any loose ends. Plus, feedback from the ex-employee can be beneficial in improving the company for the current and future team.

Some of the benefits of having an offboarding process include:

  • Mitigates security risks — The company is expected to reclaim company assets and revoke employee access to prevent former employees from accessing sensitive information and intellectual property.
  • Prevents legal issues — A proper offboarding process gives the employee clarity on the situation. This allows both parties to discuss topics such as contract disputes, compensation or even wrongful termination. 
  • Manages logistical challenges — Before the departing employee leaves the company, the offboarding process can assist in distributing the workload to the remaining team members. Proper delegation can prevent project timelines from shifting or negatively impacting stakeholders.
  • Provides the company with feedback — An employee exit interview gives the departing employee the chance to provide feedback to the team leads and, hopefully, end the business relationship on the best possible terms. 

How to Offboard an Employee to Keep Your Organization Secure

There are several steps to consider during the offboarding process. Follow the general guidelines below when offboarding an employee at your company.

  1. Plan Ahead During Onboarding

The offboarding process is basically the opposite of the onboarding process. A proper onboarding process will make the offboarding process more efficient since it will allow you to gather information to help with offboarding later.

When a new member joins the team, create an employee offboarding checklist. Keep track of and record all digital and physical assets associated with each employee. Ask yourself:

  • What equipment do they need?
  • What do they need access to?
  • What projects will they be working on?

Take note of their responsibilities and equipment, as this will help with the offboarding process in the future. 

  2. Recover All Equipment

Retrieve company equipment such as laptops, security passes, USBs, IDs, hard drives and other assets. A single forgotten thumb drive containing sensitive data can fall into the wrong hands and result in a data breach. 

  3. Shut Down Employee Accounts

After recovering all physical assets, organizations must also revoke the employee’s online access. Shutting down accounts includes:

  • Revoking access to shared folders, files and accounts
  • Resetting shared passwords
  • Reassigning suspended licenses to another employee

  4. Monitor Activity

Monitor the user’s activity during their last couple of weeks, up to their final day, to ensure that the employee has not copied any files to their personal computer. Put policies in place to prevent email forwarding.
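
The steps above can be run as a reconciliation check against the record taken at onboarding. The following is an added example, not code from the original article or from Keeper; the record layout, asset names, dates and the `example.com` domain are all constructed assumptions.

```python
from datetime import date

COMPANY_DOMAIN = "example.com"  # assumption: placeholder company domain

# Constructed onboarding record (planning step); every name is hypothetical.
ONBOARDING_RECORD = {
    "equipment": {"laptop-0412", "badge-7731", "usb-0098"},
    "accounts": {"email", "crm", "file-share"},
    "shared_credentials": {"social-media", "vendor-portal"},
    "licenses": {"design-suite"},
}

def outstanding_items(record, last_day, returned, disabled, reassigned,
                      shared_reset_dates, forwarding_rules):
    """Return what is still open for a departing employee, keyed by task."""
    # A shared password counts as reset only if it was changed on or after
    # the employee's last day; an earlier value is one they may still know.
    stale = {name for name in record["shared_credentials"]
             if shared_reset_dates.get(name, date.min) < last_day}
    # Mailbox forwarding targets that sit outside the company domain.
    external = sorted(target for target in forwarding_rules
                      if not target.lower().endswith("@" + COMPANY_DOMAIN))
    return {
        "equipment_to_recover": sorted(record["equipment"] - returned),
        "accounts_to_disable": sorted(record["accounts"] - disabled),
        "shared_passwords_to_reset": sorted(stale),
        "licenses_to_reassign": sorted(record["licenses"] - reassigned),
        "external_forwarding_rules": external,
    }

def is_complete(report):
    """Offboarding is finished only when every task list is empty."""
    return not any(report.values())

if __name__ == "__main__":
    report = outstanding_items(
        ONBOARDING_RECORD,
        last_day=date(2024, 6, 14),
        returned={"laptop-0412", "badge-7731"},
        disabled={"email", "crm", "file-share"},
        reassigned=set(),
        shared_reset_dates={"social-media": date(2024, 3, 1),
                            "vendor-portal": date(2024, 6, 14)},
        forwarding_rules=["jdoe.personal@mail.example.net"],
    )
    for task, items in report.items():
        print(f"{task}: {items or 'done'}")
```

A shared credential with no recorded reset date is treated as never reset, so it always appears in the report.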

Using Keeper to Simplify Employee Offboarding

Keeper makes the offboarding process easier with features such as role-based access controls and delegated administration. When an employee leaves your company, you can easily transfer their vault to another user so that credentials aren’t lost but the ex-employee cannot access their vault anymore.

Take a look at our documentation portal to learn more about Keeper’s admin controls and how we make onboarding and offboarding easier for you and your employees. 

Frequently Asked Questions

What do companies risk with improper offboarding processes?

Improper offboarding processes can open the door to cybercrime. An employee who leaves your company on bad terms may seek revenge and intentionally cause a data breach that can put everyone in your business at risk.

On the other hand, even if an employee ends a business relationship on good terms, an improper offboarding process can still put your team and customer data at risk. For example, if a company does not change the password to a shared account, an ex-employee could still log into that account from their personal computer at home. If the ex-employee does not practice good cyber hygiene, they put the company account at risk.

Who is responsible for offboarding?

The offboarding process is a shared responsibility between the Human Resources team and the direct manager. Human Resources (HR) provides the necessary paperwork and legal processes. The manager should work alongside HR to help with the employee’s transition out of the company, since the manager should better understand the employee’s responsibilities.

Depending on the size of the company, the IT team may be involved as well to ensure equipment is returned and access to company accounts and information is revoked.

Craig Lurey

Craig Lurey is the CTO and Co-Founder of Keeper Security. Craig leads Keeper’s software development and technology infrastructure team. Craig and Darren have been active business partners in a series of successful ventures for over 20 years. Prior to building Keeper, Craig served at Motorola as a software engineer creating firmware for cellular base station infrastructure and founded Apollo Solutions, an online software platform for the computer reseller industry which was acquired by CNET Networks. Craig holds a bachelor’s degree in Electrical Engineering from Iowa State University.