User Account Offboarding is the process used to revoke accounts and access from departing employees. Offboarding is a critical step for secure and compliant identity management.
According to Osterman Researchi, nearly 90% of departed employees retain access to their corporate applications. Almost 50% logged in to an account after leaving the company. These statistics cut right to the main reason for offboarding. Ex-employees accessing confidential information with active network accounts bring security risks. These breaches may cause further complications with legal discovery and regulatory compliance as well.
On an operational level, offboarding must also adjust communications and workflows following an employee’s departure. Missed calls, forgotten prospects, ignored support requests, paused orders, and more remain common when organizations don’t plan around potential departures. When offboarding suffers delays, necessary adjustments fall through the cracks and create inefficiencies, dissatisfied clients, missed opportunities, and other harmful results.
Offboarding must be part of a company’s broader IT security and HR management policies. Even when employees leave the company on good terms, offboarding practices must ensure that departed staff do not retain access to corporate applications, emails, and other potentially sensitive information.
Ensuring the best offboarding processes usually starts with your onboarding process.
Onboarding best practices for the best offboarding
Offboarding primarily comes down to how fast and how thorough it’s carried out. When user account onboarding follows clear, identifiable processes with logged activity, the burden of proper offboarding lessens considerably. Otherwise, offboarding begins to look like one of IT’s worst games of “hide-and-seek.”
If your organization’s onboarding and provisioning processes are automated, it is just as simple to automate and configure your requisite offboarding. Automated offboarding (and onboarding) rely on user roles or attributes synced from your HR system. If HR staff updates a departing employee’s status in their system, the automating solution will revoke whatever access was provisioned.
Adhere to a strict employee offboarding checklist
Regarding human resource management and offboarding, employee turnover is a routine and predictable reality. It is necessary to plan for these events to optimize offboarding.
When an employee leaves, IT protocols must ensure and include performing appropriate offboarding tasks, including collecting all company assets and collaterals, like technology, laptops, phones, ID badges, key fobs, and other devices. Additionally, these protocols must include termination lists, disabling all logins, and directing all email and phone accounts from the departing employee to his or her manager.
- Termination lists. This list informs primary departments, like finance, HR, facilities, and legal, when an employee leaves the organization.
- Disable logins to all employee accounts. Terminating every account for every service a departing employee accesses is critical to an organization’s well-being. Deactivation must span both on-premise and cloud accounts. If a single sign-on solution is issued, check any apps saved in the employee’s portal. If using a mobile device management solution, remotely wipe the device or apps.
- Direct the email and phone accounts to the appropriate contact. Establish automatic forwarding or grant the departing employee’s manager login access to gather data, check for new communications, and reprioritize workflows.
Without policies such as these in place, organizations increase their exposure to data breach and theft risks. If ex-employees continue to access the company’s network, the information spigot remains on. Data such as customer information, intellectual property, and financials remain vulnerable.
Preventing a data breach is especially vital in law firms, medical practices, and financial institutions that are highly regulated to ensure that private information is kept confidential. Exposed data, such as credit card numbers, still present high-level security concerns for general business vendors.
Any organization’s most valuable resource is its data. The process of user account offboarding should protect that data while ensuring a seamless transition for the organization and all departing employees, partners, contractors, and others who’ve had access to it.
Protect against penetration points
The first step in offboarding an account is simple: revoking an employee’s access. Because employees usually have access to several different accounts, IT must shutter all access points to minimize potential penetration points.
At its most basic, if an ex-employee cannot authenticate themselves into your network or log in to other IT resources, they cannot harm you. With an automated solution, offboarding processes will deactivate the specified accounts. Without an automated solution, simple password changes can help secure your environment. However, manual password changes across an employee’s accounts can be very time-consuming.
It is critical to terminate access to on-premises and cloud solutions. If a single sign-on platform is utilized, review applications saved in the employee’s portal to discover if any applications have been used without the IT team’s knowledge or approval. If applicable, it may be possible to wipe company applications from the employee’s mobile device remotely.
Other than the potential security risk, closing out any unused accounts is a cost-saving measure. Unused licenses assigned to departed employees and partners continue to incur fees from the vendor. If any vendor licenses are allocated to the departed employee, they still require payment even when not used.
Other considerations for account offboarding
Regarding account offboarding, attention to detail is vital. One little point to consider is that when permanently deleting a user’s account, creating an archive for the organization’s records is a smart step to take, just in case access is required later on.
Finally, an oft-overlooked step is to hide the ex-employee from the directory, so their contact information no longer appears when employees type their email address into services like email and calendar.
You may also consider setting up an auto-responder on the former employee’s email account to inform senders that the person no longer works with the organization and to provide instructions for whom should be contacted for assistance in their stead. Aside from tying up any loose ends, doing so sends a strong message to the world—we pay attention to details and take active steps to eliminate potential exposure to threat, breach, or penetration.
[i] Osterman Research, “Do Ex-Employees Still Have Access to Your Company Data?”, 2014