Protecting Your Business When Employees Leave
Greg Wilson, Head of Information Security
Jan 11, 2017
While it’s always important to take a variety of measures to ensure you are protecting your company from data breaches, this prevention becomes even more imperative when employees who were privy to secure information leave the company.
In order to protect your business, your employees and your clients, appropriate precautions should be followed. The departures of even the friendliest individuals should be treated the same as the departures of those who leave disgruntled. You never know what those former employees are truly thinking, and it’s best to treat all instances with the safety of people and information top of mind.
The Federal Communications Commission suggests creating a security checklist for when employees leave the company, regardless of their reasons for leaving. It also recommends providing security training for all employees — this will help them further understand your security measures and what potential threats to your business could exist.¹
Prior to the individual leaving, the company should determine whether or not he or she will stay for the remainder of the day or be escorted off of the premises. If the individual will remain in the building for the rest of the day, he or she should be monitored closely, particularly in regard to emails being sent. It’s necessary to ensure the individual is not transferring documents or personal emails, as these could contain information that should not leave the company systems.
If the individual will leave the property immediately, another staff member should shadow the employee to collect personal items from his or her desk. However, no emails or items from the computer may be deleted during this time period. The individual should then be escorted out of the building after completing his or her exit interview.
During the individual’s exit interview, all confidentiality requirements should be reviewed. Before he or she leaves at the end of the day, all information technology devices must be collected, and all company-specific apps must be disabled on his or her personal devices. For example, if an employee has a phone with email access, that access needs to be terminated. All laptops, portable storage devices, phone cards, building access devices and company credit cards also need to be returned to the company.
Additionally, make sure to collect any gate passes and parking tags as well as all physical keys and ID cards to the building from the individual.
Most security breaches occur within the first two weeks of an employee’s termination or resignation, creating the necessity to take extra safety precautions during that time period. Regardless of whether or not the end of employment is friendly or hostile, the following protocols are recommended:
- Disable or change all network passwords, alarm codes and security codes to which the individual had access.
- Remove the individual’s access to all social media accounts.
- Deactivate the individual’s company email account(s) and any remote access he or she has.
- Reprogram the individual’s voicemail to reflect that he or she has left the company, and provide information regarding who should be contacted for assistance.
- Notify appropriate parties (such as building security) so that they are aware the individual no longer works at your company.
- If you work in a smaller office, change all locks.
Even if an employee leaves on amicable terms, in our current society, it’s best to err on the side of caution. Information breaches can occur in any business, but you can be proactive in your efforts to help ensure yours is as safe as possible.
¹ Federal Communications Commission, “Cyber Security Planning Guide.”