Departing Employees May Exit Your Building — But Have They Truly Left Your Organization?



Departing Employees May Exit Your Building — But Have They Truly Left Your Organization?

Although departing employees may exit your organization on their last day, there are myriad potential digital doors back into your company’s network that they may be able to access long after they leave the premises.

If not properly offboarded, ex-employees can gain access to your company’s data with the potential to do irreparable financial and reputational damage completely undetected. Take the story about the disgruntled ex-employee, Juan Rodriguez, who worked for Marriott. After his termination, Rodriguez remotely accessed the company’s systems after departing the organization. The disgruntled ex-employee allegedly changed the price range of 3,000 rooms from $159-$499 to $10-$59, resulting in the loss of more than $50,000. Or the case of former McAfee employees leaking trade secrets to a rival organization after leaving. Could these situations have been avoided?

The following are recommended steps to take during an employee’s offboarding process to secure your organization and close any potential security gaps.

Conduct a post-termination access audit

To secure your organization from ex-employees, you should first know what they had access to in your network. Phone, email, cloud applications, social media accounts, ordering systems, and vendor accounts should all be taken into consideration. Did this user share credentials with anyone inside your organization? What privileges did this user have? Depending on the size of your organization, you may want to collaborate with other departments to gain a complete view of the access any departing employees have in your company network.

Disable and monitor user accounts

Before you delete a user account, you should disable it. Disabling user accounts gives you the opportunity to monitor for unusual activity and devise a plan to move forward for business continuity. During this period, you can monitor user access to verify that nothing out of the ordinary took place before the termination. Monitoring cloud applications such as Salesforce, Office 365, Google Drive, and Box is critical due to the vast amount of company data they store. Whether for active or departing employees, you should monitor for activities like:

  • Exporting activity. Did the employee export and take data like customer lists or financial information stored in Salesforce out the door prior to departure?
  • Privileged users creating new accounts. Look for the creation of new accounts or ones associated with any service accounts. Privileged users can create a back door into your network and need close monitoring.
  • Login activity. Check for inappropriate login activity to check if users are still attempting to access any company systems.
  • Email. Monitor any post-termination access to accounts such as Office 365 to ensure that users don’t have access to company email. Monitor for the transfer of any email between work and personal accounts.

User behavioral analytics

If you detect inappropriate or unusual behavior in your cloud applications during the monitoring process, you should use behavioral analytics to draw insights into those incidents. For example, if you discovered that Joel, an Account Manager, usually accesses 200 accounts per day in Salesforce and he starts accessing over 400, you can dig into the analytics to assess what drove this behavior. If, by drawing insights from Joel’s past behavior, you identify that this instance is an anomaly, you can then confidently address the situation to regain control of your data.

Delete or retain user accounts

The last thing you want to do is delete user accounts that weren’t supposed to be deleted – users may be the only point of access to a resource or account. Inactive accounts can increase your organization’s risk, but some accounts should never be deleted – for example, Active Directory Accounts should not be deleted. Security, IT, and HR should collaborate to establish a concrete set of policies for account deletion in order to securely remove accounts that create risk and keep the ones that need to be retained for security purposes.

Closing the door with security

Due to the nature of modern business, organizations are now a vast interconnected web where information is stored and transmitted between parties. Employees who have access to this sensitive information may eventually leave your organization. When this happens it’s imperative that you have the proper security controls in place so that once they leave your network, they have no other way of reentering.