We all have a certain level of staff turnover at our businesses, in fact it’s inevitable and even healthy. How you handle departing hires from an IT standpoint can be the difference between a security liability or a clean and cost-effective transition.
When your employee walks out the company doors for the final time, their digital access can’t go with them. If it does, you’re opening your business up to security problems, compliance risks and even ongoing financial costs.
Today, we’re going to look at IT offboarding, what it is and what it should cover. Why is this important? According to one study, 71% of businesses lack a formal offboarding procedure. It also found 20% of companies have experienced security breaches involving former employees. There’s a strong connection between those stats – messy offboarding could lead to a security risk.
Enduring Access to Business Accounts
Microsoft 365 accounts don’t shut down when somebody leaves your organisation. OneDrive files remain, emails keep coming in SSO (single sign-on) credentials still work with third-party apps. You may have a project management platform, a CRM, and accounting software you use, plus communication apps like Microsoft Teams. Without IT offboarding, all of this will remain live.
Cybersecurity firm Beyond Identity stated in a report that 83% of employees have enduring access to accounts after they leave a job. That’s a large number that is way beyond isolated incidents.
The risk that sits with it will be proportional to the team members role. If you’ve got an IT admin or a finance manager leaving their role, their higher access level to sensitive materials makes the departure more risky than a junior team member or intern. A higher access level requires a more efficient and thorough offboarding process.
What IT Offboarding Should Cover
It’s more than just shutting down and deleting a few accounts. IT offboarding is a comprehensive process that should include the following:
- Account deactivation. All company accounts should be disabled on the final day of work, or immediately if it’s a termination of employment. Disabling Microsoft 365 is especially important if that’s the productivity stack you use. This will stop activity across all Microsoft services but won’t permanently delete the data.
- Email redirection. Once the account is disabled, redirect emails to a manager or relevant team member. That way, you won’t miss any correspondence from clients or suppliers during the transition period.
- File ownership transfer. Any files the employee owned in OneDrive or SharePoint should be transferred to another user. Otherwise, you may lose important data or documents.
- MFA and SSO revocation. Multi-factor authentication tokens and SSO sessions don’t always expire when an account is disabled. These should be explicitly revoked as part of the process.
- Third-party application access. Any SaaS platform that the employee accessed independently of Microsoft 365 needs to be part of the offboarding process. These would be tools like HubSpot, Xero, Slack, Dropbox, or any other platform with its own login credentials.
- Device recovery or wipe. If they use a company-owned device, this should be returned and either wiped or reassigned. If you have a BYOD policy, remove all corporate data from their personal device with Microsoft Intune.
The Licence Cost
Microsoft 365 licences are billed per user, per month. If a departed employee’s account is left active, you are paying for access that nobody is using (or should be using). If you have high employee turnover and haven’t been through a licenses audit recently, you may be paying unnecessary license fees on unused accounts. It’s worth taking a look and recovering and reassigning those licenses if necessary.
When the Departure Isn’t Amicable
Your IT offboarding procedure should be applicable to all departing employees. Things do change slightly when they exit on poor terms. In that situation, efficiency is key. Access to Microsoft 365 and other platforms should be revoked as soon as possible.
Don’t wait until the end of the day – an employee who knows they are being let go can then still export or delete data or access client records. Inside-user threats from departing employees have consistently been classed as a high-risk category by the Australian Cyber Security Centre (ACSC).
It’s worth putting in place a rapid-response offboarding protocol if you manage sensitive data, intellectual property or financial records.
Make Offboarding Part of Your IT Process with Smile IT
Employee turnover is a normal part of running a business. Having a repeatable, documented IT offboarding process means you’re not making decisions under pressure each time someone leaves.
At Smile IT, we help Brisbane businesses manage the full lifecycle of employee IT access. Comprehensive IT onboarding right through to clean and efficient offboarding. If you’re not confident in your current process, get in touch with our team today. We’re happy to answer any questions you might have.
When he’s not writing tech articles or turning IT startups into established and consistent managed service providers, Peter Drummond can be found kitesurfing on Moreton Bay or hanging out with his family!