HR Management Compliance

Four Keys to Securely Offboard Staff

15views

Organizations as we speak face many cybersecurity issues throughout the board. With most companies at present supporting distant staff because of the COVID-19 pandemic, attackers have been doing their finest to capitalize on the present scenario.

offboarding
Supply: Den Rise / Shutterstock

Along with the cybersecurity dangers posed by attackers, there are different safety issues in your group, beginning together with your workers. If not offboarded appropriately, workers who go away your group can expose your companies to super threats, together with knowledge leaks. 

The Essential Position of HR in Onboarding and Offboarding

HR departments play a vital function in guaranteeing the processes and procedures wanted for the correct onboarding and offboarding of workers are carried out appropriately. Usually, a lot of this work offers with the staff immediately, however there are additionally outdoors components, comparable to speaking with exterior groups to make sure sources and entry are both granted through the hiring course of or discontinued on the finish of employment.

Typically, a wrinkle within the communication with these exterior stakeholders could also be the place a safety threat first presents itself. If entry shouldn’t be arrange securely or taken away instantly upon an worker’s exiting the corporate, there will be holes the place knowledge could also be misplaced.  

Whereas the onboarding course of helps introduce an worker to the tradition, group, and total philosophies and instruments of the group, the offboarding course of helps handle the worker’s expertise when she or he leaves the group.

Correct offboarding ought to embrace all of the steps wanted to efficiently half methods with the worker so each the worker and the group have a optimistic expertise whereas defending priceless knowledge from being both exfiltrated or leaked.

Correct Offboarding Is Important for Good Cybersecurity

When efficient safety practices, the offboarding course of is a necessary a part of your group’s total cybersecurity apply. Improperly offboarding workers who’ve entry to your business-critical knowledge can result in a wide selection of information safety points, together with:

  • Knowledge loss—Knowledge might be deleted or deliberately destroyed by a former worker.
  • Knowledge leak—Delicate, business-critical knowledge will be unintentionally or intentionally leaked by a former worker who was not offboarded appropriately.
  • Compliance and regulatory violations—Staff who should not appropriately offboarded and who’re concerned with a knowledge breach can go away your group uncovered to additional problems.
  • Tarnished enterprise popularity—Misplaced buyer confidence and a tarnished enterprise popularity can have an untold fiscal influence on your corporation.
  • Wasted spend—Staff who should not offboarded appropriately could go away the group losing spend on pointless cloud accounts and different sources that would have been repurposed or discontinued altogether.

Experiencing any of the above outcomes of improper worker offboarding will be disastrous to your corporation.

Offboarding Processes Associated to Knowledge Safety

The very important offboarding processes which are immediately associated to the safety of your group embrace: 

  • Reclaiming property
  • Revoking worker entry to firm accounts
  • Migrating business-critical knowledge
  • Defending in opposition to knowledge exfiltration

Reclaiming property. Reclaiming property is an important a part of worker offboarding. Most workers who’ve spent any time with a company may have varied firm property of their possession. These could embrace the next:

  • Laptops
  • Exterior storage units
  • Cell units (cell phone, pill, and many others.)
  • Keys/fobs

Most workers as we speak are utilizing many alternative sorts of expertise to empower enterprise productiveness. At a really minimal, this will embrace a company-issued laptop computer and a cell gadget comparable to a cellphone. Expertise units comparable to laptops and cellphones will most certainly include enterprise knowledge that might be business-critical, delicate, or each.

Reclaiming firm property is usually step one within the offboarding course of. Many HR departments may have a “guidelines” of kinds to make sure firm property are returned earlier than the worker makes his or her exit.  

Revoking worker entry to firm accounts. Companies as we speak are using many alternative on-line instruments, companies, merchandise, and options. As an worker turns into a part of the group, there’s a good likelihood she or he could also be granted entry to methods and sources utilized by your corporation for business-critical duties.

A vital step within the offboarding course of is to revoke the worker’s entry to all firm accounts. Revoking entry helps to guard the enterprise from any actions taken by a former worker to break the enterprise, destroy knowledge, or leak delicate data. This additionally helps to guard the worker from any legal responsibility or implication in any knowledge leak or different cybersecurity occasion that occurs afterward.    

HR will usually work carefully with the IT division to coordinate the termination of entry to firm accounts. The worker’s entry could also be terminated after his or her final day of employment; nevertheless, this will differ relying in your group’s offboarding and safety insurance policies.   

Migrating business-critical knowledge. An space that may result in a substantial amount of complexity for organizations is the account and related knowledge of the worker leaving the group. That is very true with accounts that exist in public cloud software-as-a-service (SaaS) environments. The worker who’s exiting could have performed a key function in particular enterprise processes. The particular person might also produce other important knowledge linked to his or her cloud account.

Typically, organizations proceed to pay for the previous worker’s cloud account as a result of it’s simpler to pay for the license than migrate knowledge between accounts utilizing the native instruments offered within the cloud. Native instruments will be too cumbersome, problematic, or just nonexistent emigrate knowledge between consumer accounts successfully. This helps gasoline the issue of merely leaving current accounts of former workers somewhat than relocating them.  

Whereas this can be sustainable after one or two workers go away, the prices start so as to add up over time as workers come and go. Organizations can discover themselves paying for dozens, if no more, unused accounts to take care of entry to the account knowledge. A 3rd-party instrument can assist migrate knowledge between an current cloud SaaS account and one other consumer account within the cloud. This enables organizations to reclaim the spend on any unused accounts that will exist. It additionally helps consolidate and arrange business-critical knowledge successfully and effectively.

Defending in opposition to knowledge exfiltration. Defending in opposition to knowledge exfiltration by a leaving/former worker is extraordinarily necessary. Knowledge exfiltration is also called “knowledge theft,” or the stealing of information out of your group. This might be mental property, shoppers, priceless contacts, or paperwork the worker could need to take with her or him to make use of for his or her profit or the good thing about his or her new employer.

Other than merely stealing a company’s knowledge for use unscrupulously, knowledge exfiltration can doubtlessly result in an all-out knowledge leak. An information leak is arguably one of many costliest cybersecurity dangers that may have an effect on your corporation. An information leak occurs when delicate knowledge are leaked to the general public. Notice the next statistics from IBM’s 2020 “Cost of a Data Breach Report”:

  • The nation with the very best value of a knowledge breach—United States, $8.19 million
  • Highest trade common value—well being care, $6.45 million
  • Common time to determine and include a breach—279 days
  • Common measurement of a knowledge breach—25,575 data
  • Common per-record value for a knowledge breach—$150

Other than the prices of a knowledge breach, there will be compliance and regulatory fines and different monetary penalties levied in opposition to your group in case you are present in violation. The Common Knowledge Safety Regulation (GDPR) can levy fines as much as 20 million euros or 4% of the overall international turnover for extreme violations. The monetary penalties to your group for an all-out knowledge leak or a compliance violation are definitely not insignificant.

Sadly, in lots of instances, an worker who units out to exfiltrate knowledge to make use of elsewhere will start doing so earlier than saying his or her intent to depart. This makes it tough and unlikely that conventional HR processes for offboarding will successfully get rid of these kind of dangers just by reclaiming enterprise property from the worker.  

By the point the property are returned to the enterprise, any knowledge that could be exfiltrated may have already been copied by the worker to private storage domestically and even to a non-public cloud setting. Particularly in case your group is leveraging public cloud environments, it may be difficult to determine and acquire visibility to irregular habits, comparable to an worker downloading company knowledge to his or her native gadget or private cloud.   

That is the place expertise can assist bolster the processes and procedures in place from an HR perspective to forestall knowledge exfiltration from taking place by an worker who’s on the best way out. By leveraging current expertise options and having a transparent plan for the safe onboarding and offboarding of workers, organizations can mitigate a lot of the danger related to the transition of workers out and in of the corporate.

Dmitry Dontov is the Chief Expertise Officer and Founding father of Spin Technology, a cloud knowledge safety firm based mostly in Palo Alto, California, and a former CEO of Optimum Net Outsourcing, a software program growth firm from Japanese Europe. As a serial entrepreneur and cybersecurity professional with over 20 years of expertise within the safety and group administration, Dontov has a robust background within the cloud knowledge safety subject, making him an professional in SaaS knowledge safety who has a capability to affect groups. He’s an writer of two patents and a member of Forbes Enterprise Councils and YEC. AI & Blockchain fan.

Leave a Response