We think we can all safely say that 2020 has been an interesting year in terms of workplaces and employee IT access. With businesses dealing with furloughed staff, teams working from home, workers on temporary contracts, the potential of redundancies, and employees deciding to follow alternative career paths, there have definitely been more people moving between jobs. So, once they’ve handed back their keys and their ID cards, it’s important to make sure that you remove all their digital privileges too, which includes wiping key and access cards.
No-one wants to think that employees retiring or leaving could be a security risk, but with cybercriminals using increasingly sophisticated methods, it takes just one phishing email to an ex-staff member who still has access to your IT systems, and your best defences could come tumbling down. Implementing an IT Security Checklist as part of your Employee Exit Strategy can help to ensure Cyber Security and GDPR compliance.
We’ve compiled a few suggestions for you to check off in any instance that a member of staff leaves your employment.
Communicate with key team members
Giving your IT team a heads up allows them to plan and schedule as smooth an exit as possible, tying up any loose IT access strings. This also provides an opportunity to ensure that emails are forwarded to appropriate team members and that important documents can still be accessed by relevant remaining staff.
Email and Phone Access
While it’s vital that you remove access to all emails that the departing employee may have had access to, we don’t recommend deleting their email accounts immediately. Their email account will undoubtedly contain information that your company may need to access in the future and could be a main point of contact for suppliers and clients.
Instead, we recommend changing the passwords for the account, removing access from any mobile devices that the employee may have used, such as phones, and setting up an auto-forward or mailbox monitoring.
If the staff member has had access to WAP calling through their mobile device, again it’s advisable to remove their access but keep the line running in case suppliers or customers use it as a point of contact.
Change social media and website passwords
If the departing staff member had access to any social media accounts, Google My Business, or your company website you must change the passwords for those accounts. This is also important if the passwords have been used as logins for other systems or accounts. You should also remind the exiting staff member to update their LinkedIn profile to reflect that they have now left your business and remove any links between their personal accounts and your company’s accounts.
Ensure that systems access is removed
It’s good practice to regularly audit internal systems access, so a staff departure is an ideal time to check access permissions for all your team. During this process you should also then remove access for any members of the team who have left your employment.
The same goes for cloud storage
During lockdown it is very likely that you encouraged your remote workers to use cloud storage such as Google Drive, iCloud or Dropbox. Check whether any folders have been shared with non-company email addresses and remove that access. Additionally, if the staff member used their personal devices for business purposes, check them and make sure that the permissions have been removed from those as well.
Whilst doing this you should also check that no company files have been stored on personal devices. If there are any, get them copied and transferred to a safe company place before deleting the originals.
Return company equipment
You should already have a register of all allocated assets such as laptops and phones, particularly if you have remote workers using company equipment. Any equipment that the employee has should be returned and ticked off against the register.
Change shared passwords
Although we never recommend sharing passwords throughout a company, we know that it can happen. If you do share passwords, we recommend that you stop doing so in the interests of cybersecurity, and if you have an employee leaving and have shared passwords, that you change them immediately.
Additionally, if you have any generic or easily guessable passwords you should change those too.
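The checks described under systems access, cloud storage and shared passwords above can be run against exports from your systems, as in this added Python example (not part of the original post). The domain, addresses, field names and sample records are all constructed assumptions; substitute your own HR leaver list, account list, share list and password register.

```python
from datetime import date

COMPANY_DOMAIN = "example.com"  # assumption: your organisation's mail domain

# Constructed sample exports (HR leaver list, account list, share list, password register).
LEAVERS = {"j.smith@example.com": date(2020, 10, 30)}  # address -> last working day
ACCOUNTS = [
    {"system": "email", "user": "j.smith@example.com", "enabled": True},
    {"system": "crm", "user": "j.smith@example.com", "enabled": False},
    {"system": "crm", "user": "a.jones@example.com", "enabled": True},
]
SHARES = [
    {"folder": "Finance/2020", "shared_with": "J.Smith@example.com"},
    {"folder": "Clients", "shared_with": "jsmith.home@example.org"},
    {"folder": "Clients", "shared_with": "a.jones@example.com"},
]
SHARED_PASSWORDS = [
    {"name": "social-media", "known_to": ["j.smith@example.com"], "changed": date(2020, 6, 1)},
    {"name": "website-admin", "known_to": ["j.smith@example.com"], "changed": date(2020, 11, 2)},
    {"name": "office-wifi", "known_to": ["a.jones@example.com"], "changed": date(2019, 1, 1)},
]

def norm(addr):
    """Compare addresses case-insensitively; exports often differ in casing."""
    return addr.strip().lower()

def audit(leavers, accounts, shares, passwords, domain=COMPANY_DOMAIN):
    """Return (finding, item, address) tuples for access a leaver could still use."""
    leavers = {norm(k): v for k, v in leavers.items()}
    findings = []
    for a in accounts:
        if a["enabled"] and norm(a["user"]) in leavers:
            findings.append(("ACCOUNT_STILL_ENABLED", a["system"], norm(a["user"])))
    for s in shares:
        who = norm(s["shared_with"])
        if who in leavers:
            findings.append(("SHARE_TO_LEAVER", s["folder"], who))
        elif who.rpartition("@")[2] != domain:
            findings.append(("SHARE_TO_NON_COMPANY_ADDRESS", s["folder"], who))
    for p in passwords:
        for who in map(norm, p["known_to"]):
            # A password last changed on or before the leave date is still known to the leaver.
            if who in leavers and p["changed"] <= leavers[who]:
                findings.append(("PASSWORD_NOT_CHANGED", p["name"], who))
    return findings

if __name__ == "__main__":
    for finding in audit(LEAVERS, ACCOUNTS, SHARES, SHARED_PASSWORDS):
        print(*finding, sep="\t")
```

An empty result for a leaver means every listed account is disabled, no share points at them or at a non-company address, and every password they knew was changed after their last working day.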
Access to bank accounts and authorities
If the employee was in a position to have access to bank account and credit card details or access to government portals, this should be rescinded. Supplier relationships and external purchasing facilities should also be removed.
While this list may seem daunting, it is there to keep your business cyber secure. The best line of defence is knowledge, understanding, and education, so if you know you’re doing things properly, you can gain some peace of mind. If you are interested in training yourself and your team to be more cyber security conscious, contact us to discuss our Cyber Essentials Accreditation package.
Guest blog by LP Networks Ltd