<h1>The security aspect of employee offboarding</h1>
<p>Published 2023-08-22 at <a href="https://me-en.kaspersky.com/blog/employee-offboarding-and-cybersecurity/21566/">https://me-en.kaspersky.com/blog/employee-offboarding-and-cybersecurity/21566/</a>.</p>
<p>All large companies have formal processes for both onboarding and offboarding. These include granting access to corporate IT systems after hiring, and revoking that access when the employee leaves. In practice, the latter is far less effective: departing employees often retain access to work information. What are the risks involved, and how can they be avoided?</p>
<h2>How access gets forgotten</h2>
<p>New employees are granted access to the systems they need for their jobs. Over time, these accesses accumulate, but they are not always issued centrally, and the process itself is by no means always standardized. Line managers might grant access to systems without notifying the IT department, while chats in messenger apps or document-exchange systems get created ad hoc within a department. Poorly controlled access of this kind is almost certain not to be revoked when the employee is offboarded.</p>
<p>Here are some typical scenarios in which IT staff may overlook access revocation:</p>
<ul>
<li>The company uses a SaaS system (Ariba, Concur, Salesforce, Slack… there are thousands of them) that is accessed with a username and password the employee chose at first login, and that is not integrated with the corporate employee directory.</li>
<li>Employees share a common password for a particular system (often to save money with a single subscription, or because the system lacks a proper multi-user architecture). When one of them is offboarded, no one bothers to change the password.</li>
<li>A corporate system allows login with a mobile phone number and a code sent by text message. Problems arise if an offboarded employee keeps the phone number they used for this purpose.</li>
<li>Access to some systems is bound to a personal account. For example, administrators of corporate pages on social media often get access by having the corresponding role assigned to a personal account, so this access has to be revoked in the social network as well.</li>
<li>Last but not least is the problem of shadow IT. Any system that employees adopted and run themselves is bound to fall outside standard inventory, password-control and other procedures. Most often, offboarded employees retain the ability to collaboratively edit Google Docs, manage tasks in Trello or Basecamp, share files via Dropbox and similar file-hosting services, and read work and semi-work chats in messenger apps. That said, pretty much any system could end up on the list.</li>
</ul>
<h2>The danger of unrevoked access</h2>
<p>Depending on the employee's role and the circumstances of their departure, unrevoked access can create the following risks:</p>
<ul>
<li>The offboarded employee's accounts can be used by a third party for cyberattacks on the company. A variety of scenarios are possible here, from <a href="https://www.kaspersky.com/blog/what-is-bec-attack/34135/" target="_blank" rel="noopener nofollow">business email compromise</a> to unauthorized entry to corporate systems and data theft. Since the departed employee no longer uses these accounts, such activity is likely to go unnoticed for a long time. Forgotten accounts may also have weak passwords and lack two-factor authentication, which makes them easier to take over. No surprise, then, that forgotten accounts are <a href="https://www.csoonline.com/article/575347/inactive-accounts-pose-significant-account-takeover-security-risks.html" target="_blank" rel="nofollow noopener">becoming very popular targets for cybercriminals</a>.</li>
<li>The offboarded employee might continue to use the accounts for personal gain (accessing the customer base to get ahead in a new job, or using corporate subscriptions to third-party paid services).</li>
<li>Confidential information could leak (for example, if business documents are synchronized with a folder on the offboarded employee's personal computer). Whether the employee deliberately retained this access to <a href="https://www.bloomberg.com/news/articles/2023-02-15/ex-employee-for-chip-machine-maker-asml-stole-data-from-technical-repositary" target="_blank" rel="nofollow noopener">steal documents</a> or it was plain forgetfulness makes little difference. Either way, such a leak creates long-term risks for the company.</li>
<li>If the departure was acrimonious, the offboarded employee may use their access to <a href="https://www.securityweek.com/kansas-man-admits-hacking-public-water-facility/" target="_blank" rel="nofollow noopener">inflict damage</a>.</li>
</ul>
<h2>Additional headaches: staff turnover, freelancing, subcontractors</h2>
<p>Keeping track of SaaS systems and shadow IT is hard enough already, and the situation is made worse by the fact that not all company offboarding processes are properly formalized.</p>
<p>An additional risk factor is <strong>freelancers</strong>. If they were given some kind of access as part of a project, it is extremely unlikely that IT will promptly revoke it (or even know about it) when the contract expires.</p>
<p><strong>Contracting companies</strong> likewise pose a danger. If a contractor replaces one employee with another, the old credentials are often simply handed to the new person rather than deleted and replaced with new ones. Your IT service has no way of knowing about the change in personnel.</p>
<p>In companies with <strong>seasonal employees</strong> or simply <strong>high turnover</strong> in certain positions, there is often no full-fledged centralized on/offboarding procedure at all, just to keep the business operation simple. You therefore cannot assume that an onboarding briefing is given or a comprehensive offboarding checklist is followed. Employees in these jobs often use the same password to access internal systems, sometimes even written on a Post-it note stuck next to the computer or terminal.</p>
<h2>How to take control</h2>
<p>The administrative aspect is key. Below are a few measures that significantly mitigate the risk:</p>
<ul>
<li><strong>Regular access audits.</strong> Carry out periodic audits to determine what employees have access to. The audit should identify accesses that are no longer current or were issued unintentionally or outside standard procedures, and revoke them as necessary. A technical analysis of the infrastructure is not enough for an audit; surveys of employees and their managers should also be carried out in one form or another. This also helps bring shadow IT out of the shadows and into line with company policies.</li>
<li><strong>Close cooperation between HR and IT during offboarding.</strong> Departing employees should be given an exit interview. Besides the questions that matter to HR (satisfaction with the job and the company, feedback about colleagues), it should cover IT matters: request a complete list of the systems the employee used on a daily basis, and ensure that all work information is handed over to colleagues and not left on personal devices. The offboarding process usually involves signing documents that make the departing employee responsible for disclosure or misuse of such information. In addition to the employee, it is advisable to interview their colleagues and management so that IT and InfoSec are fully briefed on all of their accounts and accesses.</li>
<li><strong>Creation of standard roles in the company.</strong> This measure combines technical and organizational aspects. For each position and each type of work, you can draw up a template set of accesses to be issued during onboarding and revoked during offboarding. This lets you build a role-based access control (RBAC) system and greatly simplifies the work of IT.</li>
</ul>
<p>Technical measures that facilitate access control and raise the overall level of information security:</p>
<ul>
<li>Implementing <strong>Identity and Access Management (IAM) systems</strong> and <a href="https://www.kaspersky.com/blog/how-to-benefit-from-identity-security/48399/" target="_blank" rel="noopener nofollow">Identity Security</a>. The keystone here is a single sign-on (SSO) solution based on a centralized employee directory.</li>
<li><strong>Asset and inventory tracking</strong> to centrally track corporate devices, work mobile phone numbers, issued licenses, and so on.</li>
<li><strong>Monitoring of inactive accounts.</strong> Information security tools can apply monitoring rules that flag accounts in corporate systems that have been inactive for a long time. Such accounts must be reviewed periodically and disabled manually.</li>
<li><strong>Compensatory measures</strong> for shared passwords that cannot be avoided, such as changing them more frequently.</li>
<li><strong>Time-limited access</strong> for freelancers, contractors and seasonal employees. It is always best to issue them short-term access and to extend or change it only when necessary.</li>
</ul>