Sometimes it's mutual, other times it's not. Either way, it's inevitable: employees — entry-level and executive alike — come and go. Unfortunately, we often overlook the risks and vulnerabilities that employee turnover can introduce, particularly from an IT security standpoint.
Although disgruntled employees and whistleblowers raise the most alarm, don't be naive: not every outbound worker is an Edward Snowden or a Chelsea Manning, and risks aren't limited to bad intentions. Even people who leave on the best of terms can cause problems.
Consider, for instance, an employee who takes copies of a report he wrote, believing it might be of value to his professional portfolio. Two years later, he's looking for a new position and, with no sense of malice whatsoever, shares that portfolio during the interview process. Unfortunately, that document also happens to contain highly sensitive information — and the organization where he's interviewing happens to be a major competitor. It's all too common: an estimated 60% of employees admit to taking corporate data when they leave an organization.
Of course, that's just one example of what could go wrong: there are countless more. That's why organizations need a comprehensive, exhaustive strategy to manage employee exits. Let's look at some ways to prevent employee turnover from spiraling into organizational crisis.
Tip 1: Access Should Be Discussed and Planned ASAP
The moment someone submits a resignation letter, there should be immediate action. In theory, everyone knows this. Unfortunately, too few organizations have a cohesive, documented strategy for dealing with the problem in all its variations.
It's not just a matter of immediately removing access — nor is that always practical. If you fire someone, sure, lock down his or her accounts and change the passwords. But what about an employee who is simply transitioning from full-time to a consulting role with the organization? That person may need some access.
Taking effective action before someone leaves requires collaborative, preemptive effort and planning from multiple departments or teams. Business leaders should sit down with IT and HR staff to determine not only who notifies the appropriate parties that someone is leaving but also who's responsible for modifying that person's access and when.
Tip 2: If You're Not Immediately Removing Access, Start Tracking Activity
Once organizations know someone is leaving, they should begin tracking the employee's behavior until his or her departure, right up until access is denied. Take care to review any recent network activity even before that person handed in a resignation, when he or she was less likely to be monitored for suspicious activity. Many people will copy files and emails and take work they feel entitled to before they hand in their notice. After all, at the end of the day we're human beings who, after investing so much time and effort in our work, don't want to relinquish our rights to it.
Effective behavior tracking requires your IT and security operations teams to prioritize monitoring the individual's actions — which they can't do until they know the person is leaving. If necessary, IT staff can categorize a user's activities so that behaviors typically deemed low-risk receive more attention.
If possible, look as far back as your resources allow. Doing so requires the ability to track specific downloads and file types by user over that whole period. Fortunately, many organizations already have the tools to do this.
If data lives in the cloud, organizations should consider investing in a cloud access security broker or next-generation firewall. If not, network anomaly detection is another alternative.
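The review described in Tip 2 (watch a departing employee's downloads during the notice period, and look back at the weeks before the notice was handed in) can be expressed as a small detection pass over file-access logs. The following is an added example and not code from the article; it assumes a constructed offboarding roster, a constructed key=value log format with per-event byte counts, and made-up thresholds (a 30-day lookback, a 50 MiB "large transfer" threshold, and a list of file extensions treated as sensitive). It also flags any activity after the agreed last day, which is the signal that access was never actually revoked.

```python
import os
import re
from datetime import date, datetime, timedelta

# Constructed offboarding roster: user -> (date notice was given, agreed last day).
# The names and dates are made up for this example.
OFFBOARDING = {
    "jdoe": (date(2024, 3, 4), date(2024, 3, 18)),
}

# Assumed review parameters; tune to the organization's own data.
LOOKBACK_DAYS = 30                      # how far before the notice date to review
LARGE_DOWNLOAD_BYTES = 50 * 1024 * 1024 # 50 MiB
SENSITIVE_EXT = {".xlsx", ".docx", ".pdf", ".csv", ".pst"}

# Assumed log format: "<ISO timestamp> user=<u> action=<a> path=<p> bytes=<n>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log lines covering the cases the checks care about.
SAMPLE_LOG = """\
2024-02-20T09:12:01 user=jdoe action=download path=/finance/q4_forecast.xlsx bytes=2400000
2024-02-28T18:40:22 user=jdoe action=download path=/exports/customers.csv bytes=73400320
2024-03-05T10:02:13 user=jdoe action=download path=/hr/handbook.pdf bytes=512000
2024-03-19T08:00:00 user=jdoe action=download path=/finance/ledger.csv bytes=1024
2024-03-06T11:30:00 user=asmith action=download path=/exports/customers.csv bytes=73400320
2024-03-06T12:00:00 user=jdoe action=view path=/wiki/onboarding.md bytes=0
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "action": m["action"],
        "path": m["path"],
        "bytes": int(m["bytes"]),
    }


def classify(event):
    """Return the list of reasons an event deserves review ([] means ignore)."""
    window = OFFBOARDING.get(event["user"])
    if window is None:
        return []                       # not a departing user
    notice, last_day = window
    day = event["ts"].date()
    if day > last_day:
        # Anything after the agreed last day means access was not cut off.
        return ["activity after last day (access not revoked?)"]
    if event["action"] != "download" or day < notice - timedelta(days=LOOKBACK_DAYS):
        return []                       # not a download, or outside the lookback
    reasons = ["pre-notice download" if day < notice else "notice-period download"]
    ext = os.path.splitext(event["path"])[1].lower()
    if ext in SENSITIVE_EXT:
        reasons.append(f"sensitive file type {ext}")
    if event["bytes"] >= LARGE_DOWNLOAD_BYTES:
        reasons.append(f"large transfer ({event['bytes'] // (1024 * 1024)} MiB)")
    return reasons


def review(log_text):
    """Run the checks over a log and return (user, timestamp, path, reasons) tuples."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            findings.append((event["user"], event["ts"].isoformat(), event["path"], reasons))
    return findings


if __name__ == "__main__":
    for user, ts, path, reasons in review(SAMPLE_LOG):
        print(f"{ts} {user} {path}: {'; '.join(reasons)}")
```

On the sample log this flags only jdoe's events: two downloads in the lookback window before the notice date (one of them a 70 MiB export), one sensitive download during the notice period, and one download the day after the last day, which points at an access-removal step that never happened. The same user's non-download activity and the other user's identical export are left alone, which keeps the review focused on the people whose departure is actually planned.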
Tip 3: Inform Employees of Their Access
Looking down from the top, organizational leaders often don't realize the extent of their employees' access — including whether they have access to data they shouldn't. And, of course, no matter what restrictions you put in place, human beings inevitably find their way around them if they think it will make things faster and easier.
Ultimately, you should know every employee's access level well before that resignation letter drops. This requires sitting down with individuals or teams to understand their duties and responsibilities — along with what kind of data they need to fulfill them. A paper checklist isn't enough: you need a face-to-face, deep-dive meeting to gauge access, system usage, and, most importantly, whether the individual is doing anything outside the job description.
Without this, organizations will never have a full understanding of how employees use the network and which parts they use, including those employees with one foot out the door. Consequently, whenever employees leave, those responsible for cleaning up will again and again find themselves scrambling to figure out where their access needs to be cut, while simultaneously looking for theoretical warning signs — a time-consuming and, without a solid strategy, often fruitless task.
In short, managing the exit of employees doesn't just happen. It requires a collaborative, organization-wide plan with the right processes and systems in place and ready for action. The alternative is a chaotic, last-minute scramble requiring significant effort and reduced productivity for those left behind to pick up the pieces.