If an employee decides to pursue another job during the coronavirus pandemic, organizations must be prepared to keep proprietary data and company technology safe.
With COVID-19 shaking up employment, many teams are facing furloughs and layoffs. Some employees, however, are also opting to leave their jobs during this chaotic time. No matter the reason, companies must have the proper plans and security in place for an employee’s departure.
Companies have been forced to quickly adapt to remote work because of the coronavirus, many of which have never worked entirely remotely previously.
“Organizations are frantically trying to enable existing workforces to become full-time remote workforces,” said Arun Kothanath, chief security strategist at Clango, an identity and access management (IAM) consultancy. “This requires organizations to rapidly roll out VPNs and authentication technologies, such as multi-factor authentication, while enabling employees to be able to connect to mission-critical assets from their remote workstations.”
While equipping employees with secure connections is one of the crucial first steps to launching a remote workforce, businesses must also consider how to rescind such access upon employee termination or departure.
“The only way to secure critical business data is to control the access to it,” Kothanath said. “When an employee is terminated or informs the organization they are leaving for another company, there must be a way for an IT manager to immediately revoke the employee’s access.”
Neal Taparia, co-founder of SOTA Partners, said he once experienced an employee send themselves sensitive business information upon figuring out their employment would be terminated.
To help prevent other organizations from facing similar situations, Taparia and other experts outlined the following best practices for keeping company information and hardware secure in the event of an employee leaving.
IT’s responsibility for when an employee departs the company
Remove email access
After Taparia’s bad experience, he said the first thing his company does is shut off access to the employee’s email, that way the employee can’t send themselves items.
“We’ll also quickly peruse the type of activity they’ve had in their Google accounts. We use the Google Apps Productivity Suite, and it gives you some administrative abilities to see what’s going on,” Taparia said.
“We’ll look for any type of suspicious behavior, and we’ll try not to signal to [employee] that we’re going to have this tough conversation so they have time to [transmit sensitive files],” he added.
Confiscate company hardware
One problem employers might run into is how to retrieve company hardware from its remote workers.
Taparia said companies should make this process easy. His organization provides a box with a shipping label for the worker to send their items. He also said to guarantee the employee sends hardware back, his organization leverages severance.
“We try to get them a box with a shipping label as fast as possible, and we’ll tell them, ‘We want to give you the severance, but we do need that equipment back as soon as possible. If you want full severance, we need that back ASAP, and we’re going to make it as easy for you as it is possible to put it in the box and put the shipping label on it and just get it back to us,'” Taparia said.
Return in-office items
Since many companies were forced into remote work with COVID-19, employees may still have belongings in the office they need upon termination or departure.
“We told the employee we let go that we’d return their personal items via Fedex when we deemed it safe to return to the office again,” Taparia said.
“If it’s urgent, I still wouldn’t recommend compromising any of your staff to go to the office to return personal items. Right now, risking your health is outside of anyone’s responsibilities,” Taparia added.
Eliminate all digital accounts
The last component to consider is the employee’s various digital accounts. Just because they leave your organization, that doesn’t mean they may not try to access various accounts from personal devices.
“You need to consider all the digital assets they have remote access to as well,” said Finn Faldi, president at TeamViewer Americas, an enterprise remote access and support provider.
“Single-sign on and conditional access tools can provide you with one of the most secure environments to help you manage who gets access to what digital assets,” Faldi said. “If you have these tools in place as part of your remote connectivity solution, you can turn off all access to all company systems in real time as individual employees are off-boarded.”
Additionally, organizations that have an IAM program in place can easily revoke employee access to critical business data and assets, from anywhere, Kothanath added.