Employee Offboarding: 5 Security Guidelines for a Remote Workplace

Sreenidhe S.P

15th February, 2022


Taking a company's security into consideration, proper offboarding helps IT teams verify the confidentiality of the organization's data. Deprovisioning has to be a simultaneous process along with the other exit processes, such as exit interview, sendoff meeting, and knowledge transfer—to avoid any data breaches induced by ex-employees.

We have seen many cases a salesperson leaves the organization and still has access to the CRM system and visibility to all the deals. So you can imagine how detrimental it can be to your organization when they go and join the competitors.

Like onboarding, proper offboarding is also an important and detailed process an organization needs to follow for a conflict-free end to the professional relationship with the leaving employee.

The IT team needs to cancel the employee's access to all the SaaS apps and other official accounts and sign the offboarding disclosures when quitting the organization. 

Taking a company's security into consideration, offboarding helps the IT team to confirm the confidentiality of the organization's data. Senior-level employees can have access to financial, legal, and intellectual property rights data. Therefore, the sooner the access is terminated, the safer it is for the company.

Deprovisioning has to be a simultaneous process along with the other exit processes, such as paperwork, exit interview, sendoff meeting, and such to avoid unnecessary access to the company’s network. 

According to a OneLogin report, “32% of companies reported taking more than a week to deprovision employees from SaaS apps who have left.” Also, “failure to deprovision employees from corporate applications contributed to a data breach at their organization.”

Here is an employee offboarding checklist your IT team can adhere to when an employee is leaving the company.

5 Security Guidelines for an IT Offboarding Checklist

7 Security Guidelines for an IT Offboarding Checklist

These seven security guidelines focus on the SaaS application security of an organization and discuss asset recovery, password resetting, data management, etc. Let’s look at them one by one.

1. Recover Company Assets: A System-of-Record is a Must for Offboarding to Take Place Properly, Each Time

Almost all employees use some kind of the company's services and assets in today's remote working system. For example, they may be provided with laptops, desktops, mobile phones, SaaS subscriptions, and access to the company's confidential data.

When an employee is to leave the job, it is vital to surrender all the given assets and equipment. The IT team needs to verify that all the assets have been collected. 

Though many companies keep a list of hardware assets and to whom they have been given, that is not true for software subscriptions. Even if they are keeping an inventory of SaaS subscriptions, it is done in google sheets/Excels, Airtable, etc. This way of managing SaaS has many challenges

For example, you need to update the apps and licenses details every time there is a change in existing licenses, or a new app is purchased. Not only it is very time-consuming, but these sheets also have a lot of errors. Further, many tasks are not possible, like managing access permissions. 

So, IT teams have to keep a record of the software assets and their current holder. This is to avoid the loss of the company's belongings resultant data breaches. 

Hence, there are two important processes to be followed: consolidate and automate the termination process. 

Offboarding requires multiple tasks to go in parallel. Different departments, like HR, IT teams, etc., are involved in the process, and it requires these departments to work in sync. Consolidating the termination process facilitate a smooth transfer of responsibilities and data: 

To automate the offboarding, you need to first visualize the offboarding workflow. Then various tools, such as Zluri, can be used to notify the respective teams to do their part so that things can go in parallel or series as per your workflow. Besides saving time and effort, automating offboarding can protect your organization from insider security threats. 

2. Fortify Shared Applications and Update Applications’ Ownership

The next step to follow during offboarding is to change the system and application’s ownership and password used by the ex-employee.

This process helps to avoid data breaches and any damage to the organization's security and business. It is necessary to change the shared account’s password as all the team members would have been given access to the data. So, when one of the members leaves the job, the IT team should be intimated to change the shared account's password.

Note: Sharing account passwords within teams is definitely not recommended due to the security risks involved. Every user must have a separate account.

Finally, it is important to forward the ex-employee's email address to make other contacts/employees know the person's exit through an automatic reply and that a new employee will carry forward the role.

3. Backup the Data to Facilitates Smooth Transfer of Data and Responsibilities

Backup the Data to Facilitates Smooth Transfer of Data and Responsibilities

Data is a treasure for any organization. Therefore, keeping a backup of data in all the subscriptions accounts during offboarding is a must—at least for some time until the role has been replaced by a new joiner—to avoid data loss, knowledge transfer, and security reasons.

Here, an important point to consider is you need to be aware of all the SaaS apps the employee was using as most of the data resides in these apps. 

Today, employees sign up for 100s of SaaS apps to automate tasks and improve their productivity. When the IT teams are unaware of apps the employees are using; it seems like an impossible (almost) task. 

To overcome this issue, IT teams can use shadow IT discovery tools, like Zluri. Zluri's discovery engine comprises five methods to discover all the apps used in the organization with 100 percent accuracy at a user level. Discover all the apps with 100 percent accuracy.

Furthermore, with Zluri, you get purpose-built data migration features. For example, when terminating the user's Google account, the automation workflow in Zluri can take a backup of the account data and push it to AWS and store it there. 

4. Suspend Employee Licenses and Revoke System Access from SSO 

Suspend Employee Licenses and Revoke System Access from SSO

The organization has to pay attention to the suspension of the licenses that their ex-employees were given. When an employee leaves the job, and the company does not notice the SaaS and other official account accesses the person held, they will be paying for those unused accounts.

Such unnecessary expenses account for the invisible loss of the organization. Also, closing and deleting the account shall not sign off the account renewal; rather, the licenses have to be reclaimed immediately. This process will thwart the former employee from using the account for personal use or any malicious intention.

So, when employees leave the company, you need to disable these as most of them are used to Zoom, Google Teams, etc., for their official meetings, so neglecting these accesses might be risky at times.

The next most important step in an employee offboarding process is revoking system access of an ex-employee from IdP (Identity Provider), SSO (Single Sign-On), and SMP. Removing individuals' accounts will help your organization to re-assign their licenses. 

When it comes to deprovisioning, Zluri does the best job in the market. If you want to understand in detail how deprovisioning works, read this post: Deprovisioning: SSOs vs. Zluri.  Here's a summary of the post:

Deprovisioning via Zluri can be done with ease with a few clicks. The process takes place in the following four steps:

  1. First, we revoke the authentication from all the devices. So, if a user is signed in on three devices, the user can't access the app from any of these devices.

  2. Then, we transfer the data to another user or take a backup of the data. So, no data loss happens even though revoking the access is so easy from the admin perspective.

  3. Further, Zluri returns to the application and removes the user.

  4. Finally, we remove the signal sign-on and identity providers as well.

During deprovisioning, Zluri doesn't stop at SSO level authorization. It monitors the usage of the SSO system as well. For example, it monitors users for which apps they have access to, what level of permissions they have for the apps, their sign-in logs, audit logs, and access logs. If a user still has access to any app or has not been removed (in rare cases), Zluri alerts you that the user can still use the application. 

The next step in the onboarding process is to disable the remote access of the offboarding employee, such as VPN, remote desktop, etc. 

5. Disable the Employee’s Phone/Voicemail Account, if Any

Finally, make sure to remove the telephonic or voicemail account of the offboarding employee if they were assigned with any. 

Moreover, the IT team has to take care of the official contact details if shared outside the organization, so all the communications can go on smoothly. In the absence of a response from the person, the other party may try to reach their personal contact numbers, which can cause problems. 

To avoid such incidents, the voicemail passwords and messages must be changed and attended to by another person.

We have seen many cases a salesperson leaves the organization and still has access to the CRM system and visibility to all the deals. So you can imagine how detrimental it can be to your organization when they go and join the competitors.

Book a Demo

Table of contents

Discover shadow IT, optimize spends and govern user access in one platform.

Related Blogs

See More