Closing the barn door when people leave your business
By Laura Haight
It used to be a lot easier. Someone left your company and IT took their computer, turned off their account access, collected their badge and called it done.
Not anymore. There are many more exposures you need to think about and be prepared for.
The first thing you have to wrap your mind around is that there is no difference between a voluntary and involuntary termination. The same procedures should be followed in every instance. Just because someone was a great guy but moved on does not mean you should be any less concerned about quickly and efficiently stopping his access to company files, online services or equipment.
Here’s a list of steps to take so you are prepared when any employee — from president to clerk — leaves your company.
Physical access security
This used to be easy when outgoing employees just turned in their keys. Today, you may have keys, badges, RFID chips, or even mobile apps. Most connected systems have an online database where you can set access for individuals. Make sure you know which employees have access to the database and remove their access.
Many small companies or non-profits may have one account shared by many people. That means a generic login and shared password. You have no way of knowing how many people could have this account login. Change the password on this account for everyone, if that’s the case.
If you use a mobile app instead of a card to access the building, you need to know if the employee has that app installed on their personal device. Hopefully, your app allows disabling access from an administrative account.
Oh yeah, and take their keys...
Asset inventory
Desktops, laptops, mobile phones, tablets, scanners, portable printers, cameras, oh my. Some remote employees may have equipment at home. Some have company smartphones or tablets. What muddies the waters is when work equipment does double duty as a personal device. Contacts are a particular challenge. We don’t have separate contact programs for work, family, or friends. We just have “contacts”.
Yet employees, particularly those involved in sales or marketing, should not be able to walk off with key contacts that you might not have anywhere else. This is a good reason to require that employees keep their work smartphone separate from their personal one. Yes, it’s a pain for them. That’s why we call it “work”.
Either way, you have to know what they have in order to get it back. Mobile device management tools from providers or hardware companies (like Apple) should enable you to wipe the devices remotely, but then you have lost the opportunity to capture contacts, emails, proposals or any other work product.
Online services
Again, smaller businesses may be very vulnerable here by having a single shared account. This is not a safe practice. But in the event you do, every time someone leaves the company you should change the password. Don’t try to guess at whether or not this is something they would have ever used, or something that they may want to get into for company information now that they are gone. It is safer and faster to change the password. It’s also a good way to reduce the pool of people who may have access. Provide the password to people you know should have it. That will automatically reduce the number of unauthorized people with access.
Social media
This is one we don’t think about as much. Take a look at your Facebook account under Manage Admins. You might be surprised at who you find is an administrator. It could be someone no longer with your company. It could be someone who filled in once when the marketing staff was tied up but really has no good reason to be an admin. Then think about all your social media (not just those you use). Sure, you’ll change the password on Twitter. But what about Instagram, SoundCloud, Storify, Pinterest? Also check your LinkedIn company page and remove anyone no longer in your firm. You can’t control when, or even if, the employee will remember to update their own profile. LinkedIn must do this for you. But it’s worth it.
How can you keep track of all this? User management software like Microsoft Exchange or even Google Apps for Business will give you a dashboard to turn off and on many different accesses and set permission levels. But some things — like external online services, physical hardware, etc. — must be maintained separately. An employee spreadsheet or database that keeps all this information in one place will make it easier to work through best practices when someone leaves.
It’s also easier if you reinforce practices like not allowing generic logins or password sharing among your staff. These are often the places where the biggest exposures originate.
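The employee spreadsheet suggested above can drive the departure checklist directly. The sketch below is an added example, not part of the original column; the column names, category values and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample inventory: one row per person per thing they can reach.
# Column names and category values are assumptions made for this example.
SAMPLE_INVENTORY = """holder,category,item,shared
alice,physical,Front door badge,no
alice,asset,Company laptop,no
alice,social,Facebook page admin,no
alice,online,Accounting service login,yes
bob,online,Accounting service login,yes
bob,physical,Front door badge,no
carol,online,Stock photo site login,yes
"""

def offboarding_plan(inventory_csv, departing):
    """Return a sorted list of (item, action) steps for one departing person."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    plan = set()
    for row in rows:
        item = row["item"]
        if row["shared"].strip().lower() == "yes":
            # Shared logins are rotated on every departure, whether or not the
            # leaver is listed: nobody knows how far the password has spread.
            keep = sorted({r["holder"] for r in rows
                           if r["item"] == item and r["holder"] != departing})
            plan.add((item, "change password; reissue to: "
                      + (", ".join(keep) or "nobody listed")))
        elif row["holder"] == departing:
            if row["category"] == "asset":
                # Copy work product off the device before any remote wipe.
                plan.add((item, "collect device; save contacts and files; then wipe"))
            elif row["category"] == "physical":
                plan.add((item, "collect or deactivate"))
            else:
                plan.add((item, "remove this person's access or admin role"))
    return sorted(plan)

if __name__ == "__main__":
    for item, action in offboarding_plan(SAMPLE_INVENTORY, "alice"):
        print(f"{item}: {action}")
```

Every shared login appears in the plan even when the departing person is not listed against it, which matches the advice not to guess at who ever used a generic account.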