Skip to main content
Cybersecurity Policies When It's Time To Say

Having to fire someone is seldom fun. Or perhaps an employee has decided to move on or retire. Whatever the cause, you should have a cybersecurity policy in place to immediately respond to an individual's termination of employment.

When someone is leaving your organization, you may have advance notice, or you could be in a situation where you need to react immediately. Whether the individual is being feted in a farewell that involves cake or he or she is escorted to a cubicle to quickly fill a cardboard box with possessions, it's important to consider the cybersecurity implications of this relationship's end.

When considering employee termination from an IT perspective, be aware:

  • People can be an asset in maintaining effective security.
  • They can pose a great threat to data security and confidentiality.
  • Terminated employees in particular may jeopardize cybersecurity if they are dissatisfied with their employment or termination.

Even employees who voluntarily separate from your organization can endanger corporate data or personally-identifying information. In 2016, the Federal Deposit Insurance Corp. (FDIC) acknowledged an employee departed its agency with a storage device containing data and information relating to 44,000 customers.

The employee had "inadvertently and without malicious intent" downloaded sensitive data onto a personal storage device. The breach was apparently innocent and had little impact beyond reputation damage; the former employee returned the storage device, signed an affidavit the information wasn't used. Yet the download wasn't discovered for three days—that's a lot of time for something bad to happen.

Precautions Your Organization Should Take

There are several important steps to take in securing your organization's data, systems, network, and more.

1. Notify IT

Department managers or employee supervisors must notify IT immediately of any employee terminations or endings of contractor or vendor relationships. The IT team must know to revoke access to the premises or networks and systems for any individual who no longer has cause to be onsite or using your information systems.

2. Revoke access

The terminated user's ID and password, keycard, and other security clearances ought to be revoked effective immediately upon the separation. This also means taking back keys, parking passes, and electronic access badges.


3. Get your stuff back

Retrieve hardware, software, data, access control items, and other documentation that the user might possess. The FDIC example reminds us this includes thumb drives!

4. Verify retrieval

Arrange for an exit briefing with the individual to discuss any security/confidentiality concerns and remind him or her of the continued need to protect data security and continue to abide by any confidentiality agreements.

5. Delete accounts

Confirm the employee's access is terminated on all system accounts such as:

  • VPN/Remote Access
  • Email
  • Network
  • Voicemail system
  • Web-meeting & collaboration accounts
  • Application accounts
  • Financial accounts
  • Company information/data backups
  • Company-owned social media accounts or web properties.

Revoking access for privileged users should also include review of:

  • Database accounts
  • Application level service accounts
  • Accounts with shared passwords
  • Network/Router passwords
  • Generic test accounts
  • Remote access accounts including VPNs, jump boxes or even analog modem connections.

6. Keep records

Track termination procedure steps to confirm their completion and to verify any compliance standards regarding termination security policies.

7. Audit accounts

Don't just walk the individual to the front door with a security escort. Also check your virtual doors for security. Immediately audit the individual's account(s) to detect any confidentiality threats or breaches.

Keep in mind that someone who gives notice will need continued access during their final days. In consultation with IT, the employee's supervisors, and HR, key decision-makers might decide to stagger the taking away of access for the remaining days of employment.

Plan Ahead for A Breach

Any former employees with continued access to your organization's network or data represents a security threat — no matter the terms of their departure or how otherwise nice and honest they may be. Although in a majority of situations, the former employee wouldn't plan to harm your systems or release confidential data, information security can still be compromised — even if your organization dutifully carries out all of the above precautions. This means it's important also to have a response procedure in place.

If your organization detects or suspects a breach, it is important to have a policy in place to:

  • Minimize the frequency and severity of incidents.
  • Provide for early assessment and investigation before crucial evidence is gone.
  • Quickly take remedial actions to stop the breaches, correct the problems, and mitigate damages. Implement measures to prevent recurrence of incidents.
  • Facilitate effective disciplinary actions against offenders.

Additionally, clearly identify the correct information security contact who will be notified to terminate access. Have a strictly enforced procedure outlining this person's responsibilities as far as researching, documenting, and revoking access in a timely fashion.

RedTeam Security supports your organization's security. With application, network, physical premises penetration testing, red teaming services, and consultants in social engineering, our experts can help you understand the true strength and effectiveness of your cybersecurity profiles. Reach out today and let's see how we can work together.

Click To Schedule Your Free Consultation

Get a FREE security evaluation today and reduce your organization's security risk.
Schedule My Call Schedule My Call

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at (952) 836-2770 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.

Having trouble viewing the Scoping Questionnaire? Check to see if an ad-blocker is keeping the page from loading properly.

Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.
Contact Us