Having to fire someone is seldom fun. Or perhaps an employee has decided to move on or retire. Whatever the cause, you should have a cybersecurity policy in place to immediately respond to an individual’s termination of employment.
When someone is leaving your organization, you may have advance notice, or you could be in a situation where you need to react immediately. Whether the individual is being feted in a farewell that involves cake or he or she is escorted to a cubicle to quickly fill a cardboard box with possessions, it’s important to consider the cybersecurity implications of this relationship’s end.
When considering employee termination from an IT perspective, be aware:
- People can be an asset in maintaining effective security.
- They can pose a great threat to data security and confidentiality.
- Terminated employees in particular may jeopardize cybersecurity if they are dissatisfied with their employment or termination.
Even employees who voluntarily separate from your organization can endanger corporate data or personally identifying information. In 2016, the Federal Deposit Insurance Corp. (FDIC) acknowledged an employee departed its agency with a storage device containing data and information relating to 44,000 customers.
The employee had “inadvertently and without malicious intent” downloaded sensitive data onto a personal storage device. The breach was apparently innocent and had little impact beyond reputation damage; the former employee returned the storage device, signed an affidavit the information wasn’t used. Yet the download wasn’t discovered for three days—that’s a lot of time for something bad to happen.
Precautions Your Organization Should Take
There are several important steps to take in securing your organization’s data, systems, network, and more.
1. Notify IT.
Department managers or employee supervisors must notify IT immediately of any employee terminations or endings of contractor or vendor relationships. The IT team must know to revoke access to the premises or networks and systems for any individual who no longer has cause to be onsite or using your information systems.
2. Revoke access.
The terminated user’s ID and password, keycard, and other security clearances ought to be revoked effective immediately upon the separation. This also means taking back keys, parking passes, and electronic access badges.
Retrieve hardware, software, data, access control items, and other documentation that the user might possess. The FDIC example reminds us this includes thumb drives!
4. Verify retrieval.
Arrange for an exit briefing with the individual to discuss any security/confidentiality concerns and remind him or her of the continued need to protect data security and continue to abide by any confidentiality agreements.
5. Delete accounts.
Confirm the employee’s access is terminated on all system accounts such as:
- VPN/Remote Access
- Voicemail system
- Web-meeting & collaboration accounts
- Application accounts
- Financial accounts
- Company information/data backups
- Company owned social media accounts or web properties.
Revoking access for privileged users should also include review of:
- Database accounts
- Application level service accounts
- Accounts with shared passwords
- Network/Router passwords
- Generic test accounts
- Remote access accounts including VPNs, jump boxes or even analog modem connections.
6. Keep records.
Track termination procedure steps to confirm their completion and to verify any compliance standards regarding termination security policies.
7. Audit accounts.
Don’t just walk the individual to the front door with a security escort. Also check your virtual doors for security. Immediately audit the individual’s account(s) to detect any confidentiality threats or breaches.
Keep in mind that someone who gives notice will need continued access during their final days. In consultation with IT, the employee’s supervisors, and HR, key decision-makers might decide to stagger the taking away of access for the remaining days of employment.
Plan Ahead for A Breach
Any former employees with continued access to your organization’s network or data represents a security threat — no matter the terms of their departure or how otherwise nice and honest they may be. Although in a majority of situations, the former employee wouldn’t plan to harm your systems or release confidential data, information security can still be compromised — even if your organization dutifully carries out all of the above precautions. This means it’s important also to have a response procedure in place.
If your organization detects or suspects a breach, it is important to have a policy in place to:
- Minimize the frequency and severity of incidents.
- Provide for early assessment and investigation before crucial evidence is gone.
- Quickly take remedial actions to stop the breaches, correct the problems, and mitigate damages. Implement measures to prevent recurrence of incidents.
- Facilitate effective disciplinary actions against offenders.
Additionally, clearly identify the correct information security contact who will be notified to terminate access. Have a strictly enforced procedure outlining this person’s responsibilities as far as researching, documenting, and revoking access in a timely fashion.
RedTeam Security supports your organization’s security. With application, network, physical premises penetration testing, red teaming services, and consultants in social engineering, our experts can help you understand the true strength and effectives of your cybersecurity profiles. Reach out today and let’s see how we can work together.