When an employee leaves an organisation, voluntarily or not, it’s not uncommon for the organisation to forget to remove their access to systems and accounts. In fact, recent research has found that only 24% of companies follow strict post-employment processes to ensure that employees no longer have access to company-sensitive information once they have left.
An ex-employee with access to corporate information can be very dangerous.
If, for example, someone in sales decides another organisation can offer them a better deal, it’s important that you do your best to ensure they don’t take their clients with them.
If a member of the IT team is dismissed, then there’s the risk that they log into your systems in the future and move a few things around, or, worse, delete everything.
If someone in marketing leaves but access to social media accounts remains the same, then damaging updates could be sent out.
None of these examples are new; they’ve happened a countless number of times.
Whose responsibility is it to remove access?
Depending on what needs to be removed or changed, the responsibility will lie with several people. In most cases the majority of the responsibility will sit with HR. I struggle to see a scenario where HR wouldn’t be aware of an employee leaving, but it’s not uncommon for someone to leave without IT having any knowledge of it.
HR should be responsible for making those who need to know aware of an employee’s departure, after which the user termination process needs to kick in.
It’s no good just saying that a certain person or business area is responsible, though: you need to have a process in place that will ensure that those who need to know about a departure are informed and are able to do what’s needed.
ISO 27001, the best-practice specification for an information security management system, looks at user termination, and covers the return of assets and the removal of access rights.
Exit interviews are regarded as best practice and can be useful for information gathering, as employees leaving the company may feel they have “less to lose” by disclosing information if they are leaving anyway.
One of the most reliable and simple ways of reducing the risk to an acceptable level is business process automation: that way, no one needs to DO anything, because the systems in place do it for them.
To give an example, HR are responsible for ensuring employees get paid on time. If an employee is leaving the organisation, HR will therefore be informed so that payroll is correctly processed and documents such as P45s are produced. It is therefore safe to assume that the HR system will be updated with the leaver’s end-of-employment date. That date can be sent automatically to the identity and access management system, usually something like Microsoft Active Directory or another LDAP directory, to close down the user’s logon account and prevent inadvertent access to sensitive information. The same trigger can also be sent to the access control system to terminate physical access to the building, all in a single step.
The above example is a very simple one, but very few companies have this level of automation in place, despite having all the individual pieces of technology, knowledge and resource to achieve it.
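The HR-driven trigger described above, written out as an added example (this is not code from the original post or from any real HR or directory product): the HR export's end-of-employment date is the single source of truth, a reconciliation step finds leavers whose logon account is still enabled or whose badge is still active, and the resulting actions are applied to both stores in one pass. The CSV export, the in-memory directory and badge stores, and the employee records are all constructed stand-ins; a production version would replace the two `apply_actions` branches with calls to the directory (an LDAP modify of the account's enabled flag, for instance) and to the access control system's own API. It also goes slightly beyond the post by flagging enabled directory accounts that have no HR record at all, since the HR trigger can never fire for those.

```python
"""Leaver reconciliation: the HR end-of-employment date drives account
disablement and badge deactivation. All data here is constructed."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR export. An empty end_date means still employed.
HR_EXPORT = """employee_id,name,end_date
1001,Alice Example,
1002,Bob Example,2023-03-31
1003,Carol Example,2023-04-15
1004,Dan Example,2023-05-01
"""


@dataclass
class DirectoryAccount:
    """Stand-in for an AD/LDAP user object."""
    employee_id: str
    logon_name: str
    enabled: bool


@dataclass
class Badge:
    """Stand-in for a physical access control credential."""
    employee_id: str
    active: bool


def sample_directory() -> dict[str, DirectoryAccount]:
    """Constructed snapshot: 1002 left weeks ago but is still enabled,
    1003 was already disabled, and 9999 has no HR record at all."""
    accounts = [
        DirectoryAccount("1001", "alice", True),
        DirectoryAccount("1002", "bob", True),
        DirectoryAccount("1003", "carol", False),
        DirectoryAccount("1004", "dan", True),
        DirectoryAccount("9999", "svc-legacy", True),
    ]
    return {a.employee_id: a for a in accounts}


def sample_badges() -> dict[str, Badge]:
    """Constructed snapshot of the door controller's credential list."""
    return {eid: Badge(eid, True) for eid in ("1001", "1002", "1003", "1004")}


def parse_hr_export(text: str) -> dict[str, date | None]:
    """Map employee_id -> end_date (None while still employed)."""
    result: dict[str, date | None] = {}
    for row in csv.DictReader(io.StringIO(text)):
        end = row["end_date"].strip()
        result[row["employee_id"]] = date.fromisoformat(end) if end else None
    return result


def find_leavers(hr: dict[str, date | None], as_of: date) -> set[str]:
    """Employees whose end of employment is on or before as_of."""
    return {eid for eid, end in hr.items() if end is not None and end <= as_of}


def reconcile(hr, directory, badges, as_of: date) -> list[tuple[str, str]]:
    """Return (employee_id, action) pairs needed to close out leavers,
    plus a review flag for enabled accounts with no HR record."""
    actions = []
    for eid in sorted(find_leavers(hr, as_of)):
        acct = directory.get(eid)
        if acct is not None and acct.enabled:
            actions.append((eid, "disable_account"))
        badge = badges.get(eid)
        if badge is not None and badge.active:
            actions.append((eid, "deactivate_badge"))
    for eid in sorted(directory):
        if eid not in hr and directory[eid].enabled:
            actions.append((eid, "review_orphan_account"))
    return actions


def apply_actions(actions, directory, badges) -> int:
    """Apply the automated actions to the two stores; orphan accounts are
    left for a human to review. Returns the number of changes made."""
    applied = 0
    for eid, action in actions:
        if action == "disable_account":
            directory[eid].enabled = False
            applied += 1
        elif action == "deactivate_badge":
            badges[eid].active = False
            applied += 1
    return applied


def run_reconciliation(as_of_iso: str) -> dict:
    """Run the whole leaver process against the constructed sample data."""
    hr = parse_hr_export(HR_EXPORT)
    directory, badges = sample_directory(), sample_badges()
    actions = reconcile(hr, directory, badges, date.fromisoformat(as_of_iso))
    applied = apply_actions(actions, directory, badges)
    return {"actions": actions, "applied": applied,
            "directory": directory, "badges": badges}


if __name__ == "__main__":
    result = run_reconciliation("2023-04-30")
    for eid, action in result["actions"]:
        print(f"{eid}: {action}")
    print("changes applied:", result["applied"])
```

Running it with an as-of date of 2023-04-30 produces two actions for the leaver whose account was missed, a badge deactivation for the one whose account was already disabled, and a review flag for the orphan account; the employee whose end date is still in the future is left untouched, which is the check worth scheduling daily rather than relying on someone remembering to do it.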
Excellent post! You are absolutely correct in that HR must communicate with IT departments to ensure employee access is cut off before companies run into problems. Then you have to worry about knowledge gained by former employees and how they can exploit such knowledge in the future, which is another bag of worms.
Agree with comments above. Unless you are a small/medium-size company and have effective user access management processes in place, business process automation with effective interfaces with HR systems is the best way to minimize any potential risks.
Of course, business management education should also play a key part in ensuring local business processes are effective and working as it should be at all times.
Ideally, a local business security champion should be identified with delegated responsibility for education and auditing the effectiveness of implemented processes in the business.
Sure, companies tend to have all the technologies, knowledge and resources. But sometimes they also ‘fall over’ because ownership responsibilities are not clearly defined within the business and IT.
Good post!! Actually the problem is people don’t have security awareness; they don’t know how much these things matter. Most companies/organizations don’t have policies and procedures, so they can’t cater for their companies’ risks. IT companies should apply best practices, and yes, ISO 27001 is very effective. I’m doing research in this area, “Role of Information Security Awareness and Knowledge Sharing in IT sector”. I’m trying my best to give good output.
With the current national and international regulatory environment as a backdrop, contracted and in-house HR has become de rigueur for even moderately sized organizations. This puts HR at a distinct disadvantage in terms of making informed off-boarding decisions affecting access to company information resources. Department heads have people working for them that came from another group or were hired by someone else, contractors that answer to other parties, and so on. An HR staffer I know of recently left a fairly large organization and was found to have been accessing company databases after being off-boarded, by the HR team s/he worked for; I’m not sure you can make this stuff up.
Exit interviews are a weak and unreliable mechanism wherever and whenever an exiting employee or contractor is [naturally] unprepared to inventory their permissions and access to assets under the stress of just such an interview, or has malicious intent.
Comprehensive identity management rises to the surface as the only believable instrument that represents due care, while giving management a fighting chance at the consistent, effective closure of front, back, and side doors when someone moves on.
The specific business unit should initiate the off-boarding process. That should trigger an out-processing step at HR. An employee has physical access just as they would have access to computer systems and company data. The more complex the organization, the more critical it becomes to ensure an employee is removed from all touch points within an organization. The best way to do that is a comprehensive on-boarding and off-boarding checklist that starts with HR (after business unit notification) and ends with HR after making all the rounds within the organization that manages or controls those touch points. Sound policy and procedures are key to success! As for the best practice of conducting an exit interview, I agree; however, not all employees leave an organization on a friendly basis!
Good post. Irrespective of the size and complexity of the organization, it is prudent to have the roles and responsibilities clearly identified and communicated to all the stakeholders. As an ongoing process, a mechanism for measuring the effectiveness of process implementation should be established to gauge the controls implemented, through reviews and assessments (self; internal; cross-functional).
Interesting thread and one that highlights the issue many organisations struggle with – accountability. Of course HR have a role to play in this, as do IT given their responsibility for network security, but the units most likely to be “hurt” by this will be the business unit and the technical discipline. An exit process should involve all parties/stakeholders and review all of the exposures and actions necessary to minimise the risk.