Employee offboarding procedures aren’t currently receiving a great deal of focus from business leaders. How do we know? Just ask Google.
A search for “employee offboarding” yields some 172,000 results, many of which are focused on how to deal with the loss of institutional and experience-based knowledge when an employee departs. The remaining results make employee offboarding appear overly simple by boiling down the process to an “offboarding checklist.”
And an offboarding checklist used to be a perfectly appropriate measure - 15-20 years ago, that is. Remember back when every hardware asset or software tool you used was at the office, on a corporate-issue computer?
No smartphones, no apps, no outside access - what a dream for IT. If staff left voluntarily or were let go, all the company had to do was hand an employee a box for their personal belongings. Maybe an exit interview if they were lucky. Ticking through the items on the checklist could happen after the fact, at IT’s leisure.
News flash: with the increase in mobility for all, business as usual has changed. Employees work remotely at unprecedented rates, using both corporate- and personal-issue devices. Cloud apps make it easier to get their jobs done anywhere, but they’re much harder for IT to track.
The state of employee offboarding is bleak, according to the 2014 Intermedia SMB Rogue Access Study. Here are some of the more distressing findings:
- 89% of those surveyed retained access to Salesforce, PayPal, email, SharePoint or other sensitive corporate apps.
- 45% retained access to ‘confidential’ or ‘highly confidential’ data.
- 49% actually logged into ex-employer accounts after leaving the company.
- 68% admitted to storing work files in personal cloud storage services.
And possibly the scariest one right here:
- 60% of respondents said they were NOT asked for their cloud logins when they left their companies.
You read that last one right - over half of employees didn’t receive a request for their SaaS platform logins.
And what’s more: the lack of structure and enforcement around employee offboarding has serious consequences. CIO magazine reports that one-fifth of companies surveyed have had data breaches directly attributed to ex-employees.
So what can organizations do to bring these numbers down (and secure themselves in the process)? First, they can start treating employee offboarding like the complex, constantly changing process that it is. Here are our recommendations:
Say Goodbye To Spreadsheets And Checklists.
We know, we know - those spreadsheet listings of assets and process checklists are like your security blanket. But know that they provide you with a false sense of security. Checklists and spreadsheets do not ensure enforcement of IT procedures.
In order to keep track of employees, hardware assets, software assets, and personal device usage, you have to embrace automation. Without automation, the checklist becomes too long and seems insurmountable - and it really is.
70% of survey participants in the CIO magazine report said that it can take an hour to deprovision all of an employee’s accounts, and 50% said it takes more than an entire day to deprovision an employee. That’s way too much time for your IT staff to spend on offboarding.
So how do you automate offboarding? In the case of managing SaaS platforms, it means pulling together all SaaS data (including user accounts) in one platform. This unified platform allows IT to view access for all platforms at one time, rather than logging into each one individually. And IT can configure usage flags for dormant accounts, so the system can proactively tell them when to take action.
Connect Internal Systems So They Can Do The Grunt Work.
Automation is a really wonderful innovation, but it doesn’t work unless all your internal systems talk to each other. If your SaaS management platform needs to know when employees depart, some other system must send it a signal.
Let’s say your ERP is the system of record when an employee departs. That ERP needs to fire off a signal (likely via API call or custom integration) to various business systems - your payroll and expense tools, maybe a hardware asset management system, and your SaaS management platform.
Once your SaaS management platform receives the signal, it can alert IT that John Doe is departing the company on X date. He has 15 licenses across your business’s SaaS platforms that all need to be deactivated or reassigned.
If you’re really lucky, some of your SaaS providers might be able to ingest a signal to deactivate or reassign licenses, saving your staff the time of logging into each platform to decouple each license from the departing employee.
Take a hard look at the entire offboarding process. Where could those connections make your job easier, or remove manual effort from your team or others? These machine-based connections can take the worry off your plate by serving up the necessary action items, without any manual effort.
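Here is what that flow can look like in practice: a departure signal turned into per-platform actions, plus the dormant-account flag from the previous section. This is an added example, not code from any vendor or from the studies cited; the event fields, platform names, the 90-day idle window, and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    platform: str
    user: str
    last_login: date
    active: bool = True
    owns_shared_data: bool = False  # others depend on this user's records

# Constructed sample data: a unified view of accounts across SaaS platforms.
INVENTORY = [
    Account("crm", "jdoe", date(2024, 5, 30), owns_shared_data=True),
    Account("email", "jdoe", date(2024, 5, 31)),
    Account("file-share", "jdoe", date(2024, 1, 10)),
    Account("crm", "asmith", date(2024, 5, 29)),
    Account("file-share", "asmith", date(2023, 11, 2)),
]

def plan_offboarding(event, inventory):
    """Turn a departure signal into one action per active account the user holds."""
    plan = []
    for acct in inventory:
        if acct.user == event["user"] and acct.active:
            action = "reassign" if acct.owns_shared_data else "deactivate"
            plan.append({"platform": acct.platform, "action": action,
                         "due": event["last_day"]})
    return plan

def still_active_after_departure(events, inventory, today):
    """Accounts that remain active although the owner's last day has passed."""
    departed = {e["user"] for e in events if e["last_day"] < today}
    return [(a.platform, a.user) for a in inventory
            if a.user in departed and a.active]

def dormant_accounts(inventory, today, max_idle_days=90):
    """Active accounts with no login inside the idle window (the usage flag)."""
    cutoff = today - timedelta(days=max_idle_days)
    return [(a.platform, a.user) for a in inventory
            if a.active and a.last_login < cutoff]

if __name__ == "__main__":
    signal = {"user": "jdoe", "last_day": date(2024, 6, 14)}  # constructed ERP event
    for step in plan_offboarding(signal, INVENTORY):
        print(step)
    print(dormant_accounts(INVENTORY, today=date(2024, 6, 1)))
```

Running `still_active_after_departure` on a schedule is the enforcement half: it surfaces any account that outlived its owner's last day, which is exactly what a checklist cannot do.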
Create Stringent Compliance Policies - And Follow Them.
So, you’ve done the upfront work of replacing spreadsheets with automation, and figuring out how to connect your internal systems. Both these things will significantly reduce manual effort and errors going forward.
However, in order to really protect your business, you must also decide on a rigorous compliance policy AND enforce it. This covers the whole employee lifecycle - onboarding, employee tenure, and offboarding.
From an onboarding perspective, think about how you will make new employees aware of compliance policies. What do they need to know upfront about how you engage with SaaS vendors, for instance? Employees using sanctioned SaaS tools need to know the general framework for how SaaS gets approved.
One day, that employee using sanctioned SaaS tools may go off and try something unsanctioned. It’s not ideal, but better for them to know the security framework ahead of time so they’ll be aware.
What about personal device usage? If IT wants to wipe personal devices prior to employee departure, employees need to be made aware ahead of time. Signed verification is a good insurance policy, in case IT gets any pushback when the time comes.
And speaking of personal devices, what’s the policy for personal device usage overall? IT may want to outline what is approved, what’s allowed but not encouraged, and what’s not allowed.
Once a departure is happening, is there a difference between how IT treats employees who leave voluntarily vs. involuntarily? And what about edge cases where the business terminates an employee who uses personal devices for work, but the employee doesn’t have all those devices on his or her person? This is just the tip of the iceberg in terms of defining your compliance policy.
Compliance In Today’s Mobile World Is Complex.
If the figures from the Intermedia study are any indication, corporations large and small are struggling with compliance and offboarding. Headlines about disgruntled ex-employees wreaking havoc should jolt us into action. Without stringent offboarding and compliance, businesses are undoubtedly at risk.