Understand The Who
Any company in business longer than a few months understands the law of hiring: who comes in may one day go out. Employees come and go for many reasons. They may leave for a better opportunity or for family, retire, go back to school, or simply quit out of frustration. More often, employees shift positions within the same company, vacating one role for another opportunity.
- The average person changes jobs 15X during his or her career
- The majority of people stay in one job fewer than 5 years
- 70% of employees say they serve on multiple teams
For HR and IT, managing all of this change is no easy feat. Every job requires employees to use different business applications and authorizations don’t always transfer from job to job (or at least they shouldn’t). It’s critical for HR and IT to always know who is coming and going. Onboarding is tough enough, but offboarding is where the real risk can come. Focusing on offboarding best practices and establishing strict protocols is critical.
One of the most important facts a company can understand about its employees is who they are, including their authorizations and clearances. This is obvious during the offboarding process, but it is equally of value when they are hired and throughout their career at the company. Securing SaaS user accounts is priority number one.
Identify The What
Once you understand who your employees are, you must know to what software they have access. What SaaS apps, including email, Dropbox, Google Drive documents, Salesforce, Gmail, iCloud, WebEx, Office 365 and dozens more, may they have full or partial access?
Many organizations are manually tracking this detailed data, yet struggling to keep up with the constant additions. With every new hire and new app added to the landscape, the spreadsheet expands, errors can be made, updates are slow, and before long, the record is anything but accurate. It’s outdated the minute an employee decides to use a new app they didn’t think IT needed to know about. It’s obsolete as soon as an employee joins a team or leaves the company, completely dependent on someone immediately manually editing the record.
Shadow IT is a big problem. Sometimes, employees use these covert apps after circumventing established procurement policies. Other times, they use them quite innocently without realizing the danger they can bring. It puts organizations at risk both during an employee’s tenure and once they’ve left. It’s not the apps that are the issue: it’s not knowing which apps are out there and who is using them.
Companies must take control of their app usage by first identifying which apps are in use - those reported to IT and under their umbrella of control, such as with single sign on, and shadow IT that isn’t included. Looking at financials to see where app subscriptions may be hiding is a start.
Implement a strict governance policy and consistently communicate their importance so every employee, new and tenured, understands tracking these apps is a big deal. You may have to go back to the basics and clearly define what is considered an app. You may be surprised how little employees really “get it.”
“With any unsanctioned download, users run the risk of contracting a virus on their machine through an unknown program. If employees use their own devices to store company information, there runs a bigger risk of accidental or (hopefully not) intentional information leakage....Additionally, many people are apt to use the same programs at work that they use at home. Checking personal email from time to time or chatting with friends outside of the company doesn’t strike most people as a breach of security - they have no issues when they do it on their own time, so why would it harm them now?” - Monster.com
Track The When and How
It’s not enough to know who is using what. You must also understand when they are using it and how. Do they use apps from their office desktop? A mobile app from a phone or laptop? Are those mobile devices company-issued or BYOD? Are they logging in with single sign-on? What are the protocols for offboarding employees who use these devices?
If a company doesn’t have visibility into who is using what apps on which devices, it’s much like fumbling around in the dark. You know there is probably something out there that can hurt you, but you can’t see it so you don’t know which direction to go. The employees who shift positions or leave the company may be taking sensitive or even confidential customer and proprietary data with them on those devices.
Offboarding isn’t just about communicating their departure, transferring their knowledge to their successor, and updating org charts and company directories. Any offboarding checklist will also tell you to recover company assets and revoke systems access. How will you do that if you don’t know what assets and systems they are using? Many of those “systems” are not on-premise software but in the cloud, often cloud apps you may know nothing about. How do you ensure all access is revoked if you don’t know what work apps they have on their own mobile device?
Is the answer to ban BYOD? Sharply decrease the number of cloud apps they can use? Keep every SaaS app under the single sign-on umbrella? How sustainable and realistic is that?
Cloudy with The Chance of More Clouds
The truth is, cloud apps aren’t going anywhere. Gartner projects the public cloud service market to grow 18 percent this year, with SaaS-specific growth to reach more than 20 percent. Companies must embrace them, like it or not, and bring them into the IT fold. Fortunately, however, there are better tracking mechanisms than spreadsheets or home-built applications. IT can put on night-vision goggles and see what’s really out there.
The key is through automation. The more automated you can make the monitoring and auditing process, the better. Automation brings consistency, efficiency, accuracy and above all else, transparency. After all, that’s what the goal is - to be able to see across the enterprise and answer the who, what, when, where and how at any given time.
The ability to see on a single screen the status of the IT ecosystem, imminent and potential risks, utilization trends and opportunities gives business leaders the one thing they covet most - the capacity to make data-based decisions.How confident are you that the reports you are running now show the whole picture as it is right this second? How sure are you that the employees you recently offboarded took nothing with them that will come back to haunt you?
To truly modernize your offboarding process for today’s mobile and cloud-based world, you must move beyond static spreadsheets. Invest the time to research the latest technology designed specifically to bring visibility and control to this increasingly complex environment.