What happens to your ex-employees’ digital footprint when they leave?
Your organisation’s offboarding checklist is probably MORE important than your onboarding checklist!
21st-century working invariably involves a lot of digital activity. A new starter needs an email account, and logins to the core systems that they need to access to be productive, interact and do the job they were hired to do.
You may well have an onboarding procedure which aims to ensure that they have everything they need on the day they start, but what about the day they leave?
The accounts, logins and systems they use belong to your business, not the employee. I don’t just mean switching off the email account and asking for their work mobile phone and office keys.
When you think for a moment about all the accounts they may have access to, it becomes clear that the business is at risk if there isn’t a comprehensive offboarding process in place. For example, an ex-employee could start sending nasty emails to the rest of the company or, worse, your clients. If they still have access to your data, they could try to delete it or even steal it for their own use. (We have seen this happen!)
20% of surveyed businesses have experienced a data breach connected to a former employee.
An offboarding checklist should be a comprehensive list of every work-based account, login or system the leaver has, each paired with an action that closes any cyber-loophole.
That action may be as simple as deleting an account or resetting a password. The list below is a quick checklist that can help you to close these potential issues before they arise.
The Digital Offboarding Checklist
It’s amazing how many company processes are NOT documented but just live inside people’s heads. This could be a basic “what we use to schedule social media posts” or CRM best practices.
Don’t lose that vital information! As part of any leaving/exit process, be sure to get the leaver to undertake a knowledge “download”. Even better would be to have a set of standard operating procedures that your whole company commit to updating as part of their normal working practices. Again, this minimises the chance of a knowledge “drain”.
1. Social media
Create a social media account register. This could be a spreadsheet – itemising every single work social account, what the login details are and who has access to this password. Check they are ALL work accounts and not the leaver’s personal Facebook account. Things could get a bit sticky if they are not company owned!
Remember – your social media accounts aren’t simply company intellectual property, they are public-facing windows into your business. Make sure you are always in control!
2. Create an account register for all apps and systems the person uses at work
Without having a comprehensive list of all the accounts, you will only be guessing if you have “closed all the doors”. This kind of register can also be stored in an electronic document.
Also, as part of the leaving process ask the leaver if they use any personal accounts to store or save work data. They may not realise that this is a potential security issue. It may be advisable to check the user’s device for cloud-based apps that your company does not use. For example, if your company doesn’t share work data in Dropbox and you find Dropbox installed on the leaver’s device – check if work data is sitting in the Dropbox folder! (They may not even realise it’s there!)
3. Change the leaver’s email password
I think most people know that changing the email password is a no-brainer. If you use a collaborative work system such as Microsoft 365 or Google Workspace, this account is MUCH more than email. All your work data, chats and other assets are accessed with the same account.
4. Change all business app passwords
Once all business app passwords are changed, especially for cloud-based apps, the leaver simply cannot log in. Your team may occasionally log in to one of these on a personal device (even though they know they shouldn’t), so rather than find out after the damage is done, just close the door.
5. Ensure all work devices are returned to the business
Especially with remote working being commonplace, get your leaver to bring back any tech to the office before they leave. It belongs to your company and may have sensitive data on it. Imagine if the device was sold on and a cyber criminal accessed the data.
6. Recover data on employee personal devices
Many companies use a bring your own device (BYOD) policy. It saves them money, but this can make offboarding more difficult.
You need to ensure you’ve captured all company data on those devices. If you don’t already have a backup policy in place for this, now is a good time to create one.
7. Move data from the leaver’s account and delete the account
It might be tempting to leave the old account live “just-in-case”, but this poses a cyber-risk (an unmonitored dormant account with lots of data is a hacker’s dream!). It may also add a subscription cost that you don’t need to be paying.
8. Don’t forget physical access!
Make sure you gather any keys and fobs as they leave and, if possible, change any door access codes.
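To show how the account register from items 1 and 2 can drive the actions in items 4 and 7, here is an added example that is not part of the original article. The register columns, account names and people are constructed assumptions; the script turns the register into a per-account action list for one leaver, names who else needs the new password for shared logins, and flags accounts found on the leaver’s device that the register does not list.

```python
import csv
import io

# Constructed sample register (assumed columns, not from the original page).
# One row per person/account pairing; "shared" means several people use one login.
REGISTER_CSV = """account,system,owner,credential,user
@acme_news,Social media,company,shared,alice
@acme_news,Social media,company,shared,bob
alice@acme.example,Microsoft 365,company,individual,alice
CRM,Sales CRM,company,shared,alice
CRM,Sales CRM,company,shared,carol
Dropbox (alice),Dropbox,personal,individual,alice
bob@acme.example,Microsoft 365,company,individual,bob
"""

def load_register(text):
    """Parse the register into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def offboarding_actions(rows, leaver):
    """Return a sorted list of (account, action, notify) tuples for the leaver."""
    actions = []
    for row in rows:
        if row["user"] != leaver:
            continue
        account = row["account"]
        # Everyone else who uses the same login must be given the new password.
        others = sorted({r["user"] for r in rows
                         if r["account"] == account and r["user"] != leaver})
        if row["owner"] != "company":
            action = "check for work data, recover it, ask leaver to remove it"
        elif row["credential"] == "shared":
            action = "change shared password, remove leaver from register"
        else:
            action = "reset password now, move data, then delete account"
        actions.append((account, action, others))
    return sorted(actions)

def unregistered_accounts(rows, discovered):
    """Accounts found on the leaver's device that the register does not list."""
    known = {r["account"] for r in rows}
    return sorted(set(discovered) - known)

if __name__ == "__main__":
    rows = load_register(REGISTER_CSV)
    for account, action, notify in offboarding_actions(rows, "alice"):
        print(f"{account}: {action}" + (f" (tell: {', '.join(notify)})" if notify else ""))
    print("Not in register:", unregistered_accounts(rows, ["CRM", "Trello"]))
```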
Do you need help reducing these risks? Having a proactive process in place that is systemised and part of your business will significantly reduce the risks to your business. Download our helpful checklist here and let us know if you need any help implementing your offboarding process.