Saying goodbye is never easy. That’s especially true when it comes to employee offboarding – but not due to sentimentality. In our increasingly digital workplace, interns, contractors and full-time employees too often still have access to some applications and sensitive information after they leave a company.
Our research has found that 76% of IT leaders believe offboarding is a significant security risk for their organization. Why? Because there are too many unknowns and complexities.
The complexities stem from the radical differences in how we work today compared to a couple of years ago. While remote and hybrid work have added risk, the primary negative ramifications stem from one specific factor: the decentralized adoption and management of Software-as-a-Service offerings (i.e., cloud applications).
Decentralization muddies IT visibility
SaaS applications have upgraded the way we work, and many have become integral to our processes. From project management and CRM solutions to design, office productivity, and expense tools, most cloud applications are easy for anyone to acquire and implement – you only require a company email address to get started.
Torii’s customer data shows that most organizations are now adding 15-20 new apps each month. App ownership is scattered throughout companies. Individuals provision as needed and decide who to give access to.
The issue? No one is telling IT when they add a new app to the stack or a new user to the app. That means that when the time comes for offboarding, complete deprovisioning seldom occurs.
As organizations continue to complicate their SaaS stacks, IT is continuously left in the dark. It becomes impossible to keep track of what applications are being used at their organization and by whom. That creates shadow IT: apps outside of IT’s purview, essentially creating a secondary SaaS stack. That secondary stack is unchecked, and more importantly, unsecured.
IT’s ability to act on security risk is dependent on visibility. It’s impossible to secure what you can’t see. That makes decentralized SaaS application adoption a legitimate security blind spot.
Some shadow IT applications accumulate sensitive company information with time. Others integrate with business-critical apps such as Salesforce, which carry sensitive data.
Intellectual property that sits outside of IT’s purview is inherently at risk, and that risk escalates when employees depart your company.
Shadow IT creates a porous offboarding experience
IT must ensure that former employees are no longer able to access sensitive company information.
If they still can, they could accidentally gain access to an application and proprietary data through browser-saved credentials. In a worst-case scenario, though, a bad actor could purposefully gain access to sales, product, or customer data.
While IT departments do their best to manually track down the applications an employee was using, it can quickly turn into a game of telephone. And, in the case of sudden departures, that just doesn’t cut it. Reaching out to a former employee’s teammates or manager after the fact is unreliable, leaving a serious risk gap for every former employee. That risk grows if IT isn’t even aware of the employee’s departure.
Plus, this method is very time-consuming for an IT team, especially if several employees are departing at the same time (e.g., when a group of seasonal interns finishes their program at the organization).
Strategizing for decentralized SaaS
Organizations need to have a comprehensive offboarding strategy that deprovisions users from sanctioned AND unsanctioned applications.
1. Visibility: It starts with giving IT complete visibility into company-wide SaaS application usage. Sanctioned applications may be easy enough to cut off through tools like single sign-on (SSO) systems. Those that aren’t included in SSO (because they fall under shadow IT) are another story.
IT can only help if they’re able to better visualize the true SaaS stack of their organization. That means illuminating shadow IT.
By arming IT with tools that discover and surface shadow IT, offboarding can transition from a game of hide and seek to an auto-curated list of applications that need deprovisioning for specific people. Tools like SaaS management platforms make that easier.
2. Action: From there, IT leaders should look to leverage automation to lighten the load and reduce the chance of people and apps falling through the cracks. Our data suggests that many employees have at least 30 applications that need their access revoked upon their departure. But how do you discover that if they’ve already left?
IT leaders can use solutions that integrate with HR systems and automatically notify their team of employee departures or role changes. That level of information transparency, combined with smart automation that automatically deprovisions employees from all applications, can create a seamless offboarding process that’s never a step behind (and never out of the loop).
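The reconciliation behind these two steps, as an added illustration that is not code from the article or from any vendor: an HR departure feed is joined against SSO assignments and discovery results to produce a per-person deprovisioning list that separates SSO-covered apps from shadow IT and flags accounts used after the end date. The record layouts, field names, app names and sample data are assumptions constructed for the example.

```python
from datetime import date

# Constructed sample data, not taken from the article.
HR_FEED = [
    {"email": "ana@example.com", "status": "terminated", "end_date": date(2024, 5, 31)},
    {"email": "raj@example.com", "status": "active", "end_date": None},
    {"email": "kim@example.com", "status": "terminated", "end_date": date(2024, 7, 15)},
]
SSO_ASSIGNMENTS = {  # apps IT can cut off centrally (keys are lowercase emails)
    "ana@example.com": {"salesforce", "slack"},
    "raj@example.com": {"slack"},
}
DISCOVERED_ACCOUNTS = [  # what a discovery tool surfaced, shadow IT included
    {"email": "Ana@Example.com", "app": "salesforce", "last_login": date(2024, 5, 30)},
    {"email": "ana@example.com", "app": "design-tool", "last_login": date(2024, 6, 3)},
    {"email": "ana@example.com", "app": "expense-tool", "last_login": date(2024, 4, 2)},
    {"email": "raj@example.com", "app": "design-tool", "last_login": date(2024, 6, 1)},
]


def build_offboarding_plan(hr_feed, sso_assignments, discovered, today):
    """Return {email: {"sso": [...], "shadow": [...], "used_after_exit": [...]}}."""
    # Only people whose end date has passed are due for deprovisioning.
    departed = {
        r["email"].lower(): r["end_date"]
        for r in hr_feed
        if r["status"] == "terminated" and r["end_date"] and r["end_date"] <= today
    }
    plan = {}
    for email, end_date in departed.items():
        sso = set(sso_assignments.get(email, ()))
        shadow, late = set(), set()
        for acct in discovered:
            if acct["email"].lower() != email:  # discovery data may vary in case
                continue
            if acct["app"] not in sso:
                shadow.add(acct["app"])  # no central kill switch for this app
            if acct["last_login"] and acct["last_login"] > end_date:
                late.add(acct["app"])  # account was used after departure
        plan[email] = {"sso": sorted(sso), "shadow": sorted(shadow),
                       "used_after_exit": sorted(late)}
    return plan


if __name__ == "__main__":
    result = build_offboarding_plan(HR_FEED, SSO_ASSIGNMENTS,
                                    DISCOVERED_ACCOUNTS, date(2024, 6, 10))
    for email, work in result.items():
        print(email, work)
```

Anything in the `shadow` list has to be revoked app by app, and anything in `used_after_exit` is worth a review of what was accessed.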
IT needs to do everything they can to eliminate blind spots when it comes to security, beginning with acknowledging the risk that decentralized SaaS has created. With the proper offboarding strategy and the right tools, they can deprovision users automatically, on time, with nothing falling through the cracks. And – in doing so – worry less about former coworkers turning into cyber threats.