Goodbyes are difficult, IT offboarding processes make them harder

When employees, contractors and service providers leave an organization, they take with them knowledge, capabilities, and professional achievements. They should leave behind any proprietary or confidential data belonging to the organization, but Osterman Research found that 69% of organizations polled have suffered a loss of data or knowledge upon the departure of an employee.

This alarming finding points to a severe gap in one of the most sensitive, challenging and potentially dangerous stages of the employee lifecycle: the offboarding process.

Following the identity trail is difficult

Existing offboarding processes are comprised of two very important, but inherently conflicting goals: ensuring access for business continuity and terminating access to maintain data integrity as demanded by compliance regulations.

The offboarding business processes used to navigate between these conflicting goals make matters worse, because they are neither standardized, automated nor easily monitored. Often security and identity teams don’t know what the employee accessed, why, using what identity and for what duration of time, and most importantly – if any company data was used or jeopardized in the process. They then require time and resources to uncover and decipher the employee identity trail, while business processes suffer in the interim.

A painful but necessary process which needs improvement

As it stands today, the offboarding process is viewed as an interrupter and obstructor of business continuity.

To ensure that the business continues even though the employee is gone, stale accounts are created with grace periods during which the employee’s credentials can still be used to access the organization’s networks. This is great for retaining the knowledge this employee accumulated and ensuring that their replacement is well-briefed, but since the employee is gone, nobody will remember to monitor their account, as malicious actors will soon notice.

This employee may also have been forwarding emails to their personal email account or accessing their work email from personal devices for business purposes, making it easier for hackers to obtain sensitive company data and impossible for the organization to know.

Existing offboarding processes may frustrate business executives due to their rigidity – and they aren’t alone in their annoyance. What’s bad for security is also, inevitably, bad for business. Security teams today must manually ensure that all access privileges, including access to various systems, applications, databases and physical facilities, be promptly terminated. These teams may also undertake manual user access reviews, which are sporadic, lack critical business context and may impede business operations.

These are complex and tedious processes that are prone to human error, especially in large organizations with multiple systems and a high number of access points. Failure to terminate access effectively can lead to potential security breaches or unauthorized access to sensitive information.

It’s the ones you can’t see

During their time at an organization, employees may have created numerous accounts and used various credentials across different platforms and systems.

Another exacerbating factor is that not all these accounts and users are actual employees. The riskiest identities are often those with multiple users, external contractors or other anomalous entities that are forgotten, untracked and often overlooked. For proper offboarding, each of these accounts needs to be identified, reviewed and deactivated or transferred to another user, depending on the circumstances.

Locating and de-provisioning all employee accounts can be challenging, particularly when employees have used more than one digital identity.

Streamlining offboarding will streamline business

To make the offboarding process a little less painful, organizations should:

• Establish well-defined, automated and adaptable offboarding procedures that move beyond checklists, and drive strong collaboration between HR, IT and security teams.
• Ensure visibility into the organization’s entire slew of identities and users at any given time. This will help ensure that all identities and entities are seen and managed, even after they leave.
• Implement automatic, ongoing audits, employee education about data security policies and dedicated identity solutions to help mitigate the risks associated with offboarding employees from an identity security perspective and ensure that business can continue safely, securely and efficiently.