How Proper Offboarding Can Help Prevent Data Breaches

​Shortly after she was fired from her job at the City of New Haven recently, a Connecticut woman reportedly snuck back into her former office, copied data onto her personal thumb drive and erased the private health records of 587 people from a government database.

This happened years after an employee terminated from Omega Engineering Inc. deleted all of the company's programs, which cost the Bridgeport, N.J., organization $10 million in contracts and sales.

In this digital age, where data breaches happen mostly online, these examples serve as reminders to HR professionals why policies should be in place to safeguard data not just physically but also virtually.

In the newly released 2017 Cost of Data Breach Study, conducted by IBM Security and the Ponemon Institute, malicious insiders or criminals caused 47 percent of all breaches. "The average cost per record to resolve such an attack was $156," the report revealed. "In contrast, system glitches cost $128 per record and human error or negligence is $126 per record."

Despite this, fewer than half of in-house counsel (45 percent) said their organizations require employees to take training on how to prevent cybersecurity breaches, according to the Association of Corporate Counsel (ACC) Foundation.

"HR has a tremendous opportunity" to educate employees about good cybersecurity habits, said Amar Sarwal, vice president and chief legal strategist for the ACC, in an interview with SHRM Online.

That includes providing guidance about both online and offline behavior, experts said.

Increased Access

"You have to have the right governance in place to make sure [departing employees] can't get into" computer files, said Alvaro Hoyas, chief information security officer at One Login, an identity and access management software company based in San Francisco.

"The challenge is that there are so many places where access is granted to an individual in every company. It's a bigger problem now," he told SHRM Online in a phone interview.
And Hoyas' warning doesn't apply just to disgruntled employees who can physically enter an office to commit crimes against a former employer.

"We need to move beyond having a key card or simply taking away people's keys," Hoyas added. "That's not effective nowadays because we have a very mobile workforce." Employees use mobile phones, work remotely on laptops, and log in to company systems from their own computers through shared drives or the cloud.

"You need to manage your employees wherever they exist and wherever they log in from," he said. "Users log in from home, from their office and they can log into apps and e-mails from their own devices. Most of the time companies aren't paying for people's cellphones," he pointed out.

Employers should keep that in mind when an employee leaves and they must cut off access to his or her computer, Hoyas said.

Offboarding Best Practices

The first step, he and other experts said, is to know what employees have access to. That information should be available before an employee's access to computer systems is terminated.

Other steps include:

• Deactivating employees' access to computers in a timely manner. IT and HR need
  
  to communicate, Hoyas said. For instance, if someone is terminated through an HR platform like Workday, UltiPro, ADP or Namely, these platforms make it easier for HR to notify IT that a firing has occurred, and IT can more quickly terminate access to all internal computer systems and collect laptops, key cards, token generators and other devices that might authenticate an end-user and let them connect to the network.
  
  "From there, they can't try to get to a common shared directory," he said. "It should be a streamlined process initiated by HR, and then IT should collect their devices."
• Making sure that, if they own files in a file-sharing system, those files are transferred to someone else.
  
  "Have a clear cleanup process," Hoyas said. "So, if this person is in charge of XYZ, know who is going to take over their files or relationships or e-mails." He said HR and IT should have a policy declaring what happens in the event of termination and resignations. For example, when a person is offboarded, are his or her e-mails forwarded to someone else in the company or "are you going to shut it down or send an autoreply that this person is no longer with the company?"
  
  One of the most important things is to make sure "all parties that are relevant to this whole process are in sync," he said. "Managers, HR and IT need to clearly communicate procedures and expectations so nothing falls through the cracks."
  
  

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.