'Offboarding somebody is not just a HR responsibility, it's a responsibility for all the different divisions of the business'
Once an employment relationship has ended and HR says goodbye to a worker, there are critical steps that need to be followed to ensure important company data is safeguarded, says a security expert.
“If you leave the employee either with a device that has data on it or they’ve got data on a personal device that they’ve been using whilst in your employment [that’s not good], and given the issues of the last 18 months with remote working and such, there’s a strong possibility of an employee taking data with them,” says Tony Anscombe, chief security evangelist at ESET in Half Moon Bay, Calif.
With the onset of COVID and many employees working from home, corporate data has been dispersed on a “much wider scale,” which brings new risks to IT departments, he says.
While cyber crime is rampant these days, nearly four in 10 Canadians say they don't receive any cybersecurity training at work, according to a recent survey.
Policies key to data security
A first step in getting in line with data and property protection is to create a policy, says Anscombe.
“When the employee joins the company, every employee should understand what is company policy on use of data and how that data is managed, and how it shouldn’t be removed from a company device or how it shouldn’t be sent to a personal email or anything like that. There should be a strict policy that lays down that law and every employee should be given a copy of that policy, and preferably run through by somebody on what’s in it, what’s expected of them.”
To help prevent data leakage, installing data monitoring software is a prudent idea, according to Anscombe.
“Continuous monitoring should maybe include things like data leakage prevention technology, where if patterns of data are seen to be leaving the organization’s network, that actually the company is blocking that but also being made aware that an employee might be — it may not have been for malicious reasons — making a mistake and sending something to another device or to another email account.”
Once that is done and reported, institute a penalty to that employee so the workforce is aware it is potentially a strong concern, he says.
“The employee must understand that a breach of policy is a serious issue for the company because it could easily put you in harm’s way of a regulator, certainly if it includes personal data, and a company should make sure that the employee understands that the full force of the policy will come back on them as well.”
Canadian HR Reporter has also spoken with experts for five basic tips for effective cybersecurity.
Great resignation headaches
The so-called great resignation has also seen a glut of offboarding, which causes more worries for HR.
“You’re now seeing a significant increase in the number of people actually resigning, which is probably putting additional strain on HR departments and IT departments. If you’ve got a big workforce and suddenly you’ve got 10 per cent of that workforce who needs to be offboarded, you need to offload them in the same timescale you would have done normally,” he says.
For IT departments, it’s important to scrub clean any machines, such as personal cellphones, that aren’t being returned, he says.
“Don’t leave it to the employee to take the data off because we know — I’ve got apps on my phone that I should have deleted — we’re not very good at cleaning up the devices. You go to a conference, there’s a specific conference app and a year later, you realize you’ve still got the app on your device. So, don’t leave it to an employee… make sure an IT person is part of the exit interview and actually removes the data as part of that exit interview,” says Anscombe.
For HR departments, they should ensure “all the different divisions of the business are actually fully notified that someone is leaving and they all understand what that what part they play in the process,” says Anscombe.
“Offboarding [somebody] is not just a HR responsibility, it’s a responsibility for all the different divisions of the business.”
While it may seem like a no-brainer, 43 per cent of organizations in the U.K. don’t have a policy that forbids staff from taking data with them when they leave, he says.
“The company might not actually endorse an employee taking it but they don’t actually have a policy that forbids it.”
Disallowing access to company property was also neglected in many cases, as only 47 per cent of companies actually revoked building access as part of the offboarding process, says Anscombe, “which is somewhat shocking.”