Do you have an IT Security checklist as part of your employee exit process?

May 2, 2019

Employees retiring or leaving for new pastures is nothing new. However, as companies and technology have grown, the number of systems and the amount of data that employees have access to have increased. Consequently, exiting staff can be considered a security risk both in terms of Cyber Security and GDPR compliance. Having a simple IT security checklist as part of your HR Employee Exit Strategy can address a significant number of potential concerns.

Communication

Tell your IT team, onsite and offsite. It sounds simple, but giving your IT team as much notice as possible allows them to plan, schedule in, and cross-check system information to ensure as smooth and secure an exit as possible. Obviously, if the staff member is being dismissed or has an immediate exit date, then your IT Department will execute an immediate lockout. Should the staff member be working a notice period, it may be decided to limit access to some systems during that time.

Email

Remove access to all email addresses used by the employee by updating passwords and ensuring the accounts can no longer be accessed via their mobile devices. Their email account is likely to contain information the company needs, so until this is assessed it is unwise to just delete the account. Additionally, depending on the position of the person in question, they may be contacted by customers or suppliers, so setting up either an auto forward or email box monitoring is a wise move. Removing the email address from internal groups and distribution lists will lessen traffic and unwanted emails.

Change social media and website passwords

Did the staff member have access to social media or website passwords? Are the passwords the same as those for other systems? Social media is a powerful tool and your website is a valuable asset, so access to both should be protected. If in any doubt, change the passwords for the social media and website accounts. Remind the exiting staff member to update profiles such as LinkedIn to ensure they accurately reflect their association with your business.

Remove access to all systems

From databases to quoting systems, make sure that all of the permissions have been removed. Do you have a list of all internal systems and who has access to which? Time for an audit of system users?

Don't forget cloud storage

Does your firm use cloud storage? Have any folders been shared with non-company email addresses in an emergency or in breach of company policy? Be it Google Drive, iCloud or Dropbox for Business, it is time to check permissions and revoke folder access. Has the staff member used their personal devices for business purposes? These will need to be checked and cleared.

Personal storage of documents

Whilst your GDPR and Cyber Security process should prohibit the storage of company files on personal devices and private cloud drives, ask the question. Get any files copied and transferred to a safe company location, and delete the originals.

Company equipment

We would advise companies to have a register of all allocated assets to ensure that devices can be associated with staff members at all times. Such a register is a useful reference to ensure that all company equipment, from laptops and peripherals through to mobile phones, is returned securely at the end of employment.

Passwords

Sometimes company passwords are not kept as securely as they should be, or there could be a culture of sharing system passwords. Aside from recommending that this practice changes as a matter of urgency, if you have an employee exiting, we would recommend changing the passwords on any such system.

Bank accounts and authorities

Depending on the position of the employee, they may have access to bank account details, credit card details or government portals. Steps should be taken to remove access and protect accounts.

About LP Networks

Working across the UK, LP Networks understand the technology and data security needs for businesses of all sizes, across all industries. Our team’s extensive experience means that we are able to deliver fast response times, resolving our clients’ IT issues and requirements quickly and professionally. If you would like to speak to us about your IT needs please call us on 0800 970 8980 or email us on enquires@lpnetworks.com.