How to manage a departing employee’s access to IT

Image: Access denied (Image credit: Shutterstock)

Jobs for life are a thing of the past. Staff turnover has never been higher, in part because it suits employers to structure contracts that way – but more often because there's a skills shortage. Staff are a valuable asset easily lured away by rivals.

And then what? Do you revoke their access, both physical and digital, to keep them away from your infrastructure and data, or should it be business as usual while they work out their notice? A decision like this can only be made if the organisation has a clear picture of what exactly the employee can access.

"You need a complete understanding of the company assets employees use from their first day," said Fredrik Forslund, a co-founder of the Blancco Technology Group, whose eponymous product is used by businesses to safely wipe used kit for reuse or sale. "You need an asset management system that tracks the physical assets an employee's using, which can be simple to organise and incredibly helpful when reconciling assets following an employee's departure. Besides that, it's great to know all digital services used, which is easiest to achieve with single sign on. Simple tasks like changing passwords and logging out of online services are an important process that could protect your company from a potential data breach."

"An IT admin requires quick visibility into the scope of who has access to what within the organisation, including internal systems, cloud services and files," said Brandon Shopp, VP of product strategy for security, compliance, and tools at SolarWinds, whose access rights manager software helps IT managers understand what a departing staff member had access to, beyond simply their Active Directory account. "Doing this manually is a time-consuming exercise, so having a tool that audits and provides it to you is an important resource. Before the employee exits the organisation, IT admins should revoke access to any information they don't need to complete their final assignments. Having a product in place to help with this not only provides visibility, but also an audit of changes to your infrastructure to help understand who is making changes and what they are."
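The two quotes above describe the same workflow: know what physical kit and which digital services each employee holds, cut back a leaver's access to only what their final assignments need, and keep an audit trail of every change. The script below is an added illustration of that workflow and is not code from Blancco, SolarWinds or the article; the inventory, user names, asset tags and share paths are constructed, and a real deployment would pull the entitlement list from the directory, SSO provider and file servers rather than a hard-coded list.

```python
"""Offboarding access review over a constructed entitlement inventory.

Added example (not from the article or any vendor): builds the
"who has access to what" picture, splits a departing user's access into
revoke-now versus keep-until-exit, records each change as an audit entry,
and reconciles physical assets. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entitlement:
    user: str
    system: str      # where the access lives: "ad", "sso", "fileshare"
    resource: str    # group name, application, or share path
    level: str       # "read", "write" or "admin"


@dataclass
class AuditEntry:
    when: str
    actor: str
    action: str
    target: str


# Constructed inventory, standing in for what the directory, SSO provider
# and file servers would report.
INVENTORY = [
    Entitlement("j.smith", "ad", "Domain Users", "read"),
    Entitlement("j.smith", "ad", "Finance-Admins", "admin"),
    Entitlement("j.smith", "sso", "crm", "write"),
    Entitlement("j.smith", "sso", "payroll", "admin"),
    Entitlement("j.smith", "fileshare", "\\\\files\\finance\\q3", "write"),
    Entitlement("j.smith", "fileshare", "\\\\files\\handover", "write"),
    Entitlement("a.jones", "sso", "crm", "write"),
]


def access_for(inventory, user):
    """Everything the inventory says this user can reach."""
    return [e for e in inventory if e.user == user]


def plan_offboarding(inventory, user, needed_for_final_tasks):
    """Split a departing user's access into (revoke_now, keep_until_exit).

    needed_for_final_tasks: set of (system, resource) pairs the employee
    still needs for remaining work. Admin-level access is never retained,
    even if the resource is on the needed list.
    """
    keep, revoke = [], []
    for e in access_for(inventory, user):
        if (e.system, e.resource) in needed_for_final_tasks and e.level != "admin":
            keep.append(e)
        else:
            revoke.append(e)
    return revoke, keep


def apply_revocations(inventory, revoke, actor):
    """Remove the entitlements and write one audit entry per change.

    Returns (remaining_inventory, audit_log).
    """
    to_remove = set(revoke)
    remaining = [e for e in inventory if e not in to_remove]
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    log = [AuditEntry(stamp, actor, "revoke", f"{e.system}:{e.resource}:{e.level}")
           for e in revoke]
    return remaining, log


def outstanding_assets(assigned, returned):
    """Asset tags issued to the employee that have not yet been collected."""
    return sorted(set(assigned) - set(returned))


if __name__ == "__main__":
    needed = {("ad", "Domain Users"), ("sso", "crm"), ("sso", "payroll"),
              ("fileshare", "\\\\files\\handover")}
    revoke, keep = plan_offboarding(INVENTORY, "j.smith", needed)
    remaining, log = apply_revocations(INVENTORY, revoke, actor="it-admin")
    for entry in log:
        print(entry)
    print("kept until exit:", [(e.system, e.resource) for e in keep])
    print("kit still to collect:",
          outstanding_assets(["LT-0042", "PH-0107", "TK-0009"], ["PH-0107"]))
```

The point of `plan_offboarding` refusing to retain admin-level access is the one Shopp makes: the leaver keeps only what the final assignments require, and privileged roles are not something final assignments require. The audit log is what lets a second person verify after the fact that every entitlement on the revoke list actually went.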

Why, where and when?

It also depends on the circumstances under which the employee is leaving. Redundancy requires a period of consultation, during which restricting an employee's right to work – and access to resources – may leave an organisation open to legal repercussions. Should an employee voluntarily hand in their notice, however, the situation is somewhat different.

"If the employee is leaving to go to a competitor, it's still the situation in most cases that once they've handed in their notice they'll probably be leaving that day, so won't continue to have access to the [company's] data – although that's a bit of an outdated concept, to be honest," Shaun Thomson, CEO of Sandler Training, told us. "By the time someone puts their hand up and says they're leaving, if they want to take that data, they already have it. They'd be silly to wait until the day after they've handed in their notice."

Thomson says organisations should concern themselves with continuation of business at least as much as they think about the safety of their data and the hardware they have loaned an employee. Counterintuitively, building multiple contact points for each client, which means sharing internal data far and wide, may be the most effective solution.

Hardware and data jurisdiction

"Once the decision about letting someone go has been made, a collection date for assets should be set and when assets are collected, all data should be securely erased with an audit trail... before these assets are transferred to another user," Forslund said. "There should be zero risk for data leaks in between users in a situation like this."

Frequently, the distinction between corporate and personal hardware – and corporate and personal data – is blurred. BYOD can result in business-critical data residing on users' own devices, while personal emails may linger in a corporate inbox. Should employees be allowed to export their mailbox and take their contacts with them?

"Generally, no," said Forslund. "The personal emails must originate from some other service where access to emails should still exist and remain. If employees are allowed to export their inbox, all locally saved work emails will come along, which is not okay."

Shopp agrees. "Company email systems and the underlying data stored within belongs to the company, which makes it the company's discretion to allow the employee to extract any personal items such as contacts and emails before they leave."

It's therefore essential that guidelines for the acceptable use of email are written into staff members' contracts of employment, so that confusion – and conflict – can be avoided at the point of departure.

As Thomson points out, "when you employ people you're looking for certain things, which you're disdainful about when they leave. You expect them to come with contacts but don't want them to leave with any."

But contacts alone are less important than an established relationship once an organisation reaches a certain size.

"When we're working with our client companies, we apply an acid test: do your clients have a relationship with you or just one person in your company?" Thomson asked. "If it's the latter, when that individual moves the client is going to go wherever they go. As you grow – both your own company and a company you're dealing with externally – it's more about dealing organisation to organisation. We use Microsoft Dynamics as a CRM, but if our contact at Microsoft left that wouldn't change: we'd still be using Microsoft software. The bigger a company is, the less likelihood that the employee will be able to take business with them."

From a leadership point of view, then, and with succession planning in mind, only considering the risk to your data at the point an employee announces they're leaving is probably too late. Data can be used as insurance by staff who feel their position to be under threat. Cultivating multiple touch points between your organisation and its clients makes that tactic less effective, and limits the damage in-house if it is ever used.

You're fired!

Special consideration needs to be given to staff leaving under a cloud, for whom you may wish to curtail access to mission-critical systems and sensitive data in short order.

In this case, SolarWinds' Security Event Manager "alerts you if someone is still trying to use an account once they've been locked out," said Shopp. "It gathers logs that can tell you why someone is trying to authenticate with the account that you've shut down. Is it an application that was installed while the person was still at the company, which you need to go in and shut down, or is somebody actually trying to do something that they shouldn't? Having visibility into that is something that every organisation should have."
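Shopp's two-way question, leftover application credential or a person who should no longer be there, is a triage step that can be automated over authentication logs. The script below is an added example of that triage and is not SolarWinds code or its log format; the log line format, host names, addresses and account names are constructed, and a real deployment would read the directory's disabled-account list and the authentication events from the event manager or SIEM in use.

```python
"""Triage authentication attempts against disabled accounts.

Added example (not from the article or any vendor): scans constructed
auth log lines for logon attempts by accounts on a disabled list, then
separates steadily retrying non-interactive logons (a forgotten service
or scheduled task) from interactive attempts that need a person to
explain them. The line format below is invented for this example.
"""
import re
from collections import defaultdict

# Constructed line format:
#   <ts> host=<h> user=<u> src=<ip> type=<interactive|service|api> result=<ok|fail:reason>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"type=(?P<type>\S+) result=(?P<result>\S+)$"
)

# Constructed sample: a report job still configured with a disabled
# service account, a disabled user trying the VPN, and an unrelated success.
SAMPLE_LOG = """\
2024-05-02T08:01:10Z host=sql01 user=svc_reports src=10.0.5.20 type=service result=fail:account_disabled
2024-05-02T08:06:10Z host=sql01 user=svc_reports src=10.0.5.20 type=service result=fail:account_disabled
2024-05-02T08:11:10Z host=sql01 user=svc_reports src=10.0.5.20 type=service result=fail:account_disabled
2024-05-02T09:14:03Z host=vpn-gw user=j.smith src=203.0.113.7 type=interactive result=fail:account_disabled
2024-05-02T09:14:41Z host=vpn-gw user=j.smith src=203.0.113.7 type=interactive result=fail:bad_password
this line is malformed and must be skipped
2024-05-02T09:20:00Z host=fs01 user=a.jones src=10.0.5.31 type=interactive result=ok
"""

# Constructed list of accounts the directory reports as disabled.
DISABLED = {"svc_reports", "j.smith"}


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def disabled_account_attempts(log_text, disabled):
    """Group every event for a disabled account by (user, host, src, type)."""
    groups = defaultdict(list)
    for ev in parse(log_text):
        if ev["user"] in disabled:
            groups[(ev["user"], ev["host"], ev["src"], ev["type"])].append(ev)
    return groups


def triage(log_text, disabled):
    """Return one alert per group, most urgent first.

    category 'stale_credential': non-interactive logon (service/api) that
      keeps retrying, i.e. an application still configured with the old
      account that an admin needs to reconfigure or shut down.
    category 'possible_misuse': interactive attempts, which should be
      followed up with the account owner and the source of the connection.
    """
    alerts = []
    for (user, host, src, kind), events in disabled_account_attempts(log_text, disabled).items():
        category = "stale_credential" if kind in ("service", "api") else "possible_misuse"
        alerts.append({
            "user": user, "host": host, "src": src, "type": kind,
            "attempts": len(events), "category": category,
            "first": events[0]["ts"], "last": events[-1]["ts"],
        })
    # Interactive attempts are listed before stale credentials.
    return sorted(alerts, key=lambda a: (a["category"] != "possible_misuse", a["user"]))


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, DISABLED):
        print(f"[{alert['category']}] {alert['user']} on {alert['host']} from "
              f"{alert['src']} ({alert['type']}): {alert['attempts']} attempts "
              f"between {alert['first']} and {alert['last']}")
```

The grouping key includes the source address and logon type on purpose: the same disabled account retrying every few minutes from one database host looks like a scheduled job, while the same account attempted interactively from an outside address is a different conversation. Either way the account stays disabled; what changes is who gets the ticket.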

As Thomson explained, though, each situation must be considered on its own merits. There's a wide choice of safeguards that companies can choose from, depending on their philosophy, size, and the kind of assets – both physical and data-based – they're dealing with. The key is understanding what staff have access to, and knowing what needs to be done as soon as it becomes clear their time with the business is drawing to a close. After all, the rate of staff turnover is unlikely to slow down any time soon, if ever.

Nik Rawlinson is a journalist with over 20 years of experience writing for and editing some of the UK’s biggest technology magazines. He spent seven years as editor of MacUser magazine and has written for titles as diverse as Good Housekeeping, Men's Fitness, and PC Pro.

Over the years Nik has written numerous reviews and guides for ITPro, particularly on Linux distros, Windows, and other operating systems. His expertise also includes best practices for cloud apps, communications systems, and migrating between software and services.