
10 ways to protect your company from employee transition risks

Employment transition is an often overlooked danger to company security. Make sure you have policies and procedures in place that will protect your business from security compromises when someone leaves your company.

The day a decision is made to transition an employee out of a company -- whether it is the employee or the employer who makes that decision -- is the wrong time to develop and apply security policy related to employment transition. Such policies should be planned and implemented long before that day comes. Being unprepared could result in security breaches, as well as resentment on the part of both former and current employees. Disgruntled employees create the very internal security problems against which you should protect your organization.

The following is a list of categories of security policy related to employment transitions. Some categories may overlap in certain areas, but each has its own, irreplaceable importance to overall policy effectiveness.

Note: This article originally appeared as an entry in our IT Security blog and is available as a PDF download.

1: Access controls

Biometric data, keycards, keys, parking or gate passes, and other physical access controls should be tracked and managed carefully. Many security precautions such as firewalls, deactivated remote access accounts, and strong password policy can be circumvented at times simply by walking up to a physical computer and doing things the "hard" way. Such items should be managed as carefully as possible without disrupting the work of employees, so that the items are more easily recovered, deactivated, and/or replaced if and when the time comes. In extreme cases, locks may need to be changed and new keys reissued, but in many cases a well-managed system should allow most access control measures for a given employee to be simply deactivated with a few keypresses or mouse clicks.

2: Accounts

Employee accounts must be carefully documented and, wherever possible, centrally manageable, so that they can be secured once an employee transitions out of the company. Where central management is not easily achieved, documentation becomes even more critical. Accounts that require special care include (but are not limited to) company credit cards, network logons, remote access accounts, server administration accounts, voicemail accounts, and workstation user accounts.

When an employee leaves the company, such accounts for the employee should all be deactivated as quickly as possible.

Don't forget that restoring from backups made before the employee's departure may restore that employee's remote access, user, and administrative accounts. Be sure you have policy in place to resolve such potential security issues in the event of disaster recovery operations.

3: Debriefing

Whenever possible, conduct detailed exit interviews with employees. Among the things you should want to know about are the employee's complaints about the company so you may improve things in the future, current work status, and encrypted file access. Don't let your ego stand in the way of improving conditions after a disgruntled employee leaves or of gaining important insights into what kind of mess you may have to deal with when it comes to a departing employee's current work in progress. Such information may be quite important to ensuring future security or recovering important work from secured files.

4: Documentation

In most cases, company policy should ideally require detailed ongoing documentation of employees' work on projects from day one of employment. This not only ensures easier transition of projects to other (perhaps new) employees and recovery of important data but also provides a sort of automatic audit trail for something the employee may later decide to maliciously alter if he or she becomes dissatisfied with work conditions. Such documentation should be logged to a central, version-controlled, regularly backed-up resource. It may seem unintuitive at first, but Web-based collaboration tools such as MediaWiki can actually serve these needs on some organizations' intranets.

Business documentation should be secured in other ways, as well -- such as by granular, need-dependent access authorization, so that outgoing employees may not easily engage in last-minute corporate espionage. If your documentation contains trade secrets, no employee should have automatic access to all documentation. Access should be limited to the documentation an employee needs and properly secured against unauthorized access.

5: Inventory

Detailed, regularly updated (preferably real-time) inventories of office and employee-assigned resources should be maintained for many reasons. One of the most important is so that you know what still needs to be recovered from an employee's possession when he or she leaves the company. Maintaining careful inventories up front will help produce clear checklists down the line when they are needed, so start implementing your inventory policy sooner rather than later.

6: Lockdown

Various levels of physical, file, and account access lockdown should be set up to be quickly and easily enacted in the event that an employee leaves the company or is under suspicion of malicious activity. While this is in some respects just a reiteration of a key point of other categories of employment transition security policy, it deserves its own discrete mention because a clear, comprehensive, and well-managed policy for lockdown procedures should always be carefully planned and implemented to ensure there are no oversights when the time comes to act on that policy.

7: Logging

Good logging procedures are key to tracking security compromise incidents and shaping incident response. This applies to employment transitions as much as it does to protecting your network against less personal threats from the Internet. Good logging procedures implemented today can ensure that when you have to lay off an employee tomorrow or lose one to a competitor, you will be able to track any suspect activity prior to the employee's departure as well as intrusions by a former employee after the fact.

Passive logging servers -- servers that "listen in" on network traffic and log data intended for the server without specifically identifying that particular server as the logged data's destination -- can be key to such precautions. Even in the absence of such resources, however, active and direct logging to systems outside the authorized access responsibilities of a given employee can help ensure a clean, secure record of any illicit activity.

8: Passwords

Policy should require that access codes, passwords, and similar measures all be reset to a temporary value that a departing employee would have no way of knowing, until the accounts can be deactivated or even deleted entirely. It is for this reason, among others, that measures such as using personalized administrative accounts should be taken long before an employee leaves the company -- so that a single employee leaving does not require the entire IT department to learn a new set of admin passwords. Careful records should be kept of what accounts are supposed to exist on all company IT resources, so that unauthorized accounts can be quickly identified and dealt with, and so that previously authorized but newly obsolete accounts can be shut down and passwords changed as needed without fear of overlooking something.

In many cases, it may even be desirable to change passwords on accounts to which the departing employee was not supposed to have access. After all, employees sometimes share account passwords, store them on sticky notes affixed to their monitors, or keep them tucked under keyboards or in desk drawers, despite the best efforts of the IT department to disallow such practices and enforce strong password policies.

Don't make the mistake of resetting passwords to some default or easily guessed value (such as "1234"), either. Changing passwords when an employee departs doesn't help much if the "new" passwords are either widely known defaults or subject to brute-force cracking in a matter of seconds.
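As an added example (not code from the article or its author), here is the account-reconciliation check that sections 2 and 8 describe in policy terms: a register of the accounts that are supposed to exist, compared against what is actually present on each host, producing an offboarding checklist. The register, host names and account names are all constructed; the "fileserver" listing is built to show what a restore from a pre-departure backup looks like.

```python
import secrets
import string

# Constructed register of accounts that are supposed to exist. "active"
# mirrors HR status; "shared" marks accounts whose password more than one
# person may know (service and admin accounts). Hypothetical data.
REGISTER = {
    "jdoe":       {"owner": "J. Doe", "active": True,  "shared": False},
    "rlee":       {"owner": "R. Lee", "active": False, "shared": False},
    "rlee-admin": {"owner": "R. Lee", "active": False, "shared": False},
    "svc-backup": {"owner": "IT Ops", "active": True,  "shared": True},
}

# Constructed per-host listing of accounts actually present (name -> enabled).
# "fileserver" was restored from a pre-departure backup, which brought R. Lee's
# accounts back; "vpn-gw" carries an account nobody documented.
HOST_ACCOUNTS = {
    "fileserver": {"jdoe": True, "rlee": True, "rlee-admin": True,
                   "svc-backup": True},
    "vpn-gw":     {"jdoe": True, "rlee": False, "ghost": True},
}


def reconcile(register, host_accounts):
    """Compare what exists on each host with what is supposed to exist.

    Returns four lists of (host, account) pairs:
      disable      - departed owner, still enabled (act immediately)
      remove       - departed owner, already disabled but still present
      unauthorized - present on the host but absent from the register
      rotate       - shared accounts on hosts where a departed user had an
                     account, whose password that user may have known
    """
    findings = {"disable": [], "remove": [], "unauthorized": [], "rotate": []}
    for host, accounts in sorted(host_accounts.items()):
        departed_here = False
        for name, enabled in sorted(accounts.items()):
            entry = register.get(name)
            if entry is None:
                findings["unauthorized"].append((host, name))
            elif not entry["active"]:
                departed_here = True
                findings["disable" if enabled else "remove"].append((host, name))
        if departed_here:
            for name in sorted(accounts):
                if name in register and register[name]["shared"]:
                    findings["rotate"].append((host, name))
    return findings


def temporary_password(length=20):
    """Random reset value for rotated accounts; never a default like '1234'."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running `reconcile(REGISTER, HOST_ACCOUNTS)` after every restore as well as at departure catches the backup case the article warns about, since the register, not the host, is the source of truth.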

9: Personal electronics

Clear security policy with regard to personal electronics is often important to security. If the company deals in trade secrets, such electronic gear as cameras, USB flash media devices, and personal laptops may need to be carefully controlled or even disallowed. Disallowing cameras is becoming increasingly difficult with the ubiquity of cameras integrated into cellphones, and flash storage media may be difficult to regulate with the growing ubiquity of portable MP3 players. But that does not necessarily mean you should throw your hands up in frustration and ignore the potential problems. Leaving such matters unaddressed may lead to security compromise in the wake of an employment transition, such as in the case of an employee that has taken advantage of lax policies to copy sensitive documents and keep the copies stored offsite.

10: Privacy

Provide employees with clearly marked and limited private resources, such as a private directory each employee may use to store personal notes that are not specific to work project data. Doing so will ensure that personal data does not get mixed with company data, making it easier to clean out unnecessary data after an employee has departed and provide final personal data recovery access to an employee (such as to-do lists that may include personal matters). Whether such data will be backed up is, of course, up to the company, but employees should generally not rely on the company to provide backups of private data that is not directly related to the business.

Make sure that the company has a clearly articulated privacy policy. You will probably want to check data in an employee's private directory when that employee is terminated before providing access so he or she can recover personal notes -- and to be certain there are no hard feelings, the employee should know that any data on company drives is subject to review in the event of termination as a matter of standard procedure. A lot of the potential for attempts to compromise security because of resentment can be avoided by making it quite clear that there's nothing personal in company privacy policy.

Preparation and incident action

Policy for handling an incidence of employment transition -- whether someone is being fired, leaving in (self-)righteous fury, retiring after 40 years, being laid off in tough economic times, moving on to a career development opportunity at another company, freeing up time for school or other projects outside the company, starting his or her own business, or leaving for some other reason entirely -- is important not only for business continuity, but also security against potential intrusions. Policies that at first glance may not be directly related to employment transition, that need to be enacted from day one of employment for maximum positive effect, are also important for the same reasons. They may mean the difference between smooth transition and a bureaucratic, security-ineffective nightmare. Begin your policy development and implementation now. You'll be grateful for it later.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

8 comments
famigorena

A weird fact about deactivating or deleting Windows accounts: Imagine for example that an employee (let us call him Jack) is fired and knows that his dismissal is coming. Jack is logged on at 04:00 pm and at 04:05 pm a System Administrator disables and/or deletes his account. Guess what happens? Jack is still logged on to that workstation and maybe connected to some servers. All he has to do is unlock that workstation, and typically workstations do not go and check unlock requests with the domain controller. So Jack is still going to be there on that computer, even though his account has been disabled and deleted? In order to fill this gap in Windows, you should take a look at UserLock (http://www.userlock.com), a 3rd-party software solution that allows sysadmins (among other session control features) to remotely lock, unlock, log off and reset all sessions.

nnewell

I would have to agree with all of this, and we would always recommend that there is a policy in place within the company to deal with leavers and ex-employees. As a consultant to companies on preparing themselves for disaster and ensuring continuity of operation, this is one area I have seen many companies fail to address adequately, and this can and does compromise the business. Regards, Norman

networkguyinsavannah

Walking people off the property upon resignations is not only rude, but is a sure sign of an employer's inability to accept "loss" except on their terms! If it was resignation in lieu of firing or firing, I would say ok, yes, do it. But if a person gives advance notice, is on good terms, and/or is leaving to better themselves, then let them work. My last employer's action of suddenly treating me as a "traitor" just because I got a job with a 10K raise left a very bad taste in my mouth. That taste came out when he called me three days after the fact and wanted to know X, Y, and Z. I politely told him that since "I was no longer a valued employee" (his terms when I submitted my letter of resignation), any knowledge would be forthcoming only upon hiring me as a consultant... fees paid up front.

dean.owen

This is a good list of best practices which has been around for decades in one form or another. Many companies - large and small - don't follow them because they don't have the resources (people, time and/or money) or the awareness that these are issues until it's too late, or they find them inconvenient. Sometimes the simple solutions are best . . . like filling the USB ports on company computers with epoxy.

cynic 53

All these 10 measures are fine in their own way, but if an employee is either being fired or made redundant owing to changes in the employer's activities or because of the economic downturn, then why make them stay and work out their notice? If they do wish to get their own back, this is the prime time for them to do so. Instead, take the loss of paying them 4 weeks' wages for no work for the 4 weeks or so and let them go straight away that very day. Not only can they not then commit any sabotage (if they are so minded), but they will probably welcome being paid to the end of that month but no longer having to work at a place where they were unhappy and no longer welcome. It will either be a few weeks' additional paid holiday for them or a nice bit of extra money if they can get another job straight away. To my mind, making someone work out their notice is a Victorian concept, and any work one does get is likely to be sub-standard, as their heart will not be in it, even if they do not intentionally mess things up. Certainly, as they are being told that they are no longer required, or as they hand you their resignation if they are leaving of their own free will and accord, then lock out their computer access etc. However, get shot of them asap. I also feel that asking people to attend a leaving interview is a waste of time for both parties and can lead to a lot of heat but little light being produced.

Too Old For IT

Someone tried that a couple of engagements ago. Suddenly, no one could plug in a keyboard, mouse, VPN key, dongle for the REALLY expensive software. That paranoid security wanna-be was escorted from the building. Epoxy in the USB ports is just plain childish. Treating employees with trust and respect is not. Even if someone is coasting toward retirement, not really contributing, you can treat him or her with respect. Heck, maybe even keep them around in honor of their past contributions, or because it is the "right thing to do" from a societal standpoint in rough economic times.

Kam Guerra

Why not treat employees respectfully before, during, and after the transition process? Wait - that actually requires effort on the company's behalf. Never mind.

Too Old For IT

Unless someone is being fired for malfeasance, you very likely will run across this person again. You may have an upturn in business that would bring him back, perhaps a project he can work on as a contractor. More likely, you may be bidding a project at another company, and there he is on the review committee. And you walked him out the door because your bean counters said his salary was needed for the CEO bonus that year. Or to pay the electric, whatever. I suppose one could make an argument that "it was just business" and he should turn the other cheek. But let's face it: Most business loyalty, ethics, principles and values are (in the 21st Century) on a good day merely fetid, and on a bad day altogether putrid. Why add to it with a surly dismissal?