Does your small business deactivate employee accounts after separation? Is this done promptly upon separation? A recent survey by PasswordManager.com finds that 47% of former employees still access their former accounts. Maybe more frighteningly is the survey also finds that 10% of former employees access these accounts to be malicious. Just as you onboard employees with new accounts, it is equally important to offboard employees as they leave your small business. This should be done with very few to no exceptions. Even if the employee leaves on good terms, removing access promptly upon separation is critical.
Onboarding your employees
When you hire a new employee or deploy a new business system, you onboard your employees and get them the access they need to perform their jobs. During this process, it is important to make sure that you aren’t granting too much access. Best practice is to grant the minimum amount of access needed to perform their daily job duties.
Offboarding your employees
Similarly to onboarding, having a plan in place to remove access from former employees is critical to protecting your business data and systems.
Removing access and how promptly it is removed is usually decided prior to the employee leaving. For example, if the employee leaves on good terms and is working their regular shift to the end of the work day or close to it, you would consider removing access on their last day at the end of the business day. There is a caveat though, which is the level of access they have and how mission critical it is. The more important the access, the more important it is to transition that access earlier.
Now if an employee is leaving on less than desired terms or is a disgruntled soon to be former employee, it might be worth considering removing access even prior to their final day of employment. This can help reduce the chances of a malicious disruption on their behalf.
What you can do
Offboarding has many tasks that occur, so have a business policy for data and system access. This will provide clarity for employees and provide instructions for those who need to remove the access. So remember to deactivate your employee accounts when they become former employees!
To learn more about current cyber threats to your small business, steps you can take to protect your business, or to learn more on cybersecurity, check out Small Business, Big Threat!