Although a departing employee exits through a single door, there are myriad potential digital doors back into your company’s network.
If not properly offboarded, ex-employees can gain access to your organization’s data, with the potential to do irreparable financial and reputational damage without detection. Take the story of the disgruntled ex-employee Juan Rodriguez, who worked for Marriott. After his termination, Rodriguez remotely accessed the company’s systems. He allegedly changed the price range of 3,000 rooms from $159-$499 to $12-$59, resulting in the loss of more than $50,000. Could this situation have been avoided?
Below are some steps to take during an employee’s offboarding process to secure your organization and close the door on ex-employees for good:
Step #1 Conduct a Post-Termination Access Audit
To secure your organization from ex-employees, you should first know what they had access to in your network. Phone, email, cloud applications, social media accounts, ordering systems, and vendor accounts should all be taken into consideration. Did this user share credentials with anyone inside your organization? What privileges did this user have? Depending on the size of your organization, you may want to collaborate with other departments to gain a bird’s eye view of the departing employee’s access to your company network.
Step #2 Disable and Monitor User Accounts
Before you delete a user account, you should disable it. Disabling a user account gives you the opportunity to monitor it for unusual activity and to plan for business continuity. During this period you can review the user's access to verify that nothing out of the ordinary took place before the termination. Cloud applications such as Salesforce, Office 365, Google Drive, and Box should be monitored due to the vast amount of company data stored within them. Below are activities to monitor for:
- Exporting activity – did the employee export and take data out the door prior to departure? (e.g., customer or prospect lists, financial information stored within Salesforce)
- Privileged users creating new accounts – look for the creation of new accounts or accounts associated with any service accounts. Privileged users can create a backdoor into your network and need monitoring in depth.
- Login activity – look for inappropriate login activity that shows users are still attempting to access company systems.
- Email – monitor any post-termination access to email such as Office 365 to ensure that users don’t have backdoor access to company email. Monitor for transfer of any email between work and personal accounts.
Step #3 User Behavioral Analytics
If you detect inappropriate or unusual behavior inside your cloud applications during the monitoring process, you should use behavioral analytics to draw insights into the incidents. For example, if you discover that Joel, an account manager, usually accesses 200 accounts per day in Salesforce and he starts accessing over 400 accounts per day, you can dig into the analytics to assess what drove this behavior. Comparing against Joel’s past behavior, you see that this instance is an anomaly. You’re then able to confidently address the situation and regain control of your data.
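As an added illustration of the baseline comparison in Step #3 (not code from the original article or from any FairWarning product), the Python example below counts the distinct accounts each user touches per day and flags a day that far exceeds that user's own history. The event format, user names, dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def daily_distinct(events):
    """(day, user, account_id) events -> {user: {day: distinct accounts accessed}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, account in events:
        seen[user][day].add(account)
    return {u: {d: len(s) for d, s in days.items()} for u, days in seen.items()}

def flag_anomalies(counts, min_history=5, k=3.0, floor_ratio=0.10):
    """Compare each day with the user's own prior days (median and scaled MAD).

    k and floor_ratio are assumed tuning values; the floor keeps a very steady
    user from alerting on a change of a few records.
    """
    alerts = []
    for user, days in counts.items():
        history = []
        for day in sorted(days):
            n = days[day]
            if len(history) >= min_history:
                base = median(history)
                mad = median(abs(x - base) for x in history)
                spread = max(1.4826 * mad, floor_ratio * base)
                if n > base + k * spread:
                    alerts.append((user, day, n, base))
                    continue  # keep the outlier out of the future baseline
            history.append(n)
    return alerts

def sample_events():
    """Constructed data: Joel near 200 accounts/day, then 410; Dana steady near 40."""
    start = date(2024, 1, 1)
    joel = [198, 203, 200, 195, 207, 201, 199, 204, 196, 202, 410]
    events = []
    for i, n in enumerate(joel):
        day = start + timedelta(days=i)
        events += [(day, "joel", f"ACC-{j}") for j in range(n)]
        events += [(day, "joel", "ACC-0")] * 3  # repeat views count once
        events += [(day, "dana", f"ACC-{j}") for j in range(40 + i % 3)]
    return events

if __name__ == "__main__":
    for user, day, n, base in flag_anomalies(daily_distinct(sample_events())):
        print(f"{day} {user}: {n} accounts vs. baseline {base:g}")
```

Because each user is compared only with their own history, Dana's much lower but steady volume raises no alert, while Joel's jump does.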
Step #4 Delete or Retain User Accounts
The last thing you want to do is delete user accounts that should have been retained – a user account may be the only point of access to a resource or account. Inactive accounts can create risk for your organization, but some accounts should never be deleted (for example, Active Directory accounts should not be deleted). Security, IT, and HR should collaborate to establish a concrete set of policies for account deletion in order to securely delete accounts that create risk for your organization and keep the ones that need to be retained for security purposes.
Closing the Door with Security
Due to the nature of modern business, organizations are now a vast interconnected web where information is stored and transmitted between parties. Employees who have access to this information may eventually leave your organization, and when this happens it’s imperative that you have the proper security controls in place so that once they leave your network, they have no other way of getting back in.