Departing Employees Exit Your Building — But Have They Truly Left?

January 30, 2018 Marc Lalosh


Although departing employees may exit through a single door of your organization, there are myriad potential digital doors back into your company’s network.

If not properly offboarded, ex-employees can gain access to your organization’s data, with the potential to do irreparable financial and reputational damage to your organization without detection. Take the story of the disgruntled ex-employee Juan Rodriguez, who worked for Marriott. After his termination, Rodriguez remotely accessed the company’s systems. He allegedly changed the price range of 3,000 rooms from $159-$499 to $12-$59, resulting in the loss of more than $50,000. Could this situation have been avoided?

Below are some steps to take during an employee’s offboarding process to secure your organization, and close the door on ex-employees for good:

Step #1 Conduct a Post-Termination Access Audit

To secure your organization from ex-employees, you should first know what they had access to in your network. Phone, email, cloud applications, social media accounts, ordering systems, and vendor accounts should all be taken into consideration. Did this user share credentials with anyone inside your organization? What privileges did this user have? Depending on the size of your organization, you may want to collaborate with other departments to gain a bird’s eye view of the access any departing employees have in your company network.

Step #2 Disable and Monitor User Accounts

Before you delete a user account, you should disable it. Disabling a user account gives you the opportunity to monitor it for unusual activity and to settle on a plan for business continuity. During this period you can review the user's access to verify that nothing out of the ordinary took place before the termination. Cloud applications such as Salesforce, Office 365, Google Drive, and Box should be monitored because of the vast amount of company data stored within them. Below are activities to monitor for, whether for active or departing employees:

  • Exporting activity – did the employee export and take data out the door prior to departure? (e.g., customer or prospect lists, financial information stored within Salesforce)
  • Privileged users creating new accounts – look for the creation of new accounts, or of accounts associated with any service accounts. Privileged users can create a backdoor into your network and need monitoring in depth.
  • Login activity – look for inappropriate login activity to see whether users are still attempting to access any company systems.
  • Email – monitor any post-termination access to email, such as Office 365, to ensure that users don’t have backdoor access to company email. Monitor for transfer of any email between work and personal accounts.
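The four checks above can be run as rules over exported audit events. The following is an added example, not part of the original article or any vendor's product: the event tuple layout, the action names, the `corp.example` domain and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

CORP_DOMAIN = "corp.example"  # assumed corporate mail domain

# Constructed sample audit events: (timestamp, actor, app, action, detail).
# The layout and action names are assumptions, not a vendor schema.
EVENTS = [
    ("2018-01-10T09:12:00", "jdoe", "salesforce", "report_export", "Customer List"),
    ("2018-01-11T17:40:00", "jdoe", "office365", "mail_forward", "jdoe@personal.example"),
    ("2018-01-12T08:05:00", "jdoe", "directory", "account_create", "svc-backup2"),
    ("2018-01-12T10:00:00", "asmith", "salesforce", "login", ""),
    ("2018-01-16T23:31:00", "jdoe", "office365", "login_failed", "account disabled"),
    ("2018-01-16T23:35:00", "svc-backup2", "box", "login", ""),
]

def triage(events, user, disabled_at, lookback_days=14):
    """Flag the four monitored activities for one departing user."""
    disabled = datetime.fromisoformat(disabled_at)
    window_start = disabled - timedelta(days=lookback_days)
    created, findings = set(), []
    for ts_raw, actor, app, action, detail in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if actor == user:
            if action == "report_export" and window_start <= ts < disabled:
                findings.append((ts_raw, "export before departure", detail))
            elif action == "account_create":
                created.add(detail)  # remember it so later use can be traced
                findings.append((ts_raw, "account created by departing user", detail))
            elif action == "mail_forward" and not detail.endswith("@" + CORP_DOMAIN):
                findings.append((ts_raw, "mail forwarded outside the company", detail))
            elif action in ("login", "login_failed") and ts >= disabled:
                findings.append((ts_raw, "login attempt after disable", app))
        elif actor in created and ts >= disabled:
            # An account the departing user created is active after the disable.
            findings.append((ts_raw, "activity by account the user created", f"{actor} on {app}"))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS, "jdoe", "2018-01-15T18:00:00"):
        print(*finding, sep=" | ")
```

Tracking the accounts a departing user created matters because disabling the user's own account does nothing to an account they set up beforehand.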

Step #3 User Behavioral Analytics

If you detect inappropriate or unusual behavior inside your cloud applications during the monitoring process, you should use behavioral analytics to draw insights into the incidents. For example, if you discovered that Joel, an account manager, usually accesses 200 accounts per day in Salesforce and he starts accessing over 400 accounts per day, you can dig into the analytics to assess what drove this behavior. Drawing insights from Joel’s past behavior, you see that this instance is an anomaly. You’re then able to confidently address the situation to gain back control of your data.
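A minimal per-user baseline for the Joel scenario, as an added example that is not from the original article: it compares each day against the user's own trailing median, using the median absolute deviation (MAD) as the spread. The choice of median/MAD, the window, the multiplier `k` and the daily counts are assumptions made for illustration.

```python
from statistics import median

# Constructed daily counts of accounts accessed by one user, oldest first.
JOEL = [198, 205, 190, 210, 202, 195, 207, 200, 199, 204, 412, 431, 203]

def anomalous_days(counts, window=10, k=5.0, min_mad=5.0):
    """Return (day_index, count, baseline) for days far above the user's own norm."""
    flagged = []
    history = list(counts[:window])  # first `window` days seed the baseline
    for i in range(window, len(counts)):
        base = median(history)
        # MAD is robust to a few odd days; min_mad avoids a zero-width band
        # for users whose activity is almost perfectly constant.
        mad = max(median(abs(c - base) for c in history), min_mad)
        threshold = base + k * 1.4826 * mad  # 1.4826 scales MAD to a std-dev estimate
        if counts[i] > threshold:
            flagged.append((i, counts[i], base))
        else:
            # Only normal days update the baseline, so a sustained spike
            # cannot quietly become the new "usual" level.
            history = history[1:] + [counts[i]]
    return flagged

if __name__ == "__main__":
    for day, count, base in anomalous_days(JOEL):
        print(f"day {day}: {count} accounts accessed (baseline {base})")
```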

Step #4 Delete or Retain User Accounts

The last thing you want to do is delete user accounts that should have been retained – users may be the only point of access to a resource or account. Inactive accounts can put your organization at risk, but some accounts should never be deleted (for example, Active Directory accounts should not be deleted). Security, IT, and HR should collaborate to establish a concrete set of policies for account deletion in order to securely delete accounts that create risk for your organization and keep the ones that need to be retained for security purposes.

Closing the Door with Security

Due to the nature of modern business, organizations are now a vast interconnected web where information is stored and transmitted between parties. Employees who have access to this information may eventually leave your organization, and when this happens it’s imperative that you have the proper security controls in place so that once they leave your network, they have no other way of getting back in.
