When an employee leaves a company, what usually gets handled is the final pay and the handover of work. What often gets forgotten, though, is their access to company systems. And that is exactly where a quiet but serious security hole appears.

Why it is a risk

A former employee who keeps their access can, even months later, reach company mail, data, cloud services or invoices. At best this is just a mess; at worst it is a data leak, damage or a data protection problem. And it does not have to be malicious; it is enough for their account to be hacked.

What to handle on departure

It pays to have a simple list so nothing gets forgotten:

  • Disable or forward the email account; the company keeps the address.
  • Revoke access to all systems: cloud, shared drives, accounting, VPN, internal apps.
  • Change shared passwords that the person knew.
  • Recover company devices (laptop, phone) and deal with the data that was on them.
  • Remove administrator rights and transfer ownership of important accounts and files to someone else.
  • Revoke physical access: keys, chips, access cards.

Why it gets forgotten

In small companies there is often no process and access is handled “somehow”. Accounts then stay active for months, sometimes years. Another problem is shared logins (one password for several people), where after a departure you cannot revoke access for just one person.

The principle of least privilege

The best protection starts long before the departure. The principle of least privilege means that everyone has access only to what they really need for their work, and nothing extra. If an employee never had access to dozens of systems, there is far less to revoke on departure and the risk is lower. So review access regularly and take it away where it is not needed, rather than only ever adding more.

Timing on an involuntary departure

With a dismissal (especially an involuntary one), timing matters. Access is ideally revoked at the same moment the person learns of the termination, not a few days later. Otherwise there is a risk that, in anger, they download data or delete something. So coordinate with HR so that revoking the accounts and announcing the termination go hand in hand.

The risk of an insider leak

The biggest damage is done not by outside hackers but by people on the inside (insiders). A departing employee can take away the client database, price lists or source data. It does not have to be malice; sometimes they “just” take contacts they consider their own. So watch for unusual data downloads before a departure and have signed rules on handling company data.

How to prevent it

  • Everyone has their own account. No shared logins, so access can be revoked individually at any time.
  • Know who has access to what. A simple list of accounts and systems is enough.
  • Keep a “departure” task list that you go through every time someone leaves.
  • Two-factor authentication and keeping access tidy overall also help.
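
One way to put the “who has access to what” list to work, as an added example that is not part of the original article: a short Python audit that compares an account inventory with a list of leavers and reports every account still active after the person's last working day. The CSV columns, the sample names and the `audit` function are assumptions made for illustration, and all data is constructed.

```python
import csv
import io
from datetime import date

# Constructed inventory: one row per account. Several owners separated
# by ";" mark a shared login (one password known to several people).
INVENTORY_CSV = """system,login,owner,role,status
mail,anna@example.com,anna,user,active
mail,petr@example.com,petr,user,active
vpn,petr,petr,user,disabled
accounting,office,anna;petr;eva,admin,active
cloud,petr.admin,petr,admin,active
cloud,eva,eva,user,active
"""

# Constructed leaver list: person -> last working day.
LEAVERS = {"petr": date(2024, 3, 31)}


def audit(inventory_csv, leavers, today):
    """Return (system, login, person, days_overdue, action) for every
    active account that a departed person can still use."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["status"] != "active":
            continue  # already revoked
        owners = row["owner"].split(";")
        for person in owners:
            last_day = leavers.get(person)
            if last_day is None or last_day > today:
                continue  # still employed on the audit date
            if len(owners) > 1:
                # Cannot revoke one person from a shared login.
                action = "shared login: change password"
            elif row["role"] == "admin":
                action = "disable and transfer ownership"
            else:
                action = "disable"
            overdue = (today - last_day).days
            findings.append((row["system"], row["login"], person, overdue, action))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV, LEAVERS, date(2024, 6, 30)):
        print(*finding, sep=" | ")
```

Run against a real export, the same check shows how long each forgotten account has been open and which shared passwords need changing.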

Want your company’s access under control, so that an employee leaving is not a security risk? Get in touch and we will help set it up clearly and securely.