How HR Teams Can Minimize The Risks Of Cybersecurity Threats

4 tips to secure onboarding and offboarding processes

Cybersecurity threats are a significant concern for businesses across the board, especially those currently supporting remote workers due to the coronavirus pandemic. Amid uncertainty across the country, attackers have been doing their best to capitalize on businesses that may not be prepared. While there are always uncontrollable risks from the outside, there are also plenty of risks generated from within an organization itself. One of the highest risks is the actual employees themselves. If not onboarded and offboarded correctly, employees that leave an organization can expose a business to tremendous threats, including data leaks. 
 

Onboarding and Offboarding – A Crucial Security Function

The Human Resource (HR) department plays a critical role in ensuring that employees are onboarded and offboarded properly. Usually, much of this work occurs during communication between the employee and the HR department. Still, external communication between departments is necessary, which is typically where the first security threat occurs. For instance, if access is not securely set up for new employees or revoked immediately for exiting employees, there may be holes where data can be lost. 
 
While the onboarding process is an exciting time that helps acclimate an employee to the organization's corporate culture, team, and procedures, the offboarding process is equally important. An offboarding checklist guides the employee when they leave the organization. Proper offboarding should include all the steps needed to ensure both the employee and the organization have a successful parting of ways, while also protecting valuable data from being exfiltrated or leaked.  

Proper Offboarding - Essential for Cybersecurity

While the HR process may not be at the top of an IT team's list of security priorities, it is an essential part of an organization's overall cybersecurity practices. Improperly offboarding employees who have access to business-critical data can lead to a wide array of data security issues, including:
 

• Data loss – Data may be deleted or intentionally destroyed by a former employee.
• Data leak – Sensitive, business-critical data can be accidentally or deliberately leaked by a former employee who was not offboarded correctly.
• Compliance and regulatory violations – Employees who are not appropriately offboarded and who are involved with a data breach can leave your organization exposed to further complications.
• Tarnished business reputation – Lost customer confidence and tarnished business reputation can have an untold fiscal impact on your business.
• Wasted spend – Employees who are not offboarded correctly may leave the organization wasting spend on unnecessary cloud accounts and other resources that could have been repurposed or discontinued altogether.

 
Experiencing any of the above results of improper employee offboarding can be disastrous to a business. 

Offboarding Processes to Ensure Data Security

What are the vital offboarding processes that are directly related to the security of an organization? 
 
1. Revoking employee access to company accounts – Most organizations utilize a host of different online tools, services, products, and solutions. Employees gain access to a variety of these systems when they join an organization. A crucial step in the offboarding process is revoking the employee's credentials to all company accounts. This helps protect data from any actions, inadvertent or malicious, by the former employee. Data stolen from employees can damage the business or lead to a leak of sensitive information. 
 
HR will generally work closely with the Information Technology (IT) department to coordinate the termination of access to company accounts. The employee's access may be terminated after their last day of employment; however, this may vary depending on an organization's offboarding and security policies.  
 
2. Reclaiming assets – Most employees that have spent any time with an organization will have various company assets in their possession. At a very minimum, this may include a company-issued laptop and a mobile device such as a cellphone (but can include external storage devices, keys, fobs, and much more). Technology devices such as laptops and cell phones will most likely contain business data that could be business-critical, sensitive, or both.
 
Many HR departments will have a "checklist" of sorts to ensure company assets are returned before the employee makes their exit.  
 
3. Migrating business-critical data – One area that is often missed by organizations is the accounts and data associated with public cloud SaaS environments. The exiting employee may have played a role in specific business processes or have other essential data linked to their cloud account. Often, organizations continue to pay for former employee's accounts because it's easier to keep paying for the license than to migrate any linked data.
 
While this may be sustainable after one or two employees leave, the costs begin to add up over time as employees come and go. Organizations can find themselves paying for dozens, if not more, unused accounts to maintain access to the account data. A third-party tool can help to migrate data between an existing cloud SaaS account to another user account in the cloud. This allows organizations to reclaim the spend on any unused accounts that may exist in the organization. It also helps to consolidate and organize business-critical data effectively and efficiently.
 
4. Protecting against data exfiltration – What is data exfiltration? Data exfiltration is also known as "data theft" or the stealing of data from your organization. This could be intellectual property, clients, valuable contacts, or documents the employee may want to take with them to use for their benefit or the benefit of their new employer. Aside from merely stealing your organization's data to be used unscrupulously, data exfiltration can potentially lead to an all-out data leak. Data leak is arguably one of the costliest cybersecurity risks that can affect your business. 
 
In addition to the costs of a data breach, there can be compliance and regulatory fines, and other financial consequences levied against an organization if found in violation. The General Data Protection Regulation (GDPR) can levy fines up to 20 million euros or 4% of the total global turnover of severe breaches. The financial consequences to an organization for an all-out data leak or compliance violation are certainly not insignificant. 
 
Unfortunately, in many cases, an employee that sets out to exfiltrate data to use elsewhere will begin doing this before announcing their intent to leave. This makes it difficult and unlikely that traditional HR processes for offboarding can effectively eliminate these types of risks simply by reclaiming business assets from the employee.  
 
Many tools can help secure the process and procedures when offboarding an employee to prevent this data exfiltration. By leveraging these existing tech solutions and sticking to a straightforward step-by-step process, HR teams can minimize the risks associated with transitioning employees into and out of their company. 

Dmitry Dontov is the CEO of Spin Technology. Connect Dmitry Dontov Follow @spintechinc