Employees will come and go in any organisation, so it helps to have an up-to-date, effective employee exit IT security checklist to make sure that there are no gaps in your defences after they leave. This security checklist is in addition to the standard offboarding process.
When an employee leaves, here's a comprehensive list of what you need to action in order to protect your data and your clients’ data.
1. Protect access to sensitive and critical data
If the employee leaving has access to sensitive or critical information, it may well be best to arrange a chaperone while they clear their desk and leave the premises. For some roles with elevated user access, even when the exit is amicable, the protection of business data is essential and an escort off the premises is advised.
2. Revoke all remote access
Immediately revoke access to all remote services associated with that employee, including remote desktop, VPN, voicemail, Cloud services and shared drives.
3. Revoke access to email
Immediately revoke access to all email addresses associated with that employee. They have left the company and should no longer have the ability to speak for it.
4. Set up auto-forward emails
To ensure that no important email goes unread in an inactive inbox, set up auto-forwarding and out-of-office replies as soon as the employee has left. For client communications, make sure that you clearly update them to specify who their new contact will be.
5. Take back company devices
That includes mobile phones, laptops, flash drives, printers, keyboards, headphones and other accessories. Any device issued to an employee by the company should be returned before they leave.
6. Revoke access to all systems
At the end of the employee's last day, update every internal system they no longer need access to, so that their access is removed.
7. Ensure handover of online documents
It’s best practice to have employees store any online documents in a shared company folder that you keep control over, using business tools such as SharePoint or even OneDrive. If you haven’t implemented Cloud services yet and your employee stores their files in a separate folder, on a hard or external drive, or on a personal computer, it’s imperative that you ensure everything is transferred and that the originals are deleted from their devices.
8. Change all company-wide passwords
You should change any password shared with multiple members of staff when an employee leaves. It’s best practice to change all passwords regularly and, depending on the employee’s position, it’s imperative that password changes take place on receipt of resignation. Don’t forget to check user privileges, to ensure they no longer have access to anything they shouldn’t have.
9. Change company card PINs
If the employee had use of company credit cards, be sure to change the PINs.
10. Inform your IT security team
Ensure your security team knows of all leavers in advance if possible, and as soon as possible once confirmed. Should the employee be leaving on bad terms and you suspect any trouble or issues, make sure that your IT team puts provisions in place so they can take the necessary precautions. It’s better to be safe than sorry.
11. Personal Social Media Accounts - Check the employee's online and social media presence
It’s always good practice to have an exit policy for any employees who have had access to your company social media accounts, for example marketing staff or managers. Ensure that passwords are changed on each account, and that any personal accounts that are linked or associated via a management platform are removed. Your business may have these and other social accounts that you’ll need to secure: Buffer, Google Business (as this service requires a Gmail login), LinkedIn business page, and Facebook for Business access. Have a Leavers Procedure in place to ensure these platforms are immediately protected. You may have utilised your employees’ personal social media accounts to extend your brand presence on social media, for example with company-branded headers or content broadcasting. If so, ensure that changing any social media corporate branding is also in your leavers policy. Should your employee leave on bad terms, it may also be necessary to monitor their public accounts in case there is some slanderous content.
Make it a clean break
Whether the goodbye is amicable or not, you can’t be careless with your employee exit procedure. It’s best to cover all bases rather than miss something seemingly small and expose your company or social accounts to misuse or a data breach. So put your Employee Exit IT Security policy in place, test it and enforce it. Ensure it's reviewed every quarter and amended where needed, in case the world changes again, as it did in 2020 with Covid-19, or new technologies and services are introduced and utilised.
Follow this employee exit IT security checklist to ensure any employee exits are professional, swift, security focused, clean, and risk-free.
(This post is an updated version, first published on 3 December 2018, updated 6 February 2020 and 10 December 2021)