Former employees: Gone but (passwords) not forgotten
Contributed Article: by Joe Siegrist, Founder and CEO of LastPass
Security is a buzzword right now – from cyber security to password security, it’s got everyone talking. When it comes to employees and passwords, IT departments try to take all the necessary precautions to ensure the business is secure. But what happens when an employee leaves a company? What security risks should businesses be aware of after an employee leaves (either voluntarily or otherwise)? Taking action following a change in staff is important for every company, but small and micro businesses may need more help. Many smaller businesses rely heavily on technology but aren’t big enough to support full-time IT employees or departments, so they may not know best practices for computer and data security.
While it’s best if your company has security processes in place before an employee leaves, in the event that they aren’t implemented, there are a few steps the company should immediately take.
- Deactivate the employee’s computer and accounts. Ideally, this should be done immediately upon termination. Change passwords for accounts they had access to, including conference lines and building codes. If you wait too long to do this, the ex-employee may have time to access company information to destroy, compromise, or steal from a remote site – even if their computer and other company devices have been confiscated prior to their departure.
- Collect all company devices, including computers, cellphones, tablets, security cards, credit cards, company manuals, and any other sensitive material or anything that provides access to that information. Preferably, this should be done before the employee leaves the office for the last time. The longer it takes you to deactivate accounts and computers, the more time an employee has to alter information (like file creation dates), completely delete files (evidence of misconduct or theft), or commit fraudulent acts (entering new data, loading new software, moving data). For the safety of your employees, it may also be advisable to change the locks and security access codes.
- Debrief the employee on confidentiality. If the employee signed a non-disclosure, non-compete, or non-solicitation agreement, review the document to make sure the employee is clear on their obligation not to reveal information on the company.
Now that you’ve taken care of the immediate needs of securing your company’s information, you can focus on implementing some security structures that will not only better protect your business, but will also make your life easier the next time an employee leaves.
- You need better control of your passwords. How many passwords do you have between your personal and work life? My guess is that it’s more than you even realize, and ideally each of those accounts should have a strong, unique password. Unfortunately, that is too much for most people to remember and we end up writing our passwords on sticky notes or Word documents saved on the computer. This is a habit you and your employees need to break. Keep your passwords somewhere where you, and only you, know where they are and have access to – a password manager, an encrypted file, or a similar system that works for you. Make sure it is a place you can store unique passwords for each account and keep track of them. Now that all your passwords are in one safe location, shred those Post-Its or delete the unsecured Word document. Finally, if you haven’t already done so, go through your accounts and make a unique password for each of them.
- You need better passwords. Speaking of passwords, they should be stronger. Hackers use computer systems that are able to recognize the “tricks” humans are likely to use to try to make better passwords. Use a complex combination of capital and lowercase letters, numbers, symbols, and if possible, stay away from dictionary words. Using a password generator that creates random, long passwords is the ideal solution.
- Your password isn’t safe if you give it away. Although account sharing can be convenient, it’s not worth the risks. It makes the company more vulnerable to attack since accounts are accessible by multiple employees (who may or may not have clearance to the information they are accessing). In general, it is important to know who has access to what information, when, and from where. If something unfortunate happens to the company, like theft or leaked information, there will be no way of telling which employee is responsible. If you give out the password to the wrong person and they cause damage – physical or reputational – you may be liable, which leads me to my next point.
- Maintain information on employee access and perform frequent audits. Set up a system that requires employees to use unique passwords to gain access to their accounts and information – ones that make it difficult to share password information. Access rights vary because of different security levels, job descriptions, and locations across the network. Maintain a secure database that keeps track of each employee’s access level, what they have access to, and passwords associated with that access. When an employee leaves, use this to create a checklist that their supervisor can use to disable their access rights, and to reduce the chance of error in doing so. Perform audits on accounts and enforce a strong password policy that requires passwords to be changed frequently. And remember, threats don’t always come from the outside – there can be intentional theft, lost or stolen devices, or accidental exposure. The more you are aware of what information is where and who has access to it, the more equipped you will be to handle a disaster.
- Separate personal and financial data. Implement network segmentation to restrict inter-systems access. Set permissions within your network so that employees only have access to information as needed to do their job.
- Last but not least, educate your employees. Develop an effective educational system that informs employees about the dangers of password and account sharing. Explain why security is important and essential to the functions of the company, and how they can contribute to the security through their everyday actions.
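One way to turn the access records described under "Maintain information on employee access" into the supervisor's offboarding checklist, as an added example that is not part of the original article. The inventory rows, employee names and the three `kind` values are constructed assumptions, and unlike the database the article describes, this inventory stores no passwords.

```python
from collections import defaultdict

# Constructed sample inventory (not from the article): one row per access grant.
# "individual" = personal login, "shared" = one password or code used by several
# people, "physical" = device, card or key. No passwords are stored here.
INVENTORY = [
    {"employee": "alice", "resource": "email", "kind": "individual"},
    {"employee": "alice", "resource": "laptop", "kind": "physical"},
    {"employee": "alice", "resource": "conference line PIN", "kind": "shared"},
    {"employee": "alice", "resource": "building door code", "kind": "shared"},
    {"employee": "bob", "resource": "email", "kind": "individual"},
    {"employee": "bob", "resource": "conference line PIN", "kind": "shared"},
    {"employee": "carol", "resource": "building door code", "kind": "shared"},
]

# Action per kind, listed in the order the work should be done.
ACTIONS = {
    "individual": "Disable account",
    "shared": "Change password or code",
    "physical": "Collect item",
}
PRIORITY = list(ACTIONS)


def offboarding_checklist(inventory, leaver):
    """Build the supervisor's checklist for one departing employee."""
    holders = defaultdict(set)  # shared resource -> everyone who knows the secret
    for row in inventory:
        if row["kind"] not in ACTIONS:
            raise ValueError(f"unknown kind {row['kind']!r} for {row['resource']!r}")
        if row["kind"] == "shared":
            holders[row["resource"]].add(row["employee"])

    items = []
    for row in inventory:
        if row["employee"] != leaver:
            continue
        # Remaining staff need the new secret once a shared one is changed.
        notify = sorted(holders[row["resource"]] - {leaver}) if row["kind"] == "shared" else []
        items.append({"resource": row["resource"], "kind": row["kind"],
                      "action": ACTIONS[row["kind"]], "notify": notify})
    # Stable sort: accounts first, shared secrets next, physical items last.
    return sorted(items, key=lambda item: PRIORITY.index(item["kind"]))


if __name__ == "__main__":
    for item in offboarding_checklist(INVENTORY, "alice"):
        extra = f" (give new value to: {', '.join(item['notify'])})" if item["notify"] else ""
        print(f"[ ] {item['action']}: {item['resource']}{extra}")
```

Every shared row on a leaver's checklist is a credential that has to be changed for everyone, which is the cost of account sharing the list above warns about.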
Though there is an upfront investment in taking the time and effort to put better security measures in place, the return on investment is massive when mitigating the likelihood of incidents with departing employees, which can cause untold damage to company assets and reputation.