
Comprehensive Guide to Securely Offboarding IT Employees

Best Practice

Departing IT personnel can present significant risks to an organization due to their elevated privileges and access to critical systems and data. A disgruntled employee could use that access to cause damage, steal sensitive information, or misdirect funds. Additionally, "zombie" accounts—those no longer in use but still active—pose a serious security threat because cybercriminals can exploit them.

Follow this guidance to safely offboard employees without leaving loose ends that cybercriminals could take advantage of. 

Audit and Remove Accounts 

IT personnel, particularly system administrators, often have multiple accounts for different purposes, such as testing patches and updates, managing systems globally, and conducting user-specific activities. Conduct a comprehensive audit to identify and remove departing employees’ accounts.  

Your audit should include external services and applications, as well as accounts with vendors that have access to your network. Immediately reset passwords for accounts that need to be maintained. Failing to remove or secure accounts gives ex-employees or malicious actors opportunities to re-enter your system. 
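
An added example, not part of the original guidance: one way to run the audit described above over an account inventory exported from your directory, vendor portals, and applications. The CSV columns, the account names, and the `audit` function are hypothetical, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data): one row per account,
# merged from directory, vendor and application exports. Columns are assumed.
INVENTORY = """system,account,owner,enabled,keep,password_changed
ad,jdoe,jdoe,true,false,2024-01-10
ad,adm-jdoe,jdoe,true,false,2024-02-01
ad,test-jdoe,jdoe,false,false,2023-11-05
vendor-portal,jdoe@example.com,jdoe,true,false,2023-06-30
backup,svc-backup,jdoe,true,true,2023-09-12
backup,svc-report,jdoe,true,true,2024-05-21
ad,asmith,asmith,true,false,2024-03-03
"""


def audit(inventory_csv, owner, departure):
    """Return sorted (action, system, account) tuples for one departing owner."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["owner"].strip().lower() != owner.lower():
            continue  # account belongs to someone else
        enabled = row["enabled"].strip().lower() == "true"
        keep = row["keep"].strip().lower() == "true"
        changed = date.fromisoformat(row["password_changed"].strip())
        if keep:
            # Maintained accounts need a password reset dated on or after departure.
            action = "RESET_PASSWORD" if changed < departure else "OK"
        elif enabled:
            action = "DISABLE_AND_REMOVE"
        else:
            # Disabled but still present: a leftover account to delete.
            action = "REMOVE"
        findings.append((action, row["system"], row["account"]))
    return sorted(findings)


if __name__ == "__main__":
    for action, system, account in audit(INVENTORY, "jdoe", date(2024, 5, 20)):
        print(f"{action:20} {system:15} {account}")
```

The returned list can be saved with the offboarding record as evidence of which accounts were removed and which passwords were reset.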

Revoke Financial Access

IT personnel may have access to financial systems, especially if they are involved in purchasing equipment or managing IT budgets. It's vital to revoke financial access credentials to prevent unauthorized transactions or data theft. Review all financial permissions, including the ability to make wire transfers, and ensure all access is promptly removed or transferred to a new responsible party. 

Restrict Physical Access 

Physical access to the organization's premises, including server rooms, data centers, and offices, should be restricted immediately when an employee leaves. This includes collecting keys and access cards, as well as biometric dongles and other devices that grant entry to sensitive areas and third-party sites. Update security systems to reflect these changes and prevent unauthorized physical access. 

Change Shared Passwords 

Shared credentials are common in IT environments. Examples include passwords for administrative accounts, system logins, and shared tools. When an employee leaves, immediately change shared credentials to make it more difficult for former employees to access systems. 

Forward Communications 

To ensure no critical communications are missed, redirect the departing employee's email and other communication channels to a designated staff member. This action also helps in monitoring unusual activity or attempts to access systems after the employee leaves. 

Conduct an Exit Interview 

Exit interviews with departing IT personnel can provide valuable insights into potential security gaps or issues observed during their tenure. Use this opportunity to ask departing employees about undocumented access or accounts they created, as well as concerns about the organization's IT security. 

Document Your Actions 

Document steps taken during the offboarding process. Include accounts removed, passwords changed, and access revoked. Regularly review and update your offboarding policies to incorporate new security measures and address weaknesses identified during the process. 

No Loose Ends

Departing IT personnel can present significant risks to an organization due to their elevated privileges and access to critical systems and data. Follow this guidance to safely offboard employees without leaving loose ends that cybercriminals could take advantage of. 

Ensure all accounts are audited and removed, financial access is revoked, physical access is restricted, shared passwords are changed, communications are forwarded, and exit interviews are conducted. Regularly documenting and reviewing your offboarding process will further strengthen your cyber-defenses.