IT Off Boarding: Building an IT Action Plan for Workforce Reduction

When an employee leaves the company, a certain process must be taken to decommission them as an employee. Workforce reduction and offboarding is something that HR usually handles the majority of. Exit interviews, severance packages, and necessary organizational changes are all on the human resources side of things. However, in this day and age, the IT department is also part of the offboarding process. Employees are so hooked into the company data, often with personal accounts and authorized access, that they must be digitally disentangled from the company before they can safely leave.

Whether a person has been let go or is departing for another job, IT needs to walk through certain steps when the workforce is reduced. Each person who leaves the company must be removed from the system, their equipment returned and wiped, and their projects transferred to the team or supervisor they have been working with. 

IT Responsibility During Offboarding

Employees leaving the company means company data and access to company systems may be at risk. In a best-case scenario, employees leave under positive conditions and work with you to offboard themselves from the system. In a worst-case scenario, someone is asked to leave and might take retribution if allowed even one extra hour’s access to the company network and digital resources.

Companies must consult with their IT department to build an action plan in place both for damage-control off boarding and for collaborative off boarding.

The Basic Concerns of Safe IT Offboarding

  • Mischief and Retribution
  • Accidental Post-Employment Exposure
  • Legacy-Permission-Based Security Gaps

Make sure your action plan covers all your bases. The top three concerns for IT offboarding are mischief, accidental exposure, and legacy permissions. When an employee leaves against their will, you will need to take damage-control steps against mischief and retribution, cutting them off from company resources before damage can be done.

Ex-employees who still have access to company resources, say, on their phones could accidentally allow a breach if the phone falls into the wrong hands. Lastly, having an account that still has file permissions is leaving a loophole open for account-spoofing hackers.

Courtesy in the Face of Security

  • Access to Work Email – Limited to Internal Communications
  • Retrieval of Personal Files
  • Helping Coworkers Transition

For employees leaving on their own plans, you can take a different path. Assist the ex-team-member in transitioning their files and closing out their company email, while making sure there are no security gaps left behind when the process is through.

IT Action Plan When an Employee Leaves the Company

Assign an Exit Transition Rep

Choose one member of the IT team to interface with the employee, if necessary. In most cases, offboarding will be fast, smooth, with minimal messages. But sometimes things need to be handled personally. Having a different IT member answer each question or problem is a recipe for miscommunication and mess. Instead, assign an exit transit rep, one admin or IT department member to handle all communications and any guided transition for each employee who leaves the company

Determine the Risk Level

As we’ve discussed, there are two paths for digitally offboarding an employee. Someone leaving in friendly conditions can be helped to transition their files and authorizations to their team or supervisor, or successor, as they go. Someone who must be prevented from mischief or retribution on the way out needs to be blocked from this course immediately by cutting off their access to company resources and messaging before or at the same time as they are released from employment.

High Risk – Take Steps, Then Notify

If an employee might be considered a security risk on departure, HR needs to let you prepare for this maneuver ahead of time. Ideally, you will be able to coordinate closing access to accounts, data, and equipment with the employee’s exit from the workplace. This way, the employee can close their employment cleanly and without the risk of a security breach.

Low Risk – Notify and Work Together on Transition

For employees who take part in their exit and transition plan, build a protocol to assist in the closure.  Let the employee know during their last two weeks what steps they can take to hand over their files, data, projects, and equipment. This way, you’ll have everything ready to close accounts and change the passwords on their last day.

Group of people working in a modern board room with augmented reality interface, all objects in the scene are 3D
Group of people working in a modern board room with augmented reality interface, all objects in the scene are 3D

Protect Access to Company Data

  • Change All Company Passwords and PINs
  • Remove Employee from All Files and Work Groups
  • Remove Employee Cloud Access
  • Cancel Access to Company Accounts
  • Disable Employee Personal Device Authorization

Employees have exclusive access to files, data, platforms, group projects, and company resources. They may also have access to or control key company accounts. It is essential that every ex-employee be completely scrubbed from data access through all relevant vectors when working with workforce reduction.

Start by changing all the passwords. It’s best to change passwords company-wide with the assumption that the employee could have gained access to additional or non-essential codes. Change the PINs as well.

If you control data access through account authorization, de-authorize the ex-employee’s accounts from everything. Do not leave a hanging permission for an unused account, as this can be dangerous. Make sure all dormant or canceled employee accounts have no permissions or authorizations. If the employee has a company account or personal email access to your cloud platform or third-party services, remove them for workforce reduction.

Lastly, make sure this ex-employee’s personal devices are no longer authorized to access the company network or software. At the same time, make sure they’re removed from alerts and messages once they’re out of the workplace.

Considerations for Inaccessible Backups

Some employees will have local backups of company information on their personal devices. This is usually active or references material like project work-product or paperwork that’s been managed recently. However, Git backups tend to be more complete. Consider your plans for dealing with backups that you cannot access, retrieve, or delete when dealing with workforce reduction. There is not currently a best-practice for this but your company should be aware of the possibility.

Close Out the Employee Email Address

Low Risk

  • Limit Company Email Address to Internal-Only Messaging
  • Set Up Appropriate Email Forwarding
  • Enable Final Document and Project Transitions
  • Replace Employee in Email Lists
  • Disable Employee Email Address

High Risk

  • Disable Employee Email Immediately
  • Replace Employee in Email Lists
  • Forward Inbox to Company Alternate

When the employee is done with the role, make sure their email address is deleted or permanently deactivated. This is a multi-step process that must be done with low-risk vs high-risk considerations. In both cases, you will need to redirect emails to new employees or to the ex-employee’s personal account. In both cases, you will need to replace the ex-employee’s email in any mailing lists and subscriptions for the company. You will also want to set up an “away message” and redirect service for incoming messages.

In a low-risk situation, work with your employee to transition their email incoming and outgoing. In a high-risk situation, cut off email immediately so that no false or unpleasant messages are sent in response.

Retrieve Company Devices

  • Arrange for the Return of Company Devices
  • Backup Work Data
  • Wipe Clean all Devices

If the employee has been using company-provided devices, IT is responsible for recommissioning them. You might also be responsible for retrieval. In a low-risk situation, advise the employee to remove and save their personal files and to get their projects ready to hand-off to a coworker. Then arrange the return of the devices. In a high-risk situation, try to reclaim the devices on the same day or slightly before the employee exits the workplace.

When you have the devices, back up any important information for transition and then wipe each device back to factory settings. They can be repurposed from there.

Correctly Transition Employee Data

  • Only Keep Relevant Data
  • Prevent Malware Transmission
  • Prevent Saving Duplicates
  • Sort Employee Data Back Into Shared Resources
  • Make Data Available to Supervisor and/or Team

Now you need to work with the employee data. Do not simply hand the saved hard drive to the ex-employee’s supervisor. This can result in inefficient data referencing as “G’s old Drive” becomes a ghost-location for files.

Instead, sort and reassign all data within. Start by making sure no potentially infected files made it through the previous clean sweep. Then grab only relevant data, avoiding saving Git backups of duplicate data. Transfer the employee’s sorted data into the correct channels of public resources, group projects, or files that go to their supervisor. Make sure the ex-employee’s supervisor and team can access anything they need of the ex-employee’s files.

Craft Your Action Plan for the Company IT Infrastructure

IT off boarding and workforce reduction is more demanding than ever, and exceedingly necessary with data breaches in the spotlight. By having an IT action plan for workforce reduction, you ensure that each time an employee leaves your company, they don’t leave with mischief or security breaches in their wake. For more insights into optimizing your IT security and strategies, contact us today!