6 best practices for ensuring offboarding cybersecurity

1. Insist on a seat at the table

Security decisions should not only be made by the employees in charge of implementing and overseeing computer systems and networks. HR leaders should contribute to decisions about employees' and contractors' physical and electronic access to company systems, and HR should have decision-making power over IT and security topics at the highest levels.

Ideally, an HR representative would serve on the company's IT and security governance or risk committee.

2. Begin cybersecurity best practices during the onboarding process

An effective offboarding process begins during onboarding. Simply hiring a trustworthy person is of course important, but HR staff must also set clear security expectations with the new employee or contractor and receive the employee or contractor's sign-off on those policies. Staff will likely take security policies more seriously if they're required to sign off on them.

HR staff should also remind employees periodically about cybersecurity expectations and think of creative ways to discuss them. Staff meetings and funny videos are two potential approaches, and almost anything is better than simply handing employees a copy of the employee handbook and failing to follow up.

HR staff should also make sure employees understand the ramifications of corporate security policy violations, and if employees violate those policies, consequences must follow. If management treats security policies and protocols as afterthoughts, employees will follow suit.

3. Disable user accounts for company systems

Employees can easily abuse computer, network and application user accounts after leaving the company if HR doesn't work with IT to make sure IT has disabled those user accounts. Account removal is also an option if doing so is legally sound or otherwise necessary. HR confirming that IT has completed these tasks can serve as a good backup.

This work should begin before any employee departure. HR and IT should create an inventory of all employees' systems access to make the process of removing these permissions as easy as possible.

4. Collect company property

Gathering devices and other hardware from employees is critical to avoid an employee keeping sensitive information or access. HR and IT should work together to confirm that the departing employee has returned all company property.

This property ranges from the obvious, such as laptops, tablets and phones, to other equipment like door badges, tokens or dongles used for system access, and USB drives. HR and IT should also consider retrieving hand-written notes and any other pertinent documentation that may contain intellectual property or customer information.

If employees or contractors use their own computers, tablets and phones, a review of those systems may be necessary. HR staff can also get more information about the employee's company equipment from the employee's manager.

5. Work with the legal department on terms and conditions

HR leaders should work with legal counsel to determine how to monitor and enforce terms and conditions of employment, including confidentiality agreements, after the employee's departure.

Terms and conditions still apply after the employee leaves, so HR staff must confirm that the employee fully understands this. HR should also discuss agreement violations and how to handle them with the legal department.

6. Notify company partners and customers

HR staff should determine who will alert company partners and customers that the employee is no longer with the organization.

Notifying partners and customers about the employee's departure is courteous and can also put them on alert for any nefarious behavior from that employee, especially if the worker left on bad terms.