When HR leaders think about onboarding, they likely first consider the many HR tasks that are part of the process, but cybersecurity is a crucial aspect of offboarding that HR leaders can't afford to ignore. HR leaders should work with other departments to ensure they and others are following proper cybersecurity protocols during the offboarding process.
Proper cybersecurity practices for offboarding begin during the onboarding process and include HR collaborating with other departments, such as IT and the company's legal department.
Here are some steps HR leaders can take to ensure they are doing their part to minimize security risks caused by a departing employee.
1. Insist on a seat at the table
Security decisions should not only be made by the employees in charge of implementing and overseeing computer systems and networks. HR leaders should contribute to decisions about employees' and contractors' physical and electronic access to company systems, and HR should have decision-making power over IT and security topics at the highest levels.
Ideally, an HR representative would serve on the company's IT and security governance or risk committee.
2. Begin cybersecurity best practices during the onboarding process
An effective offboarding process begins during onboarding. Simply hiring a trustworthy person is of course important, but HR staff must also set clear security expectations with the new employee or contractor and receive the employee or contractor's sign-off on those policies. Staff will likely take security policies more seriously if they're required to sign off on them.
HR staff should also remind employees periodically about cybersecurity expectations and think of creative ways to discuss them. Staff meetings and funny videos are two potential approaches, and almost anything is better than simply handing employees a copy of the employee handbook and failing to follow up.
HR staff should also make sure employees understand the ramifications of corporate security policy violations, and if employees violate those policies, consequences must follow. If management treats security policies and protocols as afterthoughts, employees will follow suit.
3. Disable user accounts for company systems
Employees can easily abuse computer, network and application user accounts after leaving the company if HR doesn't work with IT to make sure IT has disabled those user accounts. Account removal is also an option if doing so is legally sound or otherwise necessary. HR confirming that IT has completed these tasks can serve as a good backup.
This work should begin before any employee departure. HR and IT should create an inventory of all employees' systems access to make the process of removing these permissions as easy as possible.
4. Collect company property
Gathering devices and other hardware from employees is critical to avoid an employee keeping sensitive information or access. HR and IT should work together to confirm that the departing employee has returned all company property.
This property ranges from the obvious, such as laptops, tablets and phones, to other equipment like door badges, tokens or dongles used for system access, and USB drives. HR and IT should also consider retrieving hand-written notes and any other pertinent documentation that may contain intellectual property or customer information.
If employees or contractors use their own computers, tablets and phones, a review of those systems may be necessary. HR staff can also get more information about the employee's company equipment from the employee's manager.
5. Work with the legal department on terms and conditions
HR leaders should work with legal counsel to determine how to monitor and enforce terms and conditions of employment, including confidentiality agreements, after the employee's departure.
Terms and conditions still apply after the employee leaves, so HR staff must confirm that the employee fully understands this. HR should also discuss agreement violations and how to handle them with the legal department.
6. Notify company partners and customers
HR staff should determine who will alert company partners and customers that the employee is no longer with the organization.
Notifying partners and customers about the employee's departure is courteous and can also put them on alert for any nefarious behavior from that employee, especially if the worker left on bad terms.