All-in-one Risk Management Platform

How To Prevent a Former Employee From Becoming a Security Risk

One risk that organizations often forget to consider is that of former employees. Whether they leave under positive or negative conditions, they are uniquely positioned in a way that could become a risk to your security. Instead, let's look at some simple. yet important, ways to prevent any ex-employees from becoming security risks.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

How To Prevent a Former Employee From Becoming a Security Risk

A few years ago, at a social event, we heard a guy brag about how he used the resources of his former company to land a major client. He believed he had learned as much as he could and had repaid the company for the training they had given him. 

When he left, he realized he still had access to some of the organization's proprietary information. He decided to use it to become a competitor and land that client. 

Here is an instance where someone left the company of his own free will, without ill will, yet he continued to illegally use the organization's resources. So we can only imagine what a disgruntled former employee might do. 

When it comes to former employee security risk, a majority of that stems from improper employee offboarding. A business puts itself at significant risk when it fails to remove a former employee from its network appropriately. 

A survey of 1,008 employees by Beyond Identity found that 1 in 4 ex-employees still had access to their employers' files. Plus, in 2020, 20% of companies reported data breaches from disgruntled former employees. 

So, what can you do to prevent a former employee from becoming a security risk?

The following list may seem simple, but the mistakes are often relatively easy to make but open up an opportunity for someone to steal information.

1. Observe the Behavior of Employees Post-Resignation

One of the earliest things you can do to prevent a former employee from becoming a security risk is to be proactive and observe their behavior post-resignation. Disgruntled people who wish to cause harm will often exhibit signs that something is amiss.

You should be on the lookout for:

  • Employees who suddenly become withdrawn or angry
  • Current employees talking about sensitive topics in the presence of a former employee
  • Former employees who leave their company-issued equipment at their desks or fail to return it as requested
  • Former employees who try to continue using access codes or badges after they have left the company

If the former employee damages company property, makes threats or opposes efforts to maintain security, these should raise red flags.

2. Conduct Exit Interviews

Many companies don't conduct exit interviews and those that do only ask why the employee is leaving. While you should still ask those questions, you also need to ask about the company's items in their possession. 

You want to ensure they do not take any company devices or information or access any accounts or systems before leaving. You must ensure that your former employees can no longer access company assets or information once they leave.

3. Change Your Passwords

To prevent former employees from accessing proprietary information and systems, you should change all your passwords immediately after an employee leaves. The best approach is to err on the side of caution, even if you have no reason to believe the employee is a security risk. 

While changing your passwords, look for other ways former employees might have access to sensitive information and take care of any holes in your company's policies and procedures.

4. Restrict Access

Folders and applications are another way to prevent former employees from accessing important data. One way is to remove them from groups with extended permissions to network resources. 

If the employee was a member of multiple groups, you might want to add certain groups back after you've removed them from the ones that grant them too much access. You should also review security groups that give access based on job title and make changes when necessary.

5. Conduct Offboarding Audit

Conduct an offboarding audit when employees resign or are terminated. You should do this within 30 days of the person leaving the company and cover all devices used while you employed them. 

The audit should include checking email accounts for any confidential information that might have been downloaded or sent. Check if files have been deleted from shared drives or cloud services.

“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

6. Set Up Automated Information System

There are times when people in I.T. may be unaware of an employee's departure. It would help if you avoided situations like this by setting up an automated system that deactivates inactive accounts and changes passwords after a specific time. This will ensure that your former employee's access to the company network can be disabled quickly.

7. Make Data Encryption a Consistent Practice

As more employees adopt a bring-your-own-device (BYOD) policy, it's critical to have data encryption software installed on every device that accesses your network whether an employee is a current employee or no longer with the company.

When considering employees who have amicably left the company, you may be more inclined to let your guard down. However, this is when you're most at risk of facing an insider threat. 

Many former employees will still have access to your network and won't have any qualms about taking advantage of that access if they feel it benefits them in some way. That's why it's crucial to keep security measures consistent across the board.

8. Issue Warning During Onboarding

The first step in preventing a security breach by a former employee is to make sure they understand the risks and consequences during onboarding. The warning could include information such as:

  • Potential legal ramifications of taking or sharing proprietary data, including criminal charges and fines
  • A statement that all data belongs to the company, regardless of who created i.
  • The importance of protecting proprietary data for the good of the company and other employees

Beyond this, make sure all employees read and sign an acknowledgment form related to the proper handling of confidential information, whether it's physical or digital. Include language that makes sure employees understand that these rules still apply even after leaving the company.

9. Try to End Things on a Positive Note

Some former employees will leave on bad terms. But the best way to avoid a disgruntled ex-employee becoming a security risk is to try to leave them with a positive impression. A simple thank you note, praise for their work, and even a gift card can go a long way.

You might even consider sending your former employee an email before they leave, just to express your appreciation and to let them know you have no hard feelings.

It's also essential to take care of any other issues related to benefits or severance packages or any concerns about fraud or theft. If you don't do everything you can, your reputation may suffer, and it could be challenging to find great employees in the future.

The Bottom Line

Employees who leave your company take along a lot of knowledge about your business. Perhaps they know where you store your financial data or have an understanding of the inner workings of your network's security software. 

While these details might seem innocuous to you, they could present a tempting opportunity for an employee who has left disgruntled. To prevent this, you should have an effective offboarding plan in place. 

This should include issuing a warning about the importance of protecting confidential information and setting up security measures on their access devices. Again, many of these things seem elementary but when executed consistently, they can go a long way to prevent former employees from becoming significant security risks. 

Like what you see?  Learn more below

One risk that organizations often forget to consider is that of former employees. Whether they leave under positive or negative conditions, they are uniquely positioned in a way that could become a risk to your security. Instead, let's look at some simple. yet important, ways to prevent any ex-employees from becoming security risks.
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
What You Need to Know About Data Encryption
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
Five Principles of Risk Management
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)