When employees and employers say farewell, it can be a pleasant or difficult situation. Regardless, significant risks exist when former employees continue to have access to their previous work environments.
Under the best of circumstances, employees will leave the company on great terms. They could be retiring, starting their own company, or taking a well-deserved break from the working world to focus on family or other personal pursuits. Some may even return one day as valued employees. Other situations may not be as positive. Layoffs, downsizings, or a competitor swooping in with a successful headhunting raid and scurrying off with important talent can put a permanent strain on the relationship. The circumstances really do not matter: when an employee leaves, they take with them inside knowledge of the business and likely important information about the company.
Most of the time this information is limited to memory, as employees are usually forbidden, under their original hiring agreements, to copy or take property when they leave. Well-handled exit interviews will remind them of this fact and reinforce it.
As part of the exit process, all access and credentials should also be removed or changed. This includes login and remote access accounts, entry badges, email and company social site logins, company phones, and of course all computing devices. As they no longer represent the company, their access and credentials should be identical to those of a stranger on the street. It may seem cold, but it is a necessity that protects both the company and the departing person, because legacy credentials of departed employees can be used maliciously by others as well as by the former trusted worker. It is better for all if they are securely removed.
It sounds like common sense, but a recent survey conducted by Harris Interactive on behalf of Quest Software indicated that 1 in 10 IT professionals stated they could access accounts and systems associated with a prior job. This is a significant problem. If this percentage were to hold true across organizations, it could represent a serious aggregate risk depending upon the number of people who leave a company.
Every organization should have a process to protect the company. Human Resources, Information Technology, Information Security, and the manager of the employee should follow an approved checklist to ensure consistency and comprehensiveness for every exiting employee. This process must be maintained and updated to remain effective.
It is critical for access boundaries to be secured from people who do not have a legitimate business need. Closing the door on former employees is an important task in managing the information security risks of an organization.