IT Offboarding: Best Practices for Ensuring Data Security

Published: 09/2024

IT offboarding is often overlooked, yet it plays a crucial role in protecting sensitive data. A poorly managed process can expose your company to major security risks. Find out how to effectively secure every departure and avoid costly loopholes.

Summary

Today, user data is valuable, and hackers have understood this.

Data security is therefore a top priority for companies and organizations.

Offboarding is a secondary, even forgotten, subject in many companies, whereas onboarding is a major concern for human resources. Competition for candidates in certain sectors, together with attention to employee wellbeing, has raised awareness of the importance of integrating new employees properly.

But managing employee departures is just as crucial.

Please note that offboarding is not just a nice e-mail from HR, a farewell drink and the return of badges 😉.

This is a key step from both HR and IT points of view. Let's focus on the IT side: the main aim of offboarding is to manage and control security risk.

Indeed, a poorly supervised departure can leave loopholes that can be exploited, whether by disgruntled employees or simply through negligence. For example, user accounts that are not deactivated, or equipment containing sensitive information that is not recovered, can be entry points for cyber-attacks. Two facts are worth noting in this context: the management of departures is still largely manual, and many employees still leave the company with their old access rights.

1. Revoke all access immediately after the employee leaves the company.

Clearly, this is the critical point in organizing departures: deactivating access to the information systems.

It's simple: if you neglect this step, you expose yourself to major security risks. Let me illustrate: last time I went out through the garage, which I almost never do, I was in a hurry. I came home 4 hours later to find my garage door wide open (with direct access to my house). I was extremely lucky: nothing was missing. The story is true, and you're probably thinking it's madness to leave your door wide open on a busy street... and yet every company that doesn't automate its offboarding leaves a door open every time it forgets to suspend the accounts. My door stayed open for 4 hours; how long do yours?

Let's return to our situation. The employee leaves the company:

Scenario 1: the employee leaves on good terms with the company. The access is left open and unmaintained, with no updates, no password changes and no monitoring, until it is discovered and used in a data theft. Access management is often poorly mastered and admins grant too many rights, which makes the situation worse if a third party takes control of that access.

Scenario 2: the employee leaves on bad terms with the company. After leaving, he uses his access to cause harm: using, selling or deleting data, disrupting operations...

You've understood the importance of this point, now let's move on to the means of action:

→ You manage offboardings manually, and the task looks complex because there will inevitably be gaps. You're going to have to set up rigorous processes between HR, managers and you, the IT department.
→ You've realized that manual management isn't feasible, especially on a large scale, and you're automating offboardings. Which tool should you choose? Should you use an HR or IT tool? The answer is simple: you need a tool that makes the link between HR information (arrival, departure, transfer, manager) and IT information (accounts linked to a user, rights, licenses). An IAM tool manages exactly this kind of need.

You will therefore synchronize your HR data, which will send arrival, departure and transfer notifications to your IAM tool; the IAM tool will then use workflows to automatically suspend the accounts of departing users.

We no longer rely on human responses, but on computerized automation. On top of this, security scans are performed several times a day to flag up any deviations that might be suspicious.

The IAM tool must list all user accounts, especially those linked to the Active Directory, as this is the central point of the information system (IS). Accounts must be deactivated or suspended as quickly as possible after the employee has left. It's best to schedule this for the end of the last day.

You'll need to draw up an inventory of the employee's access rights, and this won't be possible without a tool for centralizing information. IT environments are extremely varied, and SaaS, hybrid and on-premise solutions need to be carefully managed.

2. Unreturned equipment: a risk of data leakage

Another major risk when offboarding is the incomplete return of IT equipment. Laptops, phones, USB sticks and other devices provided to employees may contain sensitive data or access to internal systems. If these devices are not recovered or properly cleaned, they can become potential sources of data leakage.

It's common for sensitive information to remain stored on employee hardware, such as strategic plans, customer information, or ongoing projects. If this material is lost or used inappropriately after the employee has left, it can lead to data leaks that could damage the company financially or reputationally.

As a reminder, the loan of equipment must be perfectly supervised within the company, and must not be carried out on an informal basis. The equipment loaned by the company must be used for professional purposes only, and any mixed use must be set out in a contract beforehand. The risks are greater when use goes beyond the professional framework.

When the IT team collects the equipment, it must ensure that it is the same as that loaned, and that it is in good working order.

How can this be automated? It's difficult to automate the physical recovery of hardware 😉, but it's perfectly possible to know what each employee holds. In your IAM (Identity and Access Management) solution, you can attach hardware to a user's record, so that when offboarding you get an alert listing the equipment to recover.

3. Regular audit and control of access following offboarding

Once you've completed the previous two points, you need to make sure that everything has been removed. To do this, it's not enough to have confidence in a team or a solution: you need to carry out an access audit.

It's important to ensure that no entry point has been overlooked. Regular auditing ensures that all accesses have been properly revoked, and that no sensitive data has been left accessible.

It often happens that certain secondary systems or collaborative tools are forgotten when accounts are deactivated. A post-offboarding audit can verify that all accesses, including those to less-used services, have been revoked.

Even with an automated process, errors can still occur (because there are always manual actions). A final audit is a good practice to ensure that no oversights put the company at risk.

A manual audit is time-consuming, requires a lot of company resources and is likely to contain errors.

Centralizing information within an IAM solution is a prerequisite for this audit. The task of integrating a new application into the solution must be carried out immediately and without friction, otherwise you'll end up with shadow IT. Every account created must be linked to the user's file.

When I talk about friction, you need to understand that to avoid shadow IT, you need a smooth integration process for new applications. At Youzer, for example, you have two types of customized connectors, one of which is a self-service connector. In other words, it works manually, without any technical integration, but it allows you to leave a paper trail of actions carried out, such as assigning an account to a user.

The aim of the audit is, of course, to reconcile active accounts with departed users.

Our advice? Regularly audit the access rights of current and former employees to ensure that good practices are maintained over time.
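As an added example (not code from the article or from Youzer) of the two mechanisms described in sections 1 and 3, the snippet below reconciles a constructed HR feed with a constructed account inventory: the workflow part lists the accounts of departed users that must be suspended (due only after the last day is over), and the audit part re-runs that check and also surfaces active accounts linked to no user record at all. All user ids, logins and system names are made up for the example.

```python
# Constructed sample HR feed (what the HRIS pushes to the IAM tool). Dates are ISO
# strings so they compare chronologically; departure is None while still employed.
HR_FEED = [
    {"user_id": "u001", "departure": None},
    {"user_id": "u002", "departure": "2024-08-30"},
    {"user_id": "u003", "departure": "2024-09-20"},
]

# Constructed account inventory centralized by the IAM tool. user_id is None when
# the account was created outside the process and never linked to a user record.
ACCOUNTS = [
    {"system": "ActiveDirectory", "login": "amartin", "user_id": "u001", "active": True},
    {"system": "ActiveDirectory", "login": "bdupont", "user_id": "u002", "active": True},
    {"system": "Salesforce", "login": "b.dupont", "user_id": "u002", "active": True},
    {"system": "Slack", "login": "bdupont", "user_id": "u002", "active": False},
    {"system": "ActiveDirectory", "login": "cleroy", "user_id": "u003", "active": True},
    {"system": "Trello", "login": "oldvendor", "user_id": None, "active": True},
]

def departed_users(hr_feed, today):
    """User ids whose last day is over. Suspension is scheduled for the end of
    the last day, so a departure dated today is not yet due."""
    return {u["user_id"] for u in hr_feed
            if u["departure"] is not None and u["departure"] < today}

def accounts_to_suspend(hr_feed, accounts, today):
    """Offboarding workflow: active accounts still linked to a departed user."""
    gone = departed_users(hr_feed, today)
    return sorted((a["system"], a["login"]) for a in accounts
                  if a["active"] and a["user_id"] in gone)

def orphan_accounts(hr_feed, accounts):
    """Audit: active accounts linked to no user record at all (shadow IT)."""
    known = {u["user_id"] for u in hr_feed}
    return sorted((a["system"], a["login"]) for a in accounts
                  if a["active"] and a["user_id"] not in known)

def suspend(accounts, targets):
    """Apply the workflow result: a new inventory with the targets inactive."""
    targets = set(targets)
    return [dict(a, active=False) if (a["system"], a["login"]) in targets else dict(a)
            for a in accounts]

def audit(hr_feed, accounts, today):
    """Post-offboarding scan: anything listed here is a deviation to flag."""
    return {"still_active": accounts_to_suspend(hr_feed, accounts, today),
            "orphans": orphan_accounts(hr_feed, accounts)}
```

Running the workflow and then the audit on the same data shows why the audit is still needed: the suspension step clears the departed users' accounts, but the unlinked Trello account is only caught by the orphan check.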

4. Offboarding also requires team cooperation

Implementing a secure offboarding process requires not only technical measures and protocols, but also team training and awareness-raising. 

You may have thought through the best process and have the best tool for managing departures, but if your internal teams don't play along, it's all in vain.

Managers, HR and IT are all involved in IT offboarding. It's important to raise awareness among all stakeholders to ensure that the process runs smoothly. Talk to managers about security risks and the importance of allocating and recording all applications used by teams.


As far as human resources are concerned, the IAM solution synchronizes with the HRIS to collect arrival and departure dates, which eliminates most of the oversights that lead to errors. It will not prevent oversights, however, if interns on placements shorter than two months, service providers and temporary staff are not reported by HR and managers.

Applications that are still managed manually should be assigned to an application manager, who is responsible for creating and deleting accounts. This should be done through workflows in which the manager validates his or her actions: in effect, a checklist automatically assigned to a dedicated person.

5. An automated employee departure process

Applications or software are there to help teams, and that's why they need to be chosen with care. Excel is often the software that comes to mind when trying to organize IT offboarding within the company, except that Excel quickly finds its limits. I've already seen some videos on how to create a good Excel file for user lifecycle management, and I wish you good luck if you're going into something as advanced as this.

In reality, companies have a file shared between HR and IT for onboarding, which is more or less up to date, and something haphazard for offboarding. It's worth remembering that creating IT accounts is forced to happen, because otherwise a colleague is blocked, whereas suspending accounts has no such blocking point that absolutely requires action.

Well-managed offboarding requires a written departure process that everyone is familiar with.

That's why an identity and access management application will help you structure your process with alerts, checklists and workflows, once you've defined your different scenarios for departures, arrivals and internal mobility.

💡 Here's a little tip: be careful to define your needs carefully, because a solution that's too complex for your requirements can quickly become a project in which you get bogged down, even though it was originally designed to relieve and structure your day-to-day work.
We've seen companies make choices based on the major American references on the market, and a year later still have nothing in place.

You need to consider your level of autonomy with regard to the application. For example, do you prefer to manage the IAM solution yourself, connecting your different applications, creating and modifying your workflows in total independence, or do you prefer to have a consultant with you?

Youzer is the perfect solution for SMEs and mid-sized companies (ETIs) looking for a powerful IAM they can run autonomously. The solution is easy to use, with extensive configuration options, and support hours can be defined. Our support team will be on hand to assist you with any queries you may have.

Conclusion

IT offboarding is a crucial step in corporate data security. All too often neglected compared to onboarding, it represents a major challenge in preventing the risks associated with cyber-attacks and data leaks. Simple measures such as immediate revocation of access, complete return of equipment and regular audits are essential to secure sensitive information.

The key to successful offboarding lies in automating processes and integrating an IAM (identity and access management) solution, which enables centralized management of user accounts and guarantees rigorous access closure. Last but not least, close cooperation between HR, IT and management teams is essential to ensure the smooth and secure management of departures.
