Network hardware failures. Internet outages. DDoS attacks. These are the types of disruptions you probably spend your time preparing to handle. But there’s another potential source of trouble that most IT pros think about much less frequently, and which happens far more often: employee offboarding.

Whether an employee is leaving to pursue another opportunity or is being terminated, you need to make sure your company’s network and data are secure. All too often, departing employees retain access to IT infrastructure they could choose to abuse—especially if they’re leaving on a sour note.

If someone can still log in to servers, access confidential data, or even just tweet in the company’s name, they can wreak havoc in ways that reflect very poorly on the team that’s responsible for keeping the network and other infrastructure secure and stable. That’s you!

Insider threats are a bigger issue than you might think

According to a 2020 study by the Ponemon Institute, the average global cost of insider threats—which include disgruntled employees—rose by 31% since 2018 to $11.45 million, while the number of incidents spiked by 47% during the same timeframe.

Insider threats have become such a problem that 24% of small- to mid-sized businesses are more concerned about attacks from ex-employees than from hacktivists, competitors, or state-sponsored hackers. And SMBs have reason to worry—in a 2017 survey of 500 IT decision makers, 20% said their organizations have already experienced data breaches by ex-employees.

But why are the numbers so high? The answer may lie in how long it takes for companies to fully remove departing employees from network and application access. In the US, 21.7% of companies say it takes them up to a month to fully deprovision a departing employee, while 14% say it takes them up to six months.

Equipped with their login credentials, ex-employees can wreak serious havoc on the network or steal sensitive data and files. If your company relies on cloud-based file-sharing platforms like G-Suite and Dropbox, it’s even easier for malicious or disgruntled ex-employees to cause problems.

Luckily, there are ways to mitigate the risk departing employees pose to your network, and the simplest one is to start creating an employee offboarding checklist.

Creating an employee offboarding checklist

When you’re notified that an employee has handed in their notice or is being terminated immediately, your employee offboarding checklist should be your go-to document.

Your specific tasks will vary according to your business and, of course, the timing of each step will depend on whether the employee is the one making the decision to leave. But here’s a general checklist to help guide you:

  1. Retrieve or disable all company-owned physical assets. Depending on your business, your list of equipment to collect may include a laptop, phone, tablet, keys, ID card, magnetic swipe card, security token, and more. Have a list of all the equipment typically issued to each employee so you can do a reverse checklist when the employee leaves.
  2. Disable all internal user accounts to which the employee had access. Doing this effectively means having good management infrastructure in place so you can quickly identify the accounts that need to be shut down.
  3. Change any shared passwords the employee knew, and shut down their access to off-premise or third-party services like G-Suite, Dropbox, OneLogin, and 1Password.
  4. Disable access to the employee’s company email and instant messaging account. As soon as an employee is terminated or is signing off on their last day, you’ll want to disable their access to their company email address and forward the mail to someone else at the company. If your company uses instant messaging apps like Slack or Microsoft Teams, you’ll also want to disable the employee’s account there as soon as possible.
  5. Disable access to the employee’s phone and voicemail account. Lots of employees rely on apps like Zoom for phone and voicemail, so you won’t want to forget to disable access here too.
  6. Terminate VPN and remote-desktop access. This might seem like a no-brainer, but it can be easy to overlook. Today’s VPN configurations tend to be huge and complex, making it easy to leave open some of the VPN pathways that the former employee might use to get on the network.
  7. Change door codes or PINs to disable physical access to the company’s premises. If someone other than you—like a security manager or operations manager—manages these, make sure that person acts promptly when the employee is terminated to prevent unauthorized access to the office.
  8. Perform a complete backup of the employee’s hard drive if the data isn’t already saved and archived in the cloud or as part of your company’s general backup routine.
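One way to verify steps 2, 3 and 6 against the deprovisioning delays quoted above, as an added example that is not from the original post: a small Python audit that correlates an HR termination list with account exports from several systems and reports which accounts are still open and how long full deprovisioning took. The system names, email addresses and dates are constructed sample data, not real exports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Account:
    system: str                          # where the account lives: "ad", "vpn", "gsuite", ...
    owner: str                           # work email, used to correlate accounts across systems
    enabled: bool
    disabled_on: Optional[date] = None   # when it was disabled, if it was

# Constructed sample data: HR termination dates plus an account export from each system.
TERMINATIONS: Dict[str, date] = {
    "alice@example.com": date(2024, 3, 1),
    "bob@example.com": date(2024, 3, 10),
}
ACCOUNTS: List[Account] = [
    Account("ad", "alice@example.com", False, date(2024, 3, 1)),
    Account("vpn", "alice@example.com", True),                         # step 6 was missed
    Account("gsuite", "alice@example.com", False, date(2024, 3, 20)),  # step 3 done, 19 days late
    Account("ad", "bob@example.com", False, date(2024, 3, 10)),
    Account("slack", "bob@example.com", False, date(2024, 3, 10)),
    Account("ad", "carol@example.com", True),                          # current employee, out of scope
]

def residual_access(accounts: List[Account], terminations: Dict[str, date], as_of: date) -> Dict[str, List[str]]:
    """Systems a departed employee could still log in to on the given date."""
    found: Dict[str, List[str]] = {}
    for acct in accounts:
        term = terminations.get(acct.owner)
        if term is None or term > as_of:
            continue                                   # not a departed employee (yet)
        if acct.enabled or (acct.disabled_on is not None and acct.disabled_on > as_of):
            found.setdefault(acct.owner, []).append(acct.system)
    return {owner: sorted(systems) for owner, systems in found.items()}

def deprovision_lag_days(accounts: List[Account], terminations: Dict[str, date]) -> Dict[str, Optional[int]]:
    """Days from termination until the last account was disabled; None while any account is still open."""
    lag: Dict[str, Optional[int]] = {owner: 0 for owner in terminations}
    for acct in accounts:
        term = terminations.get(acct.owner)
        if term is None or lag[acct.owner] is None:
            continue
        if acct.enabled or acct.disabled_on is None:
            lag[acct.owner] = None                     # still open, or no record of closure
        else:
            lag[acct.owner] = max(lag[acct.owner], (acct.disabled_on - term).days)
    return lag
```

Feeding real exports (directory, VPN, SaaS admin consoles) into `ACCOUNTS` keyed by work email turns this into a recurring check that nothing on the checklist was skipped.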