Endsight Blog

IT Security for Employee Termination - Policies, Checklists, Templates

Written by John Campbell | October 23, 2020

Severing a professional relationship is difficult, especially when it is an employee termination. No matter the situation, IT security cannot be ignored, so your IT support team needs to be part of the discussion before the termination occurs. Before you do something you will regret, take a deep breath and make sure your employee termination process is dialed in.

Terminations are easier when IT security policies are in place

As the manager and HR conduct the meeting with the employee, you'll want IT working to spin down all accounts and access by the conclusion of that meeting.

While malicious damage to company systems rarely comes from disgruntled employees, it does still happen. One of the best ways to protect your organization is to prepare these security protocols ahead of time. Whether you think the employee is a threat to your network or not, the following steps should be put in place to protect your security.

Policies to prevent ex-employee security breaches:

  • Ensure your organization has a comprehensive and robust security policy in place that protects against malicious outside actors, particularly around your firewalls, sensitive systems, and applications.
  • If you don't have an IT provider well-versed in modern IT security management, then strongly consider hiring one.
  • Enable and enforce MFA across your organization.
  • Verify you have healthy backups of all internal systems going back at least 90 days.
  • Ensure you have password rotation policies, with a maximum age of 90 days.
  • Make sure you have a well-written Acceptable Use Policy and that all your employees read and sign it.
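Two of the policy items above can be checked rather than assumed. The following PowerShell is an added example, not Endsight's code: it reads every password policy in force in an on-premises Active Directory domain (the default domain policy plus any fine-grained policies) and flags those whose maximum age exceeds the article's 90 days, then lists enabled accounts that are exempt from rotation or already past the limit. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the 90-day figure is the only value taken from the page.

```powershell
# Added example (not Endsight's code). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-MaxPasswordAge {
    param([string] $PolicyName, [TimeSpan] $MaxAge, [int] $LimitDays)
    $days = $MaxAge.TotalDays
    # In AD a MaxPasswordAge of 0 means "passwords never expire", so it fails
    # the check exactly like a value above the limit.
    [pscustomobject]@{
        Policy       = $PolicyName
        MaxAgeDays   = [math]::Round($days)
        MeetsPolicy  = ($days -gt 0) -and ($days -le $LimitDays)
    }
}

function Test-PasswordRotation {
    param([int] $MaxAgeDays = 90)   # the article's stated maximum password age

    # 1. Policies: the default domain policy and every fine-grained PSO.
    $default  = Get-ADDefaultDomainPasswordPolicy
    $policies = @(Test-MaxPasswordAge 'Default Domain Policy' $default.MaxPasswordAge $MaxAgeDays)
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        $policies += Test-MaxPasswordAge $pso.Name $pso.MaxPasswordAge $MaxAgeDays
    }

    # 2. Accounts: PasswordNeverExpires bypasses every policy, so those accounts are
    #    flagged regardless; the rest are flagged when the last change is older than
    #    the limit. Service accounts that legitimately need an exemption will show up
    #    here too, which is the point: each one should be a known, documented exception.
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { $_.PasswordNeverExpires -or ($_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff) } |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet |
        Sort-Object PasswordLastSet

    [pscustomobject]@{ Policies = $policies; NonCompliantAccounts = $users }
}

# Usage: print both tables to the console.
$report = Test-PasswordRotation -MaxAgeDays 90
$report.Policies | Format-Table -AutoSize
$report.NonCompliantAccounts | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; pipe `$report.NonCompliantAccounts` to `Export-Csv` if you want a dated record to compare against the next audit.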

What if you have to offboard an employee on bad terms?

If you suspect an exit interview may go quite badly, try to minimize any humiliation or embarrassment on behalf of the ex-employee, but consider having additional employees or a protective detail on stand-by as well, making sure they are inconspicuous throughout the process. This dramatically reduces the chance of retaliation but also maintains respect within your remaining workforce.

Regardless of which approach you choose, terminating an employee is never fun. There is no one size fits all approach, and you may have to pivot quickly based on how the meeting progresses. Above all, you need to make decisions that protect the company, the departing employee's dignity as much as possible, and maintain your remaining employees' respect.

Once you're in the termination meeting, make sure your IT department has instructions such as the following, at a minimum. You may also want to ask them for further advice to be as thorough as possible.

Checklist prior to the termination meeting:

(This is where you cover your assets.)

  • Disable MFA (multi-factor authentication) – This should be the very first step, assuming your organization has already implemented MFA across the organization. If you haven't, make MFA implementation a priority in your project list, starting today. Having MFA enabled on as many systems as possible allows you to shut down access to all of those systems in a single action. This is by far the fastest and most effective step you can take during an employee termination procedure.
  • Change the employee's password and disable their Active Directory (AD) and/or 365 user account(s). This may seem redundant, but in the heat of employee termination, taking these two steps together greatly increases the chances that at least one of them gets done if the other one is missed.
  • Remove the employee from all AD and/or 365 groups and memberships, as well as phone system accounts, social media accounts, etc. This helps ensure any group-based permissions are removed and minimizes future reminders to other employees about the termination.
  • Disable their computer account. This is an additional step that helps reduce any chance of re-entry into your systems.
  • Change and disable application-level passwords and accounts. Start with the business-critical applications first, such as CRMs and Financial applications. Don't forget other commonly overlooked applications such as Dropbox, which can be configured to sync data to a personal home machine.
  • Address the employee's email account. Never forward email to an external email address, and be very wary of forwarding email internally to the employee's replacement, if there is one. To protect both the company's and the employee's dignity, the best way to approach this is to forward email only to the direct manager of the employee who just left the firm. While company systems should only ever be used for company business, we know human nature pulls some people in the opposite direction. Protecting the employee's dignity by limiting exposure only where necessary will not go unnoticed in the rest of your organization. The employee's manager should spend the next 30 days updating any accounts registered to the employee's address to a centralized email address wherever possible, or to the appropriate employee or manager as needed. If you suspect legal action, make sure you keep the employee's email data on hand to support your case.
  • Recover all equipment such as laptops, cell phones, or software licenses and either return them to the company's stores or earmark them for future employees.
  • Communicate the termination to the rest of the organization. It is critical to do this with dignity to both the company and the departing employee, even though your audience is your retained employee base. Handling this poorly will negatively affect morale at your organization.
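The IT items of the checklist above (cut cloud access, reset and disable the AD account, strip group memberships, disable the computer account, forward mail to the manager only, retain mail if legal action is expected) can be carried out as one scripted, logged action so nothing is skipped in the heat of the moment. The script below is an added example, not Endsight's code or a product of theirs. It assumes an on-premises AD domain synchronised to Entra ID / Microsoft 365, the ActiveDirectory, Microsoft.Graph and ExchangeOnlineManagement PowerShell modules, and an operator holding the relevant admin roles; every parameter value, the disabled-users OU and the audit folder are placeholders. Registered MFA methods are not touched: revoking refresh tokens and blocking sign-in is what actually ends the session, and removing each registered method is a per-method Graph operation left to your own procedure.

```powershell
<#
  Added example (not Endsight's code): scripted IT offboarding.
  Assumes ActiveDirectory, Microsoft.Graph and ExchangeOnlineManagement modules.
  All default values below are placeholders.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # departing employee's AD login (placeholder)
    [Parameter(Mandatory)] [string] $ManagerUpn,        # direct manager: the ONLY permitted forwarding target
    [string]   $DisabledOu    = 'OU=Disabled Users,DC=example,DC=com',  # placeholder OU
    [string[]] $ComputerNames = @(),                    # workstation account(s) assigned to the employee
    [switch]   $LegalHold,                              # keep mailbox data when litigation is expected
    [string]   $AuditDir      = "$env:ProgramData\Offboarding"          # placeholder log location
)
$ErrorActionPreference = 'Stop'   # halt on the first failure instead of silently skipping a step
Import-Module ActiveDirectory

New-Item -ItemType Directory -Path $AuditDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Start-Transcript -Path (Join-Path $AuditDir "$SamAccountName-$stamp.log")

$user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$upn  = $user.UserPrincipalName

# Record group memberships BEFORE removing them: the record answers later HR or
# legal questions and lets a replacement be provisioned by reference.
$groups = Get-ADPrincipalGroupMembership -Identity $user
$groups | Select-Object Name, DistinguishedName |
    Export-Csv -NoTypeInformation -Path (Join-Path $AuditDir "$SamAccountName-$stamp-groups.csv")

# 1. Cloud side first: revoke every refresh token and block sign-in. Once the
#    sessions are gone, the registered MFA device no longer gets the user anywhere.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
Revoke-MgUserSignInSession -UserId $upn | Out-Null
Update-MgUser -UserId $upn -AccountEnabled:$false

# 2. Reset the password to a random value nobody records, then disable the AD
#    account. Doing both means a missed step still leaves the account unusable.
$chars       = [char[]](48..57 + 65..90 + 97..122)          # 0-9 A-Z a-z
$newPassword = -join ($chars | Get-Random -Count 32)
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
Remove-Variable newPassword
Disable-ADAccount -Identity $user

# 3. Strip group-based permissions. The primary group (Domain Users) cannot be
#    removed from an account and is skipped.
foreach ($g in $groups | Where-Object { $_.Name -ne 'Domain Users' }) {
    Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
}

# 4. Disable the workstation account(s) so the machine itself can no longer
#    authenticate to the domain.
foreach ($c in $ComputerNames) {
    Disable-ADAccount -Identity (Get-ADComputer -Identity $c)
}

# 5. Label the account and move it out of the production OU so it drops out of
#    picker lists and scoped policies.
Set-ADUser -Identity $user -Description "Offboarded $stamp"
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

# 6. Mail: forward only to the direct manager. -ForwardingAddress takes a
#    recipient that exists in your directory, not an arbitrary external SMTP
#    address, which enforces the "never external" rule structurally. Hiding the
#    mailbox from address lists removes a daily reminder for the rest of the staff.
Connect-ExchangeOnline -ShowBanner:$false
Set-Mailbox -Identity $upn -ForwardingAddress $ManagerUpn -DeliverToMailboxAndForward $true `
            -HiddenFromAddressListsEnabled $true
if ($LegalHold) {
    # Retains the mailbox contents for a later dispute (requires a licence that supports litigation hold).
    Set-Mailbox -Identity $upn -LitigationHoldEnabled $true
}

Stop-Transcript
```

Invoke it as `.\Offboard-User.ps1 -SamAccountName jdoe -ManagerUpn manager@example.com -ComputerNames WS-0123 -LegalHold` (all values placeholders). The transcript and the group CSV in the audit folder are what you hand to HR or counsel afterwards, and they are also the starting point for the "update your living document" step at the end of this article.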

Ensure disgruntled employees do not regain access

To expand on that last point, inform your employees of the termination immediately. This will limit the possibility of anyone accidentally giving the departed employee access to sensitive information. Communication with the organization should be as firm and as transparent as possible while respecting the departing employee's privacy. There is no need to divulge details as to why the employee is no longer at the company, merely that they are no longer employed and that it was best for all parties.

Termination announcement templates you can use:

  • "As of today, (full name) is no longer with the company. We wish (first name) the best in their future endeavors. If you have any questions, please do not hesitate to contact your direct manager or me."
  • "Please be advised that (full name) is no longer with the company as of (date). We ask that confidential or proprietary matters relating to our company no longer be discussed with (first name). (First name)'s responsibilities will be taken care of by (person assuming responsibilities). Please contact (person assuming responsibilities) if you have questions."
  • "Unfortunately, I am writing to announce the departure of (full name). We wish (first name) the best in their future endeavors. (First name)'s responsibilities will be taken care of by (person assuming responsibilities). Please contact (person assuming responsibilities) if you have questions."

Always keep your process document library up to date

Once the process is complete, make sure to update your living document of termination tasks for all involved parties, tailored to your particular organization, including managers, HR, and IT. Specifically, if you did anything as part of the termination that is not in your checklist, add it. Just because you have been trained differently from what the process documents say doesn't mean that the inconsistencies in your process are okay. A clear process is crucial for building an organization that thrives.

Things will change over time, but keeping this list up to date will ensure you don't have to figure it out on the fly each time you need to go through an already stressful situation.

Now, it's time to get back to business and move your organization forward. If you want to drop any questions or comments in the thread below 👇, we are happy to discuss it. Good luck!