How should a business approach the end of its relationship with an employee from an IT point of view? Having a plan in place for this separation and taking into consideration the cause of this separation – retirement, amicable parting for new opportunities or termination – can help to ward off any IT surprises and put the company in the best possible position to move forward post separation.
Hopefully throughout your employee’s development, your business has worked hard to instill a feeling of investment in and commitment to the organization. By balancing the organization’s trust with the employee’s recognition of the level of responsibility that goes along with that trust, a mutually beneficial relationship should have developed that enhanced not only the employee’s personal development but also the operations and outcomes of your organization.
In these cases, upon the departure of an employee due to retirement, relocation or career change or new but not competing opportunities, IT considerations are rather straightforward. Unfortunately, these types of employee relationships are not always the case and sometimes a termination may result in additional protection needed to ensure that sensitive company data is not taken along with the departed employee.
In either situation, some IT separation procedures are patently obvious, like deleting an employee from the company website and phone and email directories and making a plan for what happens to inbound emails and phone calls as well as voicemail access. Others — such as those that deal with an organization’s BYOD (Bring Your Own Device) policy — are less obvious. A departing employee’s iPad, smartphone or other personal device that was used for business purposes, either as an integral part of their job or even only occasionally, could contain confidential information. You should review usage and determine whether your IT team or managed services provider should “wipe” the device clear of any business-related information.
And if there is some malicious intent present, personal devices offer an incredibly easy way to take information without detection that could potentially harm the company.
Now too is the time to review the latest iteration of your SOP (standard operating procedures) and WISP (written information security plan). Most likely, you added onto them as your employee developed and became more trusted. By reviewing these procedures, you will have a better sense of the employee’s span of IT access and where information may still be stored but possibly forgotten about.
As part of an employee’s exit interview, he or she should be asked to sign a release declaring that he or she did not take or distribute company information; even accidental release of information in this way may make the company liable depending on the sensitivity of the information the employee had access to. If the business has not taken reasonable care to protect the data, such as having the employee sign this release, the business will be liable.
This is also why employees should have undergone and been documented for additional security trainings as new responsibilities and access were acquired and why it’s so important to continually update the company’s acceptable use policy and WISP. Although an employee may have built up a trust with the company and, as a result, gained permission to access valuable or confidential information, depending on how they leave and whether you trust them, all of these efforts matter.
Certainly organizations can take on these kinds of responsibilities themselves, but for those that don’t have the resources to oversee this level of information technology, it makes sense to find a managed services provider (MSP) that your company can partner with. There are a wealth of considerations that begin before a new employee is even hired and that need to be maintained throughout the development life cycle of the employee through to retirement. A partnership with an MSP will recognize and anticipate those considerations and where the issues intersect with their responsibilities, they will enforce and execute the processes and procedures, leaving you able to focus more of your attention on other aspects of your business.
When employees separate, whether by will or by ill, many new IT considerations develop and need attention to ensure the protection of your business and possibly your clients. In the final article of this series, we’ll discuss IT considerations for your business from your clients’ perspective.
Al Alper is CEO and founder of Absolute Logic, a technical support and technology consulting company in Wilton, Connecticut, and a national speaker and author on IT and security issues. He can be contacted at [email protected] or 855-255-1550.