With all the recent news stories about increased employee resignations and firings, let’s talk about the risks to your business from insider threats, and recommendations for creating a robust Personnel Termination Process.

Here are some quick stats:

  • Employees have access to an average of 11 million files (Source: Varonis)
  • 17% of sensitive files are accessible to all employees (Source: Varonis)
  • 44% of all financial and insurance industry data breaches were caused by malicious employees (Source: Verizon)
  • 64% of insider attackers are motivated by money, 36% are motivated by a combination of laughs, a grudge, espionage, convenience, and/or ideology (Source: Verizon)

Now, there is a lot that goes into protecting sensitive data up-front (privileged access policy, change management policy, systems configurations, etc.), but we’re only going to discuss the termination process and who should be involved.

Creating the Process:

First, identify, define, and classify sensitive data and secure systems. Sensitive data might include HR documents, Personally Identifiable Information (PII), customer information, company intellectual property and company digital assets (forecasting model spreadsheets, service deliverable templates, etc.). Secure systems might include company physical assets (computer, phone, tablet, buildings, vehicles, etc.), banking access, ERP or other business system access, HR system access, accounting system access and company document storage access. Define the sensitive information and/or risks in each, and classify them so that the severity of their sensitivity, and therefore their priority in your processes, is clear.

Second, create a process for handling employee and subcontractor terminations. Some keys to this plan include:

  • Defined personnel responsibilities – List the personnel or personnel titles who are responsible for each step in the termination process. Require formal sign-off for accountability and records.
  • Timing – Seconds matter with personnel terminations and this needs to be formally documented. The personnel in the step above need to understand the importance of this timing.
  • Based on the sensitivity classification given above, prioritize the higher-risk data/systems.

And lastly, the internal managers need to be trained on the process with routine training sessions to keep the knowledge fresh and to update them on any changes that have occurred since the last training.

Key Items for Success

Though employee and subcontractor termination policies are highly customized to the organization, here are some helpful ideas that we’ve used over the years:

  1. Ownership – Define one person to own the success of the entire termination process. Typically, this is someone in HR.  Now, this doesn’t mean they complete every step of the process, but simply that they take the lead in its management and success.
  2. Timing – The termination process needs to begin before an employee/subcontractor is informed of their termination. In our experience, informing the IT person the day before the termination, with the exact time the termination meeting will be held, will allow for the greatest reduction in risk.  While the manager is meeting with the employee, the IT person can remove all access and forward communication as necessary.  Sometimes companies prefer to have the IT person wait until the terminating manager sends them a message, just in case there is a change of some sort that is decided during the termination meeting.
  3. Manager Communication – If the termination process fails, it’s typically because managers and their bosses are either unaware of the process or don’t think to follow it before a termination occurs. It’s critical to educate all levels of leadership in an organization and have refresher training sessions at a defined frequency.
  4. Process Tracking System – Have a system of some sort to communicate and track the termination process. We’ve had clients use a form with checkboxes and sign-off fields that is shared with the owners of each step of the termination process.  Another option is running the mini-project through a project management tool.  Care must be taken to make sure this project is hidden from most employees, of course.

Though insider threats are a serious risk to SMBs, having a solid personnel termination process in place adds another layer of protection to your cybersecurity program.  Proactive planning, communication, and coordinated timing are key components to the success of this challenging but necessary aspect of any business.