Cybersecurity Best Practices When an Employee Quits


It is already a strenuous event when an employee quits, but it is crucial to follow best practices to keep company data secure after their departure. Employees have access to sensitive company data that they could exploit, especially if they quit for a negative reason. Having proper steps in place when an employee leaves can help a company avoid a data breach.

Importance of Cybersecurity

Cybersecurity threats have been on the rise in recent years, with data breaches costing $4.45 million per incident in 2023. While cyberattacks from external bad actors, such as phishing or ransom tactics, are more common and newsworthy, the threat posed by disgruntled employees can sometimes be greater. These individuals have free access to a company’s data, so it is essential to take necessary action when an employee resigns.

Best Practices When an Employee Quits

Former employees can contribute to cybersecurity concerns, intentionally or unintentionally. Below are some of the best cybersecurity practices to implement when an employee leaves, ensuring a company’s data remains safe and secure.

Establish Policies 

Procedures must be in place to address potential cybersecurity concerns. This can take the form of training current employees on how to protect the company’s data or requiring strong passwords and two-factor authentication. If an incident does occur after an employee has left, it is beneficial to have an incident response plan in place to avoid last-minute scrambling. A plan might include clearly defined roles, documented procedures, incident containment and recovery systems.

Company policies should also include social media best practices. Current employees have unknowingly caused the theft of sensitive company data by posting videos or pictures at their workplace. The computer in the background of a post could contain and expose confidential information. This can erode trust between companies, employees and clients, so there should be strict camera rules in the workplace.

Remove Access

An employee often has access to numerous accounts and facilities that could be compromised if they continue to revisit them after leaving. Prime examples include emails, shared accounts, building access, employee accounts, file sharing capabilities, phones, voicemails, VPNs and remote desktop access. All of these should be deleted or deactivated to avoid potential issues if the employee were to log back in.

Companies also often provide employees with devices for work-related tasks. Some devices include phones, computers, key cards or hard drives. Collect these devices after an employee leaves, back up the important data and then wipe them clean. This ensures data protection and prevents the former employee from continuing to use company property, possibly for malicious purposes.

Update Information

Employees have some company information memorized, like building access codes or passwords. Changing this intel after an employee leaves prevents them from re-entering the building or logging into secure networks. If they have access to accounts on their personal devices, wipe that information as well.

When dealing with cybersecurity, it is essential to operate with a zero-trust policy, which involves verifying every device and user to ensure they are allowed to access the company’s credentials. Changing passwords, PINs and codes prevents unauthorized former employees from accessing this information without permission.

Inform Departments

Transparency is crucial in a company, particularly when it comes to cybersecurity. Letting the team know about the employee’s departure is essential because it informs them that they should not discuss classified company information with the former employee going forward. It also might alert them to any red flags if the employee does reach out.

IT professionals within a company should also be aware of an employee quitting, so they can effectively remove the employee’s access to important accounts and information hubs. It also lets them know they might have to monitor the data to ensure no third parties are trying to access it.

Hold Exit Interview

The exit interview is critical in outlining what is expected of a departing employee. Be upfront, brief and professional. Discuss a clear offboarding plan with them, outlining what devices they must return, how to log out of their accounts and how to reach them if the company needs more information. Along with providing closure, an exit interview is also an opportunity for a company to receive candid feedback that it can apply going forward. 

Ensure that the employee signs a nondisclosure agreement to prevent them from sharing company information with any third parties. Another helpful document would be a signed form stating that they have returned all company-issued devices and successfully logged out of all accounts, further enhancing the security of company data.

Monitor Afterward

After an employee leaves and all necessary precautions are in place, the IT department should pay extra attention to any accounts and the movement of company data. Ensure that former employees do not have any remote access to accounts and search for suspicious activity accordingly. This includes checking company devices for viruses and other harmful malware.
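
One way to run the post-departure check described above, as an added example that is not part of the original article: it compares authentication events against an offboarding roster and flags any use of a former employee's account after the departure time. The log format, usernames, services and IP addresses are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed offboarding roster: username -> departure time (UTC).
DEPARTED = {
    "jdoe": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 3, 8, 17, 0, tzinfo=timezone.utc),
}

# Constructed auth log lines: "timestamp user service result source_ip".
SAMPLE_LOG = """\
2024-03-01T09:12:44Z jdoe vpn success 203.0.113.10
2024-03-02T22:41:03Z jdoe vpn failure 198.51.100.7
2024-03-03T01:15:20Z JDoe email success 198.51.100.7
2024-03-05T08:00:00Z bwong rdp success 203.0.113.22
-- log rotated --
2024-03-09T10:30:00Z asmith fileshare success 203.0.113.45
"""

def parse_line(line):
    """Return an event dict, or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    # Usernames are lowercased so "JDoe" and "jdoe" match the same roster entry.
    return {"time": ts, "user": parts[1].lower(), "service": parts[2],
            "result": parts[3], "source": parts[4]}

def find_post_departure_activity(log_text, departed):
    """Flag every auth event by a departed user after their departure time."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["user"] not in departed:
            continue
        if event["time"] <= departed[event["user"]]:
            continue  # activity while still employed
        # A success means access was never removed; a failure means someone
        # tried the old credentials and the deactivation held.
        severity = "HIGH" if event["result"] == "success" else "MEDIUM"
        findings.append((severity, event["user"], event["service"],
                         event["time"].isoformat(), event["source"]))
    return findings

if __name__ == "__main__":
    for finding in find_post_departure_activity(SAMPLE_LOG, DEPARTED):
        print(*finding)
```

A HIGH finding points at an account from the "Remove Access" list that was missed; a MEDIUM finding is worth a look at the source address even though the login failed.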

Monitoring social media after an employee quits is also necessary to ensure the company’s reputation is not being tarnished. A former employee might take to social media to complain or voice concerns about what happened, bringing negative press to the company that could harm its reputation and lead to possible years of retribution. 

No Hard Feelings

These cybersecurity precautions should be implemented for all employee departures, regardless of the reason for leaving or the employee's prior trustworthiness. While it is not uncommon for an employee to be upset about leaving a company and to talk about it, sensitive data about that company can sometimes get out during those moments and cause intentional or unintentional problems.

Proper offboarding procedures do not mean that anyone is holding grudges — the company’s safety is of paramount importance, so ensuring data security must always be a top priority.

Protect Company Data

When an employee quits, a company can protect its data by limiting access to current workers only and having policies in place for employee departures, regardless of the reason for leaving. This keeps sensitive information private and reduces the risk posed by a disgruntled employee in the future.