Disgruntled Employee Quits: How to Ensure Data and Network Security

Today’s most damaging security threats originate not only from malicious outsiders or malware but also from insiders with access to sensitive data and systems. According to a recent Insider Threat Report by Cybersecurity Insiders, 63% of respondents said those with privileged access pose the highest risk to the organization. A single incident caused by an insider (or someone who continues to have the privileges of an insider) costs a company upwards of $750,000, including investigation, response, and remediation, according to the Ponemon Institute.

In most cases, internal breaches coincide with employees leaving the company. Employees who have been let go and those leaving under duress have been known to take actions that harm the company on their way out using still-authorized logins. Ill-meaning employees can use their remaining access to steal or delete critical data, steal client contacts, access company financial records, or steal business intellectual property to gain a competitive advantage with a new employer. Plus, they have a much greater ability to cover their tracks, as they often know their way around the network.

So what can your organization do to prevent a disgruntled employee from causing a cybersecurity incident?

Digital Offboarding: What to Do After a Disgruntled Employee Quits

An effective digital offboarding of staff is a critical step in maintaining data security and protecting your organization from malicious insider threats. These actions should be carried out immediately after the disgruntled employee quits.

  • Revoke system access from your IdP and SSO: Your Identity Provider (IdP) is usually the first port of call because it is the access point to many other internal and external systems. Log in to your G Suite or Azure Active Directory admin console and suspend or disable the user. If you have a Single Sign-On (SSO) solution, disabling the user account there is one of your most important steps, since your mission-critical systems are protected behind it.
  • Disable email access: A disgruntled employee will most likely try to send out a final rant-filled email to the staff, vendors, or customers. So be sure to disable and revoke email access before they get a chance. Change their password in your email system or Active Directory. If the employee used a personal cell phone or tablet to access work email, wipe or remove the email account. To ensure business continuity, forward the emails of the departing employee to a colleague or a manager, at least temporarily.
  • Disable cloud access immediately: To prevent access to your company’s critical cloud data, disable the employee’s cloud account first by changing the password. You can then move the account data to another user and delete the employee’s account.
  • Terminate VPN and other remote access methods: It is common these days for employees to have remote access to internal or cloud services, whether they work from home or a satellite office. Ensure you revoke the employee’s access for every method of logging in to the VPN, remote desktop, or other forms of remote access. Confirm that no remote access software, such as TeamViewer, is installed on their workstation, since they might use it to access the computer or your network.
  • Change shared passwords: Many employees will know passwords that their entire team or department shares. Because a disgruntled employee may try to log back into these shared resources, and you cannot block them by managing their individual logins, a password change will be necessary. Revoke all existing tokens and sessions and create a new password. This is especially important if they have access to the company’s social media account – this is where PR crises can spiral out.
  • Recover company devices: Many employers give their teams mobile devices and laptops that meet the company security, performance, and uniformity standards. These devices usually contain proprietary company information and will likely be auto-logged into various company apps and online resources. So make sure to take back any company phones, laptops, or computers that the employee has and review their devices for malicious software or other system or data compromise indicators.
  • Wipe company apps and data from personal devices: If your organization has a Bring Your Own Device (BYOD) policy, remove any apps or data that contain proprietary information or provide access to company resources from the employee’s personal devices. You will need to ensure that all company-related data is wiped from their devices, including app metadata and anything stored in their phone’s file system.
  • Communicate with other employees: In a company with several employees, news of the disgruntled employee quitting may not spread fast enough. To prevent anyone from unwittingly giving network access to the employee, communicate the employee’s termination to the rest of the company.
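
One way to confirm that the steps above were actually completed is to audit an export of the departing user's remaining access. The Python sketch below is an added example, not 4BIS.COM's tooling; the record layout, field names and sample values (user jdoe, asset LT-0042) are constructed assumptions.

```python
from datetime import datetime, timezone

def ts(s):
    """Parse an ISO-8601 timestamp and mark it as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data (hypothetical export formats, not a real product's schema).
DEPARTURE = {"user": "jdoe", "terminated_at": ts("2021-10-11T17:00:00")}
ACCOUNTS = [
    {"system": "idp", "user": "jdoe", "enabled": False},
    {"system": "email", "user": "jdoe", "enabled": False},
    {"system": "vpn", "user": "jdoe", "enabled": True},
    {"system": "cloud-storage", "user": "jdoe", "enabled": False},
]
SESSIONS = [
    {"system": "idp", "user": "jdoe", "revoked": True},
    {"system": "email", "user": "jdoe", "revoked": False},
]
SHARED_SECRETS = [
    {"name": "social-media", "known_by": {"jdoe", "asmith"},
     "rotated_at": ts("2021-08-01T00:00:00")},
    {"name": "billing-portal", "known_by": {"jdoe"},
     "rotated_at": ts("2021-10-11T18:30:00")},
]
DEVICES = [{"asset": "LT-0042", "assigned_to": "jdoe", "returned": False}]

def audit_offboarding(departure, accounts, sessions, shared, devices):
    """Return (finding, target) pairs for access the departed user still holds."""
    user, cutoff = departure["user"], departure["terminated_at"]
    findings = []
    for a in accounts:  # personal accounts must be disabled everywhere
        if a["user"] == user and a["enabled"]:
            findings.append(("account-enabled", a["system"]))
    for s in sessions:  # a disabled account with a live token still has access
        if s["user"] == user and not s["revoked"]:
            findings.append(("live-session", s["system"]))
    for c in shared:  # shared secrets must be rotated after the departure
        if user in c["known_by"] and c["rotated_at"] < cutoff:
            findings.append(("shared-secret-not-rotated", c["name"]))
    for d in devices:  # company hardware still in the user's possession
        if d["assigned_to"] == user and not d["returned"]:
            findings.append(("device-outstanding", d["asset"]))
    return findings

if __name__ == "__main__":
    for finding, target in audit_offboarding(
            DEPARTURE, ACCOUNTS, SESSIONS, SHARED_SECRETS, DEVICES):
        print(f"{finding}: {target}")
```

An empty result means the inventory shows no remaining access; the audit is only as complete as the inventory it is given.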

Insider Threat Management From Disgruntled Employees

Disgruntled former employees represent a new worry for business leaders. But as long as companies actively work to protect their systems, risks from an angry ex-employee can be kept to a minimum. Here are some proactive steps you can take to protect your company data and network.

  • Use a zero trust model for security: Once an employee leaves, your security team should consider a zero trust model (if you don’t use it already) as part of the offboarding process. You should also assume that any attempt to log in is a potential threat that requires action.
  • Develop an incident response plan: When an insider breach occurs, it’s essential to have processes in place to gather and analyze the necessary data to ascertain which systems were accessed, which users have access to those systems, and what data was exposed.
  • Closely manage permissions: Managing user account privileges is critical in reducing the risk of malicious compromises from disgruntled employees. Organizations should adopt a least privilege policy – ensuring employees only have the minimum set of system privileges required to perform their duties. As employee roles change, it is also vital to regularly review permissions and ensure that privileges are immediately revoked when employees depart.
  • Conduct proactive monitoring: Thorough monitoring is the basis for threat detection. Monitor user activities and identify anomalous behavior. Organizations should use monitoring systems to track, log, and create alerts when unusual behavior is seen.
  • Avoid shared user names and passwords: Shared accounts are a lousy security practice and should be avoided, as they pose security and compliance risks. Trying to trace whether an ex-employee has access to a shared account is a problem that you can avoid.
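
As an added illustration of the monitoring and shared-account points above (not code from the original article), this Python example scans authentication logs for activity tied to a departed user, including shared-account logins from a source address that user was seen on before leaving. The log format, account names and documentation-range IP addresses are constructed, and the log is assumed to be in time order.

```python
import re
from datetime import datetime, timezone

# Constructed log format: "<timestamp> <system> user=<u> src=<ip> result=<r>"
LINE = re.compile(r"(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) "
                  r"src=(?P<src>\S+) result=(?P<result>\w+)")

# Constructed sample data: termination times from HR, known shared accounts, log lines.
TERMINATED = {"jdoe": datetime(2021, 10, 11, 17, 0, tzinfo=timezone.utc)}
SHARED_ACCOUNTS = {"social-admin"}
LOG = """\
2021-10-08T08:55:10Z vpn user=jdoe src=203.0.113.7 result=success
2021-10-11T09:02:44Z sso user=asmith src=198.51.100.20 result=success
2021-10-11T23:41:03Z sso user=jdoe src=203.0.113.7 result=failure
2021-10-12T00:05:19Z social user=social-admin src=203.0.113.7 result=success
2021-10-12T02:14:07Z vpn user=jdoe src=192.0.2.99 result=success
2021-10-12T08:30:00Z social user=social-admin src=198.51.100.20 result=success
"""

def detect(log_text, terminated, shared_accounts):
    """Return (severity, account, system, src) alerts for post-departure activity."""
    known_src = {}  # departed user -> source IPs seen before termination
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        user, src = m["user"], m["src"]
        if user in terminated:
            if when < terminated[user]:
                known_src.setdefault(user, set()).add(src)
            else:  # any attempt after departure is an alert; success is worse
                sev = "critical" if m["result"] == "success" else "high"
                alerts.append((sev, user, m["system"], src))
        elif user in shared_accounts:
            # Shared logins carry no identity, so correlate on source address.
            for ex, ips in known_src.items():
                if src in ips and when >= terminated[ex]:
                    alerts.append(("high", f"{user} (src matches {ex})",
                                   m["system"], src))
    return alerts

if __name__ == "__main__":
    for alert in detect(LOG, TERMINATED, SHARED_ACCOUNTS):
        print(alert)
```

Source-address correlation is a heuristic: a shared office or VPN egress address will match legitimate colleagues too, which is one more reason to retire shared accounts rather than monitor them.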

Secure Your Company with 4BIS.COM

An employee should leave the company with the exact amount of digital access they arrived with — none. For many organizations, an in-house 24/7 security monitoring capability to prevent, detect and respond to insider threats and other malicious activity is unrealistic. This is where we come in. By working as an extension of your IT team, 4BIS.COM can help protect your business from security threats from disgruntled employees. Our cybersecurity solutions combine identity and access management, user activity monitoring, behavioral analytics, alerting, investigation, and remediation to ensure your computers and network are secure.

If you need help with cybersecurity or other IT services in Cincinnati, 4BIS.COM is your go-to IT service provider. Our comprehensive services include IT support, server and network monitoring, IT consulting, cloud services, disaster recovery, and IT engineering. Contact us today to schedule a consultation.

Written by James Forbis
Posted on: October 12, 2021