Do ex-employees still have access to your data?​

When an employee leaves, would you let them take their company-issued devices with them? 

These devices may be company property, but they also often contain a tonne of company data. You don’t want to risk a data breach by allowing ex-employees to walk out of the door with confidential information! 

But what about a former employee’s personal devices?

Today, it’s common practice to perform work-related tasks on your personal smartphone, tablet, laptop and even your home computer. When an employee clears out their desk, do you really know how much confidential information is still stored on their personal devices? Or what corporate portals and cloud-based software they still have access to? 

In this article, we’ll explore why ex-employees pose such a threat to your business, and the steps you can take to ensure that a single disgruntled former employee doesn’t have the power to completely destroy your company.

Ex-employee leaks your data? You may be legally responsible

If you have any ex-employees, then these former employees could still have access to your corporate data. In a poll of IT decision makers, researchers at identity management firm OneLogin found that almost half of respondents were aware that former employees still had access to their corporate apps, and all of the data contained within those applications. 

In an ideal world, employees and employers always part on good terms, so you’ll never have to worry about a vindictive ex-employee using your data against you. Unfortunately, this isn’t always the case! Sometimes employers are forced to make redundancies, or an employee becomes bored with their job, feels unsupported in the workplace, or simply cannot get along with their co-workers. 

If an employee leaves your business under unpleasant circumstances, then they may be tempted to leverage any confidential information they still have access to. If your private data becomes public, then it can have serious implications for your business, and may sometimes even have legal ramifications. 

Back in 2014, Andrew Skelton was working as an IT auditor for UK supermarket Morrisons, when he was accused of using the company’s mailroom to buy and sell goods on eBay. In response to these accusations, Skelton stole the bank details and national insurance numbers of almost 100,000 Morrisons employees, and posted this data online. 

The former IT auditor was sentenced to eight years in prison, but 5,518 former and current employees also filed a claim against Morrisons for breaches of the Data Protection Act (DPA), misuse of private information, and a breach of confidence. 

Ultimately, the High Court decided that Morrisons was liable for the actions of their former employee, setting a worrying precedent for employers everywhere. If an ex-employee still has access to your corporate data, then you may be legally and financially liable for anything that person chooses to do with your data. 

Deprovisioning: How to protect your corporate data

A single ex-employee can inflict serious damage on your business, and data breaches caused by ex-employees are common. In their 2019 Data Breach Investigations Report, Verizon found that ex-employees contribute significantly to the number of data breaches, with respondents blaming 15% of security incidents on misuse by authorised users. 

To protect yourself against costly and reputation-damaging data breaches, it’s essential that you revoke an ex-employee’s access to corporate data and applications, by deprovisioning them. 

Deprovisioning is the part of the employee life cycle where you remove an employee’s access rights to corporate accounts, authentication servers, network services, and any other relevant applications and systems. Successful deprovisioning is one of the most effective ways to protect your business against a malicious ex-employee: when OneLogin polled IT decision makers, 20% of respondents admitted that their failure to deprovision had contributed to data breaches within their organization. 

In this section, we’ll be looking at the top reasons why so many businesses fail to deprovision successfully, and the steps you can take to avoid these pitfalls.

1. It’s impossible to track every employee’s access rights

Businesses are using more applications than ever before, and these applications aren’t always from the same provider. If your business uses a mix of third party applications from different providers, then it can be a challenge to track each employee’s access rights. 

Every time an employee leaves your company, you’ll need to identify every single application that employee has access to, and then manually revoke their access on an app-by-app basis. Smaller businesses may struggle to find the resources necessary to manage such a time-consuming offboarding process, while larger enterprises with a high employee turnover may find themselves in a constant state of offboarding. 

By replacing your mix of third party products with a single integrated platform, you can simplify the offboarding process, and greatly reduce the strain on your HR and IT departments. 

If you opt for a modern, cloud-based platform, then you may even be able to revoke access to all your corporate apps from a centralized location. 

If you’re using Office 365, then you can revoke an ex-employee’s access to the entire 365 platform, including all corporate apps, in just a few steps: 

● Log into the Office 365 admin center

● In the left-hand menu, navigate to “Users > Active users.” 

● Find the user that you want to deprovision, and then select the checkbox next to their name. 

● Choose “Reset password.” 

● Enter a new password, and then click “Reset.” 

● Click to select the user’s name, which should launch a new panel. 

● In the new panel, select the “OneDrive” tab. 

● Click “Initiate sign-out.” 

Within the hour, this employee will be automatically logged out of their account and then prompted to log back in. Since you’ve changed their password, they’ll be unable to access any Office 365 applications - and none of the data contained within those applications. 

2. Your employees are using unsanctioned apps

If you don’t provide your employees with the applications they need to be productive in the workplace, then they may be tempted to use unsanctioned apps. 

If your employees are using applications that you know nothing about, then you’ll also have no idea where you corporate data is stored. In this scenario, it becomes impossible to revoke an ex-employee’s access to your corporate data. 

Unsanctioned applications pose a huge security risk to businesses of all sizes, and spanning all industries - including the NHS. Recently, NHS doctors were discovered sharing private patient information via WhatsApp. While this was already a major security risk, it also increased the chances of an ex-employee leaking, stealing or selling confidential patient information. Even if the NHS managed to revoke an ex-employee’s access to all their corporate applications, that ex-employee would still have access to every piece of patient information they’d shared via WhatsApp. 

To prevent your employees from using unsanctioned apps, you must provide them with easy access to all the applications they need to be productive in the workplace. Only when you have control over every application that contains your corporate data, can you hope to prevent ex-employees from continuing to access your data. 

3. Your staff are busy, and deprovisioning isn’t a priority  

Deprovisioning ex-employees is one of those essential bits of admin that’s easy to overlook. 

In their poll of IT decision makers, OneLogin found that 25% of respondents took longer than a week to deprovision ex-employees, while a further 25% had no idea how long their ex-employee accounts remained active. 

While your staff may have full, busy workloads, the longer they take to deprovision ex-employees, the greater the risk of a data breach. 

To ensure decommissioning happens quickly and efficiently, you should have a clear company policy that details the steps that must be taken, from the time an employee hands in their resignation, until the moment they walk out the door. It’s also important to define who’s responsible for each step in the decommissioning process, as any uncertainty and confusion can increase the time it takes to deprovision former employees. 

Even with these policies in place, heavy workloads can still make deprovisioning a task that’s pushed to the bottom of the pile. If you suspect your staff are struggling, then you may be able to reduce their workload through automation. 

At Systems Assurance, we’re big fans of using Microsoft Flow to automate time-consuming and repetitive tasks. Want to free up a tonne of time, so your staff can focus on the work that really matters? Each of our Microsoft Flow tutorials show you how to implement a complete, automated workflow within your workplace: 

Automatically Send a Working From Home Email

Create an automatic vacation request and approval platform

Automatically Track Your business Expenses

Want to learn more about Microsoft Flow, or any of the other Office 365 applications? You can book a free, one-on-one consultation with one of our specialist engineers, who’ll be happy to discuss your businesses’ unique requirements. 



Claim Your One Month FREE Trial of Microsoft 365 E5 Today.

Speak to a member of our team today 0114 292 2911 or email sales@systemsassurance.com if you need any assistance.

Share this article on social media

If you found this article useful, please share it on social media. 

Subscribe to our blog...

We will only use your email to send you new blog posts.