A Guide to Onboarding and Offboarding Employees for Risk Prevention

  • June 05, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Cavan Leung

Senior Compliance Manager

Employee onboarding and offboarding refer to the processes that begin and end an employee’s time with a company. 

You’ve likely heard these terms before, and may have helped execute these processes, but ensuring security during these essential steps of the employee lifecycle is a challenge even for the most experienced employees. This is especially true as remote work introduces new IT security risks.

In a Gartner Peer Insights survey, 58% of executives said offboarding processes have changed as a result of needing to support a remote workforce and 55% of IT and security professionals described remote offboarding as more challenging.

Whether you’re a leader of a built-out IT department or manning HR alone, we’ll explore how you can create a seamless and secure onboarding and offboarding process.

What is onboarding?

Onboarding refers to the ongoing process of transforming a new hire into an integrated employee. This involves introducing new hires to the performance aspect of their new jobs, socializing them into organizational culture, and acquainting them with the organization's goals, values, rules, and procedures.

The process begins once a new hire accepts a job offer and continues until that individual is fully immersed in their role.

Benefits of effective onboarding include:

  • Risk minimization: The Ponemon Institute found that the cost and frequency of insider-led incidents are on the rise. The cost of addressing an insider security problem has increased from $11.45 million in 2020 to $15.38 million in 2022. The frequency is also up by 44% in 2022. Onboarding can help reduce insider incidents caused by error, privilege misuse, negligence, and other factors. 
  • Employee retention: Paychex found that while a staggering 50% of newly hired employees plan to quit soon, that number skyrockets to 80% for those who feel undertrained from poor onboarding. 
  • Improved productivity and engagement:  SHRM found that 62% of companies with onboarding programs have higher time-to-productivity ratios and 54% report higher employee engagement. 
  • Greater return on investment (ROI): eLearning Industry found that 77% of employees who had a formal onboarding process achieved their initial performance goals.

Despite the obvious benefits, many organizations fall short in their onboarding processes, resulting in security disasters. Creating effective onboarding can be even harder with remote employees. Let’s walk through the concept of remote onboarding below.

What is remote onboarding?

Remote onboarding is the process of integrating new employees into a company's culture, workflows, and processes entirely or primarily through virtual means as a result of circumstances such as remote work policies, distributed teams, or global operations. 

The remote onboarding process may involve activities such as:

  • virtual orientation sessions
  • online training modules
  • video conferences with team members and managers
  • electronic document signing
  • the use of digital tools for communication and collaboration. 

Remote onboarding aims to ensure that new hires feel welcomed, informed, and equipped to succeed in their roles, despite not being physically present at the company's office location or with their manager or other stakeholders.

Remote onboarding has unique security considerations. And since the transition towards remote working has accelerated in recent years, it’s more important than ever to understand how to securely onboard employees. 

In the next section, we’ll unpack exactly how you can improve the onboarding process, whether in-person or remote, to safeguard your organization’s assets.

How IT can help craft a secure onboarding program

The onboarding process is all about giving a new hire a positive experience and getting them up to speed.

However, it’s equally important to slow down and make sure you’re doing so safely. Follow these important steps to get your new hire set up while also covering your bases for security compliance.

1. Collect information securely

Before your new employee has even started their new role, the onboarding process has already begun. At least a week before their start date, collect their personal information and begin preparing everything they’ll need for their job.

This process requires careful coordination and communication between HR and IT. Be sure to:

  • Confirm the employee’s information, including their name and department
  • Figure out what tools they’ll need access to
  • Have a solid understanding of what approvals they’ll need for certain licenses

Ensure that any personal and sensitive information of new hires, such as identification documents, is securely collected, transmitted, and stored in compliance with data protection regulations.

2. Prepare and ship hardware

Next, prepare to send them the hardware they’ll be using on a daily basis. It’s a good idea to keep a list of materials that every role needs in your onboarding standard operating procedure (SOP).

A couple of weeks before the employee begins their new role, make sure computers and other items they’ll need are in stock. If they’ll be working remotely, prepare to ship those materials early.

On the employee’s first day, check in and gauge their comfort with assembling a workstation. Confirm that they’re equipped with the virtual private network (VPN) or teleworker gateway your organization uses and provide them with technical support as needed.

IT support will both minimize room for technical error (enhancing security) and provide the employee with a positive experience.

3. Install necessary software and set up accounts

Once your new hire has their hardware operational, it’s time to install necessary software and help them activate their accounts.

Whether you’re bringing a new employee into your organization or preparing an existing employee for a role change, create a list of systems and permissions that they will gain or lose access to.

According to survey data from Ivanti, in 27% of companies, employees go without essential credentials for over a week. Not only is this a stressful experience for the employee, but it also costs the company.

4. Implement access controls

Once you’ve listed the systems and permissions they’ll need access to, you can implement robust access controls and authentication mechanisms. This ensures that only authorized individuals have access to company systems, applications, and data. This involves setting up multi-factor authentication (MFA) and role-based access controls (RBAC).

When implementing access controls, consider the Principle of Least Privilege. This is particularly important during onboarding. New employees should only be given access to the resources they need to do their job. If the employee needs more privileges later on, they can make a case as to why. 

5. Manage their devices

It’s essential that new hires use secure devices with up-to-date antivirus software and encryption protocols. Remote devices in particular must be protected against malware, ransomware, and other threats. 

A mobile device management (MDM) solution can help manage devices securely, and ensure they are regularly updated with security patches and software updates.

As part of your overall MDM strategy, you should also provide guidelines for securing personal devices used for work purposes, such as enabling device encryption and using secure Wi-Fi networks.

6. Conduct first-day IT training

Any new hire’s first day on the job is full of new information. Prioritize IT training to make sure they know how to behave securely and responsibly from day one.

A comprehensive IT training session should cover topics such as:

  • How to contact IT
  • The issues that each department handles
  • What good password hygiene looks like (e.g., do not keep passwords in a spreadsheet on the desktop)
  • The rules for certain applications (e.g., maybe one software requires multi-factor authentication every time it’s used, while others only require it once per day)
  • An overview of your organization’s security protocols

7. Enforce policies

To ensure that new hires are following security best practices, you should enforce security policies and procedures for remote work, including guidelines for acceptable device usage, internet connectivity requirements, and data handling practices.

An automation platform can ensure that all new hires have accepted organizational policies, and ensure they continue to do so on a recurring basis.

8. Conduct regular security training

Remember, onboarding is an ongoing process.

One training session isn’t enough to communicate everything an employee should know to keep themselves and the company safe. New threats develop, company protocol evolves, and humans are imperfect.

For this reason, it’s a good idea to conduct regular security training for all recent hires, and even for seasoned employees.

As you begin leveling up your own onboarding process, download our printable onboarding checklist below to stay on track.

Get the IT Onboarding Checklist

Level up your employee onboarding process with this printable checklist.

What is offboarding and how should it be done?

Offboarding is the opposite of onboarding — it’s the formal process of disengaging an employee from the organization.

Offboarding is a retroactive process. It’s about removing access to systems and tools rather than giving it. While this process tends to receive less attention than onboarding, executing it well is imperative to any security program.

According to Ivanti, nearly half of IT professionals are only somewhat confident that their most recently offboarded employees can’t access systems and data anymore. More recently, DTEX found there was a 35% increase in data theft incidents caused by employees leaving companies in 2022..

These statistics indicate that many organizations lack effective offboarding procedures for when an employee leaves.

If that’s the case at your organization, follow the steps below to understand how IT can play an integral part in data protection during an employee’s departure.

1. Determine risk level

Gauging an employee’s risk level is an essential first step in the offboarding process. If you have reason to believe that the employee may retaliate or tamper with company information, you should proceed with caution.

To assess employee volatility, you should ask yourself a couple of questions:

  • Was the employee asked to leave or are they leaving voluntarily? It’s a good idea to have two offboarding processes in place — one for voluntary terminations and another for involuntary terminations.
  • Has the employee actively complained about upper management throughout their time with the company? If so, their volatility should be ranked higher as there’s a greater likelihood of dissatisfaction and retaliation.

An effective way to gauge an employee’s volatility is to host an exit interview and ask carefully worded questions to learn about their grievances. This is also a great time to attempt to diffuse a volatile employee by empathizing and offering support.

Next, assess how privileged this employee is in your IT systems based on their role and job function. Do they have access to advanced hardware and accounts and/or special permissions? If so, they may be able to cause significant damage to the organization.

Rank employee volatility and privilege level each on a scale of 1 to 10 from least to most, and add them together to get your risk score. Risk level is subjective, but generally speaking…

  • If they score between 8 and 20, you should proceed with caution.
  • If they score below 8, they likely aren’t of significant risk.

Let's say the employee only ranked 2 for privilege level but 8 for volatility. With a total risk level of 10, it’s important to do your due diligence during their offboarding to ensure your organization remains secure.

2. Retrieve organizational assets

Once the employee has finished their last day with the company, it’s time to retrieve the organization’s assets.

Physical assets to retrieve include:

  • Computers
  • Monitors
  • External drives
  • Keys and access cards

Digital assets to retrieve include:

  • Software credentials
  • VPNs
  • Emails
  • Cloud accounts
  • Licenses to any software

As long as the employee isn’t high-risk, it’s important to notify them of the date when their accounts will no longer be available. Do so at least a few days before deactivating them and wiping sensitive data from their devices. This provides the departing employee with some time to transfer any personal assets they may be storing on their work account.

3. Identify data storage locations and back up

If you operate on a primarily cloud-based system, the employee may have downloaded valuable company assets onto their personal devices. It’s important to check records on the back end for evidence of any data transfers and investigate suspicious activity.

If you’re offboarding a high-risk employee, you should also consider changing the passwords of shared company logins. If the employee wrote down this information, they could steal or damage critical business data after offboarding.

Of course, you should also back up all the information you have about the departing employee. This data will come in handy during the next stage of the offboarding process — the knowledge transfer.

Finally, remember that the employee has important data in their head. Remind them about the non-disclosure agreement (NDA) as well as any other confidentiality agreements that they signed when onboarding. While they can get in legal trouble for accidentally violating these, it’s best to avoid this trouble altogether.

4. Transfer knowledge

During this stage, it’s important to consider everyone who may be impacted by the employee’s departure.

For example, you should notify relevant vendors and clients of the employee’s departure. Provide a new point of contact as well as any information that could be helpful during the transition.

Finally, after documenting the employee’s responsibilities and activity, it’s time to transfer that knowledge to their replacement. This should make the transition between one employee’s departure and another’s entrance seamless.

The next time you offboard an employee, use the offboarding checklist below to execute this process securely.

Get the IT Offboarding Checklist

Complete the employee offboarding process securely with this printable checklist.

Compliance tips when onboarding and offboarding employees

According to Navex Global, 37% of organizations lack a formal compliance education plan. These organizations run the risk of being penalized for failing to follow industry regulations. And they’re vulnerable to cyber attacks from external and internal parties.

To remain compliant throughout the entire onboarding and offboarding process, consider the following tips:

1. Document everything

Create SOPs, checklists, and other resources detailing your onboarding and offboarding processes. This will keep departments on the same page and help you demonstrate that your processes are compliant with industry standards.

Documentation also applies to individual employees — whenever a user’s access controls change, this change should be documented. Aside from it being a responsible security habit, you may be required to provide these records as evidence during an audit like SOC 2.

2. Automate wherever possible

Human error is inevitable, and there are places where machines should be put to work. Automation can make processes more foolproof while also saving company resources.

For example, setting up automatic employee data backups will save you time and stress before the offboarding process begins.

3. Continually reassess training protocols

It’s important to return to your training resources and SOPs for regular reassessment. New risks and organizational failures reveal areas that need work, but the organization must take initiative to fix what’s broken.

For example, If you find that a former employee has access to company data, don’t just say “too bad” and move on. Introduce stronger security processes to your offboarding SOP to make sure it doesn’t happen again.

Learn from your failings until you have the most secure onboarding and offboarding processes possible.

4. Sync tools

While there isn’t an all-in-one software for all of your organization’s processes, many digital tools can sync and integrate. Doing so streamlines processes and allows for clear communication among departments when onboarding and offboarding.

For more tips around how to securely onboard and offboard employees, explore our visual guide below.

How Secureframe can help

Secureframe simplifies the employee onboarding and onboarding process while keeping your company secure at every step. 

  • Automatically import personnel: Secureframe automatically imports personnel into the platform through your HR, SSO, MDM, and other integrations. 
  • Automate onboarding: New employees can follow an automated onboarding workflow to complete security awareness training and review policies.
  • Monitor vendor access: Track the level of access each personnel has to your integrations to make sure they have the necessary access to get their job done and to make sure that only a limited number of employees have full access to your sensitive data. 
  • Simplify offboarding: Our platform highlights which employees can access which vendors, including former employees, simplifying the offboarding process. 
  • Track personnel tasks and send reminders: Get peace of mind that each personnel completes the tasks they need to, like accepting policies, completing security training, and passing a background check. With Secureframe, admins can easily track which personnel have incomplete tasks and send reminders, all from a single view.

For expert help in making your onboarding and offboarding processes secure,request a demo of Secureframe today.

For more tips around how to securely onboard and offboard employees, explore our visual guide below.

FAQs

What is the difference between onboarding and offboarding?

Onboarding prepares a new employee to become a functioning member of the organization. In contrast, offboarding prepares the employee (and their employer) for the employee’s departure.

What’s the opposite of onboarding?

The opposite of onboarding is offboarding, which involves managing the departure of an employee from your company. This process entails several steps, including establishing a handover process for any incomplete projects or documents, conducting an exit interview, and returning company property. 

Who is responsible for onboarding and offboarding?

Employee onboarding and offboarding is typically the responsibility of HR and IT to ensure each process is done securely.