A Guide to Onboarding and Offboarding Employees for Risk Prevention
You’ve certainly heard of employee onboarding and offboarding, and you’ve probably helped execute these processes more than once.
But prioritizing security during these essential steps of the employee lifecycle is no cakewalk. This is especially true after the pandemic blindsided organizations with new IT security risks.
For example, Tessian found that 57% of employees feel more distracted when working from home, increasing the likelihood of successful phishing attacks. Home offices also rarely have as many security controls as the workplace, making attacks easier to execute.
With the help of this guide, security prioritization will feel clearer than ever.
First, let’s review what these important terms mean.
Employee onboarding and offboarding refer to the processes that begin and end an employee’s time with a company.
Onboarding prepares a new employee to become a functioning member of the organization. In contrast, offboarding prepares the employee (and their employer) for the employee’s departure.
Whether you’re a leader of a built-out IT department or manning HR alone, we’ll explore how you can create a seamless and secure onboarding and offboarding process.
What is onboarding?
Onboarding refers to the ongoing process of transforming a new hire into an integrated employee. The process begins once a new hire accepts a job offer and continues until that individual is fully immersed in their role.
Benefits of effective onboarding include:
- Risk minimization: The Ponemon Institute found that 78% of organizations have fallen victim to a data breach due to negligent or malicious employees.
- Employee retention: Digitate found that employees who had a negative onboarding experience are twice as likely to seek a new job in the near future.
- Improved engagement: Axonify found that 93% of employees believe well-planned employee training programs improve their engagement at work.
- Greater return on investment (ROI): Glassdoor found that 77% of employees who had a formal onboarding process achieved their initial performance goals.
Despite the obvious benefits, many organizations fall short in their onboarding processes, resulting in security disasters.
Next, we’ll unpack exactly how you can improve the onboarding process to safeguard your organization’s assets.
How IT can help craft a secure onboarding program
The onboarding process is all about giving a new hire a positive experience and getting them up to speed.
However, it’s equally important to slow down and make sure you’re doing so safely. Follow these important steps to get your new hire set up while also covering your bases for security compliance.
1. Collect information
Before your new employee has even entered the building, the onboarding process has already begun. At least a week before their start date, collect their personal information and begin preparing everything they’ll need for their job.
This process requires careful coordination and communication between HR and IT. Be sure to:
- Confirm the employee’s information, including their name and department
- Figure out what tools they’ll need access to
- Have a solid understanding of what approvals they’ll need for certain licenses
By the time the new hire arrives, they should be ready to hit the ground running.
2. Prepare and ship hardware
Next, prepare to send them the hardware they’ll be using on a daily basis. It’s a good idea to keep a list of materials that every role needs in your onboarding standard operating procedure (SOP).
A couple of weeks before the employee begins their new role, make sure computers and other items they’ll need are in stock. If they’ll be working remotely, prepare to ship those materials early.
On the employee’s first day, check in and gauge their comfort with assembling a workstation. Confirm that they’re equipped with the virtual private network (VPN) or teleworker gateway your organization uses and provide them with technical support as needed.
IT support will both minimize room for technical error (enhancing security) and provide the employee with a positive experience.
3. Install necessary software and set up accounts
Once your new hire has their hardware operational, it’s time to install necessary software and help them activate their accounts.
Whether you’re bringing a new employee into your organization or preparing an existing employee for a role change, create a list of systems and permissions that they will gain or lose access to.
According to survey data from Ivanti, in 27% of companies, employees go without essential credentials for over a week. Not only is this a stressful experience for the employee, but it also costs the company.
4. Conduct first-day IT training
Any new hire’s first day on the job is full of new information. Prioritize IT training to make sure they know how to behave securely and responsibly from day one.
A comprehensive IT training session should cover topics such as:
- How to contact IT
- The issues that each department handles
- What good password hygiene looks like (e.g., do not keep passwords in a spreadsheet on the desktop)
- The rules for certain applications (e.g., maybe one software requires multi-factor authentication every time it’s used, while others only require it once per day)
- An overview of your organization’s security protocols
5. Conduct regular security training
Remember, onboarding is an ongoing process.
One training session isn’t enough to communicate everything an employee should know to keep themselves and the company safe. New threats develop, company protocol evolves, and humans are imperfect.
For this reason, it’s a good idea to conduct regular security training for all recent hires, and even for seasoned employees.
As you begin leveling up your own onboarding process, download our printable onboarding checklist below to stay on track.
What is offboarding and how should it be done?
Offboarding is the opposite of onboarding — it’s the formal process of disengaging an employee from the organization.
Offboarding is a retroactive process. It’s about removing access to systems and tools rather than giving it. While this process tends to receive less attention than onboarding, executing it well is imperative to any security program.
According to Ivanti, nearly half of IT professionals are only somewhat confident that their most recently offboarded employees can’t access systems and data anymore.
Essentially, many organizations lack effective offboarding procedures.
That said, how should you get involved in the offboarding process? The steps below outline how IT can play an integral part in data protection during an employee’s departure.
1. Determine risk level
Gauging an employee’s risk level is an essential first step in the offboarding process. If you have reason to believe that the employee may retaliate or tamper with company information, you should proceed with caution.
To assess employee volatility, you should ask yourself a couple of questions:
- Was the employee asked to leave or are they leaving voluntarily? It’s a good idea to have two offboarding processes in place — one for voluntary terminations and another for involuntary terminations.
- Has the employee actively complained about upper management throughout their time with the company? If so, their volatility should be ranked higher as there’s a greater likelihood of dissatisfaction and retaliation.
An effective way to gauge an employee’s volatility is to host an exit interview and ask carefully worded questions to learn about their grievances. This is also a great time to attempt to diffuse a volatile employee by empathizing and offering support.
Next, assess how privileged this employee is in your IT systems based on their role and job function. Do they have access to advanced hardware and accounts and/or special permissions? If so, they may be able to cause significant damage to the organization.
Rank employee volatility and privilege level each on a scale of 1 to 10 from least to most, and add them together to get your risk score. Risk level is subjective, but generally speaking…
- If they score between 8 and 20, you should proceed with caution.
- If they score below 8, they likely aren’t of significant risk.
Let's say the employee only ranked 2 for privilege level but 8 for volatility. With a total risk level of 10, it’s important to do your due diligence during their offboarding to ensure your organization remains secure.
2. Retrieve organizational assets
Once the employee has finished their last day with the company, it’s time to retrieve the organization’s assets.
Physical assets to retrieve include:
- External drives
- Keys and access cards
Digital assets to retrieve include:
- Software credentials
- Cloud accounts
- Licenses to any software
As long as the employee isn’t high-risk, it’s important to notify them of the date when their accounts will no longer be available. Do so at least a few days before deactivating them and wiping sensitive data from their devices. This provides the departing employee with some time to transfer any personal assets they may be storing on their work account.
3. Identify data storage locations and back up
If you operate on a primarily cloud-based system, the employee may have downloaded valuable company assets onto their personal devices. It’s important to check records on the back end for evidence of any data transfers and investigate suspicious activity.
If you’re offboarding a high-risk employee, you should also consider changing the passwords of shared company logins. If the employee wrote down this information, they could steal or damage critical business data after offboarding.
Of course, you should also back up all the information you have about the departing employee. This data will come in handy during the next stage of the offboarding process — the knowledge transfer.
Finally, remember that the employee has important data in their head. Remind them about the non-disclosure agreement (NDA) as well as any other confidentiality agreements that they signed when onboarding. While they can get in legal trouble for accidentally violating these, it’s best to avoid this trouble altogether.
4. Transfer knowledge
During this stage, it’s important to consider everyone who may be impacted by the employee’s departure.
For example, you should notify relevant vendors and clients of the employee’s departure. Provide a new point of contact as well as any information that could be helpful during the transition.
Finally, after documenting the employee’s responsibilities and activity, it’s time to transfer that knowledge to their replacement. This should make the transition between one employee’s departure and another’s entrance seamless.
The next time you offboard an employee, use the offboarding checklist below to execute this process securely.
Compliance tips when onboarding and offboarding employees
According to Navex Global, 37% of organizations lack a formal compliance education plan. These organizations run the risk of being penalized for failing to follow industry regulations. And they’re vulnerable to cyber attacks from external and internal parties.
To remain compliant throughout the entire onboarding and offboarding process, consider the following tips:
1. Document everything
Create SOPs, checklists, and other resources detailing your onboarding and offboarding processes. This will keep departments on the same page and help you demonstrate that your processes are compliant with industry standards.
Documentation also applies to individual employees — whenever a user’s access controls change, this change should be documented. Aside from it being a responsible security habit, you may be required to provide these records as evidence during an audit like SOC 2.
2. Automate wherever possible
Human error is inevitable, and there are places where machines should be put to work. Automation can make processes more foolproof while also saving company resources.
For example, setting up automatic employee data backups will save you time and stress before the offboarding process begins.
3. Continually reassess training protocols
It’s important to return to your training resources and SOPs for regular reassessment. New risks and organizational failures reveal areas that need work, but the organization must take initiative to fix what’s broken.
For example, If you find that a former employee has access to company data, don’t just say “too bad” and move on. Introduce stronger security processes to your offboarding SOP to make sure it doesn’t happen again.
Learn from your failings until you have the most secure onboarding and offboarding processes possible.
4. Sync tools
While there isn’t an all-in-one software for all of your organization’s processes, many digital tools can sync and integrate. Doing so streamlines processes and allows for clear communication among departments when onboarding and offboarding.
For more tips around how to securely onboard and offboard employees, explore our visual guide below.
Secureframe simplifies the employee onboarding and onboarding process while keeping your company secure at every step.
New employees can follow an automated onboarding workflow to complete security awareness training and review policies. Our platform also highlights which employees can access which vendors, including former employees, simplifying the offboarding process. And we offer over 100 integrations with HR and workspace tools, from ADP to Google Workspace to Slack.
For expert help in making your onboarding and offboarding processes secure, request a demo of Secureframe today.