Here is another classic phishing email, if you look at the email address at first glance it looks ok, then when you look next to it, the email has actually come from a generic onmicrosoft.com domain and not Tallon, they also state the invoice is attached as a pdf, however if you look at the attachment it is .html, again another sign that this email is not what it seems to be.
Digital footprints cover today’s modern workplace. Employees begin making these the moment they’re hired. They get a company email address and application logins. They may even update their LinkedIn page to connect to your company.
When an employee leaves a company, there is a process that needs to happen. This is the process of “decoupling” the employee from the company’s technology assets. This digital offboarding is vital to cybersecurity.
You don’t want a former employee to maliciously email all your customers from their work email. Sensitive files left on a former staffer’s computer could leak months later.
20% of surveyed businesses have experienced a data breach connected to a former employee.
Digital offboarding entails revoking privileges to company data, and much more. This is a critical process to go through for each former staff member to reduce risk.
Below, we’ve provided a handy checklist to help you cover all your bases.
Your Digital Offboarding Checklist
Knowledge Transfer
Vast corporate knowledge can disappear when a person leaves an organization. It’s important to capture this during a digital offboarding process.
This could be something as simple as what social media app someone used for company posts. Or it may be productivity leveraging. Such as the best way to enter the sales data into the CRM.
Make sure to do a knowledge download with an employee during the exit interview. Better yet, have all staff regularly document procedures and workflows. This makes the knowledge available if the employee is ever not there to perform those tasks.
Address Social Media Connections to the Company
Address any social media connections to the former employee. Is their personal Facebook user account an admin for your company’s Facebook page? Do they post on your corporate LinkedIn page?
Identify All Apps & Logins the Person Has Been Using for Work
Hopefully, your HR or IT department will have a list of all the apps and website logins that an employee has. But you can’t assume this. Employees often use unauthorized cloud apps to do their work. This is usually done without realizing the security consequences.
Make sure you know of any apps that the employee may have used for business activities. You will need to address these. Either change the login if you plan to continue using them. Or you may want to close them altogether after exporting company data.
Change Email Password
Changing the employee’s email password should be one of the first things you do. This keeps a former employee from getting company information. It also keeps them from emailing as a representative of the company.
Accounts are typically not closed immediately because emails need to be stored. But you should change the password to ensure the employee no longer has access.
Change Employee Passwords for Cloud Business Apps
Change all other app passwords. Remember that people often access business apps on personal devices. So, just because they can’t access their work computer any longer, doesn’t mean they can’t access their old accounts.
Changing the passwords locks them out no matter what device they are using. You can simplify the process with a single sign-on solution.
Recover Any Company Devices
Make sure to recover any company-owned devices from the employee’s home. Remote employees are often issued equipment to use.
You should do this as soon as possible to avoid loss of the equipment. Once people no longer work for a company, they may sell, give away, or trash devices
Recover Data on Employee Personal Devices
Many companies use a bring your own device (BYOD) policy. It saves them money, but this can make offboarding more difficult.
You need to ensure you’ve captured all company data on those devices. If you don’t already have a backup policy in place for this, now is a good time to create one.
Transfer Data Ownership & Close Employee Accounts
Don’t keep old employee cloud accounts open indefinitely. Choose a user account to transfer their data to and then close the account. Leaving unused employee accounts open is an invitation to a hacker. With no one monitoring the account, breaches can happen. A criminal could gain access and steal data for months unnoticed.
Revoke Access by Employee’s Devices to Your Apps and Network
Using an endpoint device management system, you can easily revoke device access. Remove the former employee’s device from any approved device list in your system.
Change Any Building Digital Passcodes
Don’t forget about physical access to your building. If you have any digital gate or door passcodes, be sure to change these so the person can no longer gain access.
Need Help Reducing Offboarding Security Risk?
When you proactively address digital offboarding, the process is easier and less risky. Contact us today for a free consultation to enhance your cybersecurity.
Article used with permission from The Technology Press.
Bring your own device (BYOD) is a concept that took hold after the invention of the smartphone. When phones got smarter, software developers began creating apps for those phones. Over time, mobile device use has overtaken desktop use at work.
According to Microsoft, mobile devices make up about 60% of the endpoints in a company network. They also handle about 80% of the workload. But they’re often neglected when it comes to strong cybersecurity measures.
This is especially true with employee-owned mobile devices. BYOD differs from corporate-owned mobile use programs. Instead of using company tools, employees are using their personal devices for work. Many businesses find this the most economical way to keep their teams productive.
Purchasing phones and wireless plans for staff is often out of reach financially. It can also be a pain for employees to carry around two different devices, personal and work.
It’s estimated that 83% of companies have some type of BYOD policy.
You can run BYOD securely if you have some best practices in place. Too often, business owners don’t even know all the devices that are connecting to business data. Or which ones may have data stored on them.
Here are some tips to overcome the security and challenges of BYOD. These should help you enjoy a win-win situation for employees and the business.
If there are no defined rules for BYOD, then you can’t expect the process to be secure. Employees may leave business data unprotected. Or they may connect to public Wi-Fi and then enter their business email password, exposing it.
If you allow employees to access business data from personal devices, you need a policy.
This policy protects the company from unnecessary risk. It can also lay out specifics that reduce potential problems. For example, detailing the compensation for employees that use personal devices for work.
As soon as a policy gets outdated, it becomes less relevant to employees. Someone may look at your BYOD policy and note that one directive is old. Because of that, they may think they should ignore the entire policy.
Make sure that you keep your BYOD policy “evergreen.” This means updating it regularly if any changes impact those policies.
Before the pandemic, 65% of employees gave their personal phone numbers to customers.
This often happens due to the need to connect with a client when away from an office phone.
Clients also may save a personal number for a staff member. For example, when the
employee calls the customer from their own device.
Customers having employees’ personal numbers is a problem for everyone. Employees may leave the company, and no longer answer those calls. The customer may not realize why.
You can avoid the issue by using a business VoIP phone system. These services have mobile apps that employees can use. VoIP mobile apps allow employees to make and receive calls through a business number.
Remote work has exasperated the security issue with BYOD. While BYOD may have meant mobile devices in the past, it now means computers too. Remote employees often will use their own PCs when working outside the office.
No matter what the type of device, you should maintain control of business data. It’s a good idea to restrict the types of data that staff can store on personal devices. You should also ensure that it’s backed up from those devices.
When employee devices are not updated or patched, they invite a data breach. Any endpoint connected to your network can enable a breach. This includes those owned by employees.
It can be tricky to ensure that a device owned by an employee is kept updated. Therefore, many businesses turn to endpoint management solutions. An endpoint device manager can push through automated updates. It also allows you to protect business data without intruding on employee privacy.
The monitoring and management capabilities of these tools improve security. This includes the ability to safelist devices. Safelisting can block devices not added to the endpoint manager.
If an employee leaves your company, you need to clean their digital trail. Is the employee still receiving work email on their phone? Do they have access to company data through persistent logins? Are any saved company passwords on their device?
These are all questions to ask when offboarding a former staff member. You should also make sure to copy and remove any company files on their personal device. Additionally, ensure that you deauthorize their device(s) from your network.
Oak MSP can help you explore solutions to secure a BYOD program. We’ll look at how your company uses personal devices at your business and recommend the best tools. Contact us today for a free consultation.
Article used with permission from The Technology Press.
Copyright © 2022 Oak MSP. All Right Reserved.
hello@oakmsp.co.uk ❘ Tel. 0115 6971 903
Suite 2800 37 Westminster Buildings, Theatre Square, Nottingham, United Kingdom, NG1 6LG
Company Number 14369745, VAT Number GB 427 1161 22
