- If your company doesn’t quite have a handle on device security when people leave their jobs, you’re not alone. Half of companies polled by the research firm YouGov say they’ve lost technology assets — phones, laptops, field devices — when people leave, creating security risks.
- “Organizations have a lot more work to do in accurately and completely deprovisioning departing employees,” says the survey report, commissioned by Oomnitza, an enterprise management technology company. “Former workers that have access to a single system can lead to operational, data privacy, and security issues.”
- And it’s not just devices. With the growth of software-as-a-service (SaaS) tools, former employees are often able to access platforms that they no longer should, creating further risks. “The effort associated with offboarding has been compounded due to the ever-increasing, diverse and dynamic technology footprint of each user,” the report says.
There are two risk areas with departing employees: what the report calls endpoint devices — company-issued assets like phones, laptops and smart field tools — and cloud-based SaaS platforms.
Half of the 213 senior executives responding to the survey said they’ve lost at least 5% of their endpoint devices when employees leave. Just under 40% said they’ve lost fewer than 5% of their devices and the remaining said they don’t know what their losses are.
The losses can create a legal headache, especially if information on a missing device is subject to a legal hold or other data preservation requirement.
Most of the companies reporting large numbers of missing devices are small and medium-sized but almost a quarter of large companies, with more than 10,000 people, say they lose at least 10% of their devices when people leave.
Companies are wrestling just as much with unauthorized SaaS platform access. About a third of medium-sized and large companies say there’s unauthorized access after a person leaves. But as with devices, smaller companies face the biggest problem. Their unauthorized access rate is almost 40% higher than what larger companies face.
Companies in the technology, healthcare and services businesses have the most unauthorized access, suggesting either lower maturity of their deprovisioning processes or higher awareness of their exposure.
The report’s recommended solution is putting in place a process automation workflow system that can manage both ends of the employee lifecycle — the onboarding on the front end and the offboarding on the back end.
But to be effective, the solution must be implemented in a cross-functional way, with IT, HR, legal and finance getting involved. A manual system is not robust enough to catch problems systematically.
“Managing this complex process manually with the sole reliance on help desk tickets to request human actions is resource intensive and often is prone to errors,” the report says. “This can lead to incomplete offboarding, exposing an organization to security, compliance, audit and financial risks.”