“Leaving us so soon, Mr. Solo?” This famous quote might sound good in the movies, but in a business environment, the event of an employee leaving your company can cause some serious security issues if not treated properly. Let’s talk about why and what you can do to prevent these risky situations.
Two Types of Employee Leave
In general, there are two types of leave: planned leave and unplanned leave. Both are different and should be handled accordingly.
1. Planned Leave
In this situation, the employee leaves the organization as scheduled, usually after a designated period of time once resignation notice has been submitted.
Most organizations have contingency plans in place for planned leave. The employee is generally required to fill out a few forms, visit relevant departments, and have each department verify that there are no open issues (for instance, all loans have been returned, all user accounts are closed, etc.). Once these steps have been completed, the employee is free to leave the organization.
So, is this process error-proof? From the IT point of view, the answer is a big “NO!” From our experience, an audit will always find the same flaws:
- User accounts that were never closed, even though the employees are no longer with the company.
- User accounts still in use that belonged to employees who left the organization a long time ago.
- And more horror situations from an IT perspective…
2. Unexpected/Unplanned Leave
In this situation, the employee stops working immediately. Reasons might include immediate termination due to fraud, an accident that resulted in medical implications, the employee winning the lottery, etc.
The common factor shared by all these examples is this: you have no time to prepare for the leave and need to act immediately in order to minimize risk.
Unexpected leave situations are much worse than planned leave. People vanish, but their traces are left behind and can be used by unauthorized employees or hackers to commit fraud and reveal sensitive information.
Just imagine identifying a security breach from John’s account – an employee who left your organization a month ago. Identifying who has been using John’s account a month after he left the company can be a nightmare for the IT department and anyone investigating the account.
To prepare for this, you need to put the right processes in place so you aren’t left with a mountain of security issues when an employee leaves your organization.
3 Things You Can Do to Create a Solid Employee Leave Contingency Plan
If you’re the CISO, or security and authorizations have otherwise been placed under your supervision, it’s imperative that you prepare for planned leave and unplanned leave ahead of time.
These three things are crucial for ensuring a smooth employee exit:
(1) Automate the Leave Request Process – You should convert all manual leave request processes to automated ones. You’ll also need to implement a workflow process that automatically locks or eliminates the relevant user accounts on the planned leave date. This will ensure that requests are documented and approved correctly, and that no security holes are left open.
(2) Coordinate HR and Business Systems – You must have a process that coordinates events in the HR system with user accounts in all critical systems. A good process runs automatically, identifies the “leave” event in the HR system, and eliminates all user accounts in the Active Directory, SAP systems, and hours reporting system on the correct leave date. This ensures that no traces are left behind after a leave, and the old account cannot be taken over or misused.
(3) Automatically Eliminate Inactive Accounts – If a user has not used either their Windows account or their SAP account for more than 15 days, they are most likely on leave. This usually means the employee is on vacation or sudden leave, both of which you’ll need to be aware of. Some companies choose to lock inactive user accounts automatically (which is recommended), while others issue an email to the employee’s boss asking “Does this employee still work here?” If there’s no answer or the answer is “No,” the system automatically locks the user’s accounts. Whatever preference you have regarding user lock automation, it’s critical that you have a system in place that regularly handles inactive user accounts.
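The reconciliation described in steps (2) and (3) can be sketched as follows. This is an added example, not Xpandion or ProfileTailor code: the HR records, account inventory, user names and action labels are constructed, and flagging accounts with no HR record for review is an assumption that goes beyond what the article states.

```python
from datetime import date, timedelta

INACTIVITY_DAYS = 15  # threshold stated in the article

# Constructed sample data: an HR export and a per-system account inventory.
HR = {
    "jsmith": {"leave_date": date(2024, 5, 1), "manager": "boss1@example.com"},
    "adoe":   {"leave_date": None, "manager": "boss2@example.com"},
    "mlee":   {"leave_date": date(2024, 7, 15), "manager": "boss1@example.com"},
    "kwong":  {"leave_date": None, "manager": "boss2@example.com"},
}
ACCOUNTS = [  # (system, user, enabled, last_logon)
    ("AD",  "jsmith", True, date(2024, 5, 28)),  # used after the leave date
    ("SAP", "jsmith", True, date(2024, 4, 30)),
    ("AD",  "adoe",   True, date(2024, 5, 10)),
    ("SAP", "adoe",   True, date(2024, 5, 12)),
    ("AD",  "mlee",   True, date(2024, 5, 31)),  # leave date still in the future
    ("AD",  "kwong",  True, date(2024, 5, 1)),
    ("SAP", "kwong",  True, date(2024, 5, 30)),  # recent SAP use: still active
    ("SAP", "ghost",  True, date(2024, 5, 29)),  # no HR record at all
]

def reconcile(hr, accounts, today):
    """Return (action, system, user, detail) for every enabled account at risk."""
    cutoff = today - timedelta(days=INACTIVITY_DAYS)
    last_seen = {}  # most recent logon per user across ALL systems
    for system, user, enabled, logon in accounts:
        if enabled:
            last_seen[user] = max(last_seen.get(user, logon), logon)
    actions = []
    for system, user, enabled, logon in accounts:
        if not enabled:
            continue
        rec = hr.get(user)
        if rec is None:  # assumption: unknown owners go to manual review
            actions.append(("REVIEW", system, user, "no HR record"))
        elif rec["leave_date"] and rec["leave_date"] <= today:
            why = "leave date passed"
            if logon > rec["leave_date"]:
                why += "; logon AFTER leave, investigate"
            actions.append(("LOCK", system, user, why))
        elif last_seen[user] < cutoff:  # inactive everywhere for > 15 days
            actions.append(("ASK_MANAGER", system, user, rec["manager"]))
    return actions

if __name__ == "__main__":
    for action in reconcile(HR, ACCOUNTS, date(2024, 6, 1)):
        print(action)
```

The "logon AFTER leave" detail is the case from the John scenario above: an account that is still enabled and has been used since its owner left.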
What Xpandion Has to Say
From our experience, automated processes are the best solutions for planned and unplanned employee leave situations. Because we frequently receive questions about how to plan for these situations, we’ve included the relevant workflow processes in our ProfileTailor software.