Employee offboarding is in the spotlight following unprecedented workforce disruption, layoffs, and resignations. IT and HR leaders throughout industries are swamped with transitioning stay-at-home workers and managers. However, the amount of SaaS these workers use – some sanctioned and some not – adds complexity to these unfortunate tasks.
Secure offboarding is critical. But companies can’t deprovision what they can’t see. To help with this process, offboarding processes must be elevated in the age of SaaS.
Employee offboarding risks
Information Week shares a sobering stat: 50% of ex-employees can still access corporate cloud applications. Their findings, based on a study of five hundred IT decision-makers, indicate that few firms have adequate provisioning, deprovisioning, termination, and login management processes in place.
Notably, 20% of respondents report that “their failure to deprovision employees from corporate applications has contributed to a data breach at their organization.”
It is now common for companies to deprovision 20-30 licenses per employee, versus the usual four to five in years past, according to the report. But the reality might be worse.
Cleanshelf (now LeanIX)’s annual State of Business SaaS Spend report found that in 2019, the typical employee at a U.S. enterprise with 800 or more employees used 44 cloud applications. The companies themselves use licenses from 140 vendors on average. Because so few companies know what they actually own, up to $4 million (or nearly 30% of spend) is wasted yearly.
The implications of such ambivalence is startling. Companies clearly underestimate the SaaS risks and the amount of SaaS used by their employees. If IT doesn’t know what applications employees are using, how can they turn access off when staff turns over? They can’t.
A recent study from Gurucul found one in 10 would take as much corporate information with them as possible when they left, while another 15% said they would delete files or change passwords.
Terminated employee access has financial, legal, and competitive implications.
- An ex-salesperson could access forecasts, contracts, and prospect lists.
- Former operational or financial staff may have access to non-public revenue and performance data.
- Engineers may maintain unauthorized access to code.
More SaaS + less visibility = offboarding mess
The most complete offboarding workflow is still fragile when IT can’t see what cloud apps employees use. The process of identifying and deprovisioning should take seconds; not hours or days of accessing logs, verifying credit card records, and cross-referencing HR and vendor files to establish who has what. In many cases, these don’t reconcile anyway.
It’s now common – especially given today’s stay-at-home phenomena – for workers to buy SaaS on their personal cards and seek reimbursement. And beyond the data and compliance benefits, once companies have a full view of their licenses, they can thoughtfully re-deploy unused licenses elsewhere.
With LeanIX SaaS Management Platform, companies can have a full view of their licenses so they can thoughtfully re-deploy unused licenses elsewhere.
Employee offboarding checklist
Establish a simple, repeatable, employee offboarding process with a focus on communication and security for the reasons mentioned above.
The offboarding process is divided into two sections. Steps from 1 and up to 4 are made to check off the general formalities, while step 5 is made for the IT department that will prevent potential security issues.
1. Communicate employee’s exit
Everyone in the team, their managers, and members should be notified of the employee's exit. This will give them the opportunity to thank the employee for their work. If the employee was in a customer-facing position, let them know of the employee’s departure and who will take over the account.
2. Resolve paperwork
Besides filing the employee’s termination or resignation letter, also file non-disclosure or non-compete agreements.
3. Finish payroll process
Communicate with the payroll department to complete their final pay. Settle other requirements for Benefits, 401K, PTO Balance, Insurance, and Tax related forms.
4. Exit interview
Conducting an open interview to receive honest feedback on what works and what not will eventually help you improve your work environment, leadership, and organization in general.
As you finish the formalities above it’s time to check-off the IT offboarding points to preserve data security in your enterprise.
5. IT checklist for employee offboarding
Access and inventory control is a process, where the entire lifecycle is important for completeness.
Below we compiled nine basic steps from the IT perspective where some will depend on the employee and what kind of data they were able to access.
We recommend full deprovisioning (Step 3) that starts with verifying every app an employee uses. Make sure to review license usage once accounts are deprovisioned (Step 9). This ensures consistent cost management.
- Reclaim all assigned equipment: Make someone responsible. If you’re not responsible for recovering the assets then make someone else do it. This way you can follow up and keep track of the assets as they return. Revoke all devices that are associated with company apps and not just a company laptop.
- Revoke access: Revoke access to Identity Provider, Single-Sign-On and Production systems, and all internal user accounts to which the employee had access.
- Unassign SaaS or software licenses (cross-reference in SaaS management tool): Verify every app an employee used and deprovision accordingly. Pay attention to shadow IT as it is most often a missed step especially when offboarding employees. If you don’t control your data, you may not be aware of what access to remove.
- Perform a backup of user’s data: Perform a complete backup of the user’s data. If you already have it saved and archived as part of your routine manage it according to your internal compliance policy.
- Take forensic images of computing devices: High-risk organizations should take forensic images of computing devices, PCs, Phone, Email, etc. for any employee that is terminated for cause or has access to IP including customer lists. Having this data may prove essential if the employee disputes their termination.
- Disable access to email account: Create an out-of-office message for email or forward employee’s emails to the superior or person responsible. Remove the email address from generic distribution lists and manage them according to your internal policy.
- Change passwords: If there are any passwords that were shared between employees in the organization or department itself, require staff to change those to remove the potential risk of any unauthorized access.
- Update Credit Card payments: If an employee leaving had a company credit card, make sure to uncover which SaaS services were paid with it so you don’t get any disturbances in services that would potentially mean loss of data or employee productivity.
- Optimize licensing plans: As you offboard employees, the number of users that were initially planned and signed to use SaaS in contracts is now changed. Make sure to optimize your licensing plans when possible (negotiate, if needed).
Uncover the SaaS service utilization and optimize licensing plans accordingly.
Bonus insights for effective employee offboarding
LeanIX has helped dozens of companies manage the software side of offboarding. Once you complete the initial IT termination checklist here are few additional insights to improve the experience:
- Be notified in advance: IT departments should be notified in advance, when applicable, of an employee termination. This allows preparation for backup, restoration and preservation of any corporate data the employee was responsible for managing.
- Don’t close only tools with active accounts: Don’t only close out SaaS tools for which the employee has an active account. Review the tools they’ve used in the past. Long-running sessions or API access tokens may still be in place.
- Pay attention to remote access software: Double check that no remote access software remains on company workstations. These ‘backdoors’ – through logging into a VPN or using a remote desktop – are common given remote IT support trends.
- Reassess SaaS contracts: Reassess licensing models for popular cloud applications after staff departures. This is most relevant in cases where layoffs hit a department that uses speciality software. For example, if the marketing team loses staff, move off an enterprise license agreement (ELA) and negotiate SaaS contract to pay per license for applications like Marketo, Intercom, Buffer, or Mailchimp.
- Double check vulnerable areas: Focus on vulnerable areas. Unwinding cloud office suite access (for G-Suite and Office 365) seems simple but may trap even vigilant admins. Double-check: are IMAP/POP sync settings disabled? As well, verify that no automatic email forwarded remains. Also, delete or reassign email aliases. For example, your customer support employee may have received an email at their “firstname.lastname@example.org” domain, while additionally receiving email from “email@example.com” too.
- Review integration logs: Review integration logs of business essential tools. A tool like Slack or Zapier may have integrations dependent on a user’s account staying active. First, understand what applications a former employee used, then assign changes to reduce the likelihood of disruption.
The stakes for effective offboarding are high. Alvaro Hoyos, Program Manager for Engineering Compliance at Google sums up the problem. “There’s this proliferation of applications. Because of that, the risk has increased exponentially.”
Last but not least, keep communication with the former employee and try to engage them in the alumni network.
Yes, offboarding must be comprehensive and timely. But if enterprises don’t know what their employees are using, offboarding isn’t really offboarding at all.