Employees coming and going: play it safe

When you hire new employees, you give them access to digital systems and workplaces. You want your company information to stay secure while they work for you, but also when they stop working at your company. Find out how tools like an authorisation matrix can ensure a safe start, and a safe departure, for your employees.

An employee decides to leave your company. You arrange a farewell bouquet, and say goodbye to the former colleague. But that is not the end of your relationship. Think about your company’s digital security when you change employees.

A safe start for new employees

“Think about how a new employee starts working at your company. And include information security in their training programme”, recommends Isra Acherrat, trainer at NFIR IT Forensics & Incident Response. She has four tips for employers:

1. Create an authorisation matrix

An authorisation matrix is basically a list of the rights and authorisations you give to employees. Should the receptionist be able to see customer details? Should sales representatives be able to access employee data? And who should have a key to the warehouse? In other words: tie any access rights, both online and offline, to your employee’s job description. An authorisation matrix shows you what your employees are using for their work. That includes keys, access passes, login codes, applications, bank cards, telephones, laptops or tablets.

2. Use a password manager

“Prevent new employees from typing in the same passwords for everything. Arrange a password manager for them instead. The password manager will automatically create and store new and unique passwords for them. That way, employees only have to remember a single strong password to access the main password manager.” Another benefit of a password manager is that you can set who can access which information for each department. Acherrat explains how it works: “I can only access the customer data I need for my work. I cannot see information that is not important for me. That is safe for the customer, and safe for me.”

3. Make information security part of the training programme

Create a training programme with all the information that new employees need. That will help them do their new tasks properly. When someone starts working at your company, you tell them where the coffee machine is, and which systems you use. “But information security is just as important”, says Acherrat. “Make the new colleague aware of how important it is. Tell them who to contact for a security incident or a suspicious situation. Acting fast is important in the event of an incident. It helps limit the consequences. And tell employees that if they cause an incident by accident, they can report it without feeling guilty or embarrassed. After all, anyone can fall into a cybercriminal’s trap.”

Acherrat emphasises how important it is to talk about the issue on a regular basis. “Organisations often see digital security at work as a project. Something to check off after you talk about it once. But awareness of cybersecurity should become a habit. A process that is always running. Digital security improves when everyone in the company works on it all the time.”

Put cybersecurity on the regular agenda.

4. Improve security with a tidy workplace

Paying attention at the office is another way to improve your company’s security. Let your staff know that loose papers or open computer screens may lead to a cyberincident. In the training programme, make agreements about how to deal with company data to limit the risks.

  • Clear everything from your desk at the end of the day. Store all papers and customer files in a locked cabinet. A printed invoice has information that someone could misuse.
  • Lock your computer when you take a coffee break. It just takes a second. But that is all the time someone needs to steal the information on your screen using their smartphone camera.
  • Erase the whiteboard after a meeting. This prevents colleagues, customers, mechanics, or cleaners who might be passing by from accessing information that is meant only for you and your immediate colleagues.

What to do when an employee leaves your company

When an employee leaves your company, you do not want them to be able to access company information, like personal data or customer details. Here are three tips for a safe farewell.

  • Look at the authorisation matrix. You know which authorisations the employee had. Turn off those authorisations, collect the keys and access passes, block the accounts and change passwords to the systems that the employee used.
  • If you use a password manager, then you can cancel online access with the press of a button.
  • Cancel their access to the VPN. Having employees use business applications via a VPN connection makes your company more secure. A VPN is software that encrypts data before sending them via the internet. So when an employee leaves, cancel their access to the VPN so they can no longer start online applications. That way, the employee will no longer have access to the company network.
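
An added example, not part of the original article: a small authorisation matrix kept as data, used first to spot rights that do not match a job description and then to produce the list of actions for a departing employee. All roles, names and items are constructed for illustration.

```python
# Authorisation matrix: what each job description is allowed to hold (constructed sample data).
MATRIX = {
    "receptionist": {"front-door key", "access pass", "email", "appointment system"},
    "sales": {"access pass", "email", "customer database", "laptop", "vpn"},
    "warehouse": {"warehouse key", "access pass", "stock system"},
}

# What each employee actually holds today (constructed; names are hypothetical).
GRANTS = {
    "alice": {"role": "sales",
              "items": {"access pass", "email", "customer database", "laptop", "vpn"}},
    "bob": {"role": "receptionist",
            "items": {"front-door key", "access pass", "email",
                      "appointment system", "customer database"}},
    "carol": {"role": "warehouse",
              "items": {"warehouse key", "access pass", "stock system"}},
}

# How an item is withdrawn; anything not listed here is a personal account to block.
PHYSICAL = {"front-door key", "warehouse key", "access pass", "laptop"}
SHARED_LOGIN = {"stock system"}  # assumption: one login shared by the warehouse team


def excess_rights(grants, matrix):
    """Return {employee: [items held that the job description does not allow]}."""
    excess = {}
    for name, grant in grants.items():
        extra = grant["items"] - matrix[grant["role"]]
        if extra:
            excess[name] = sorted(extra)
    return excess


def offboarding_checklist(name, grants, matrix):
    """List (action, item) pairs for a leaver, covering both what the role
    allows and what the person really holds, so nothing is skipped."""
    grant = grants[name]
    actions = []
    for item in sorted(grant["items"] | matrix[grant["role"]]):
        if item in PHYSICAL:
            actions.append(("collect", item))
        elif item in SHARED_LOGIN:
            actions.append(("change password", item))
        else:
            actions.append(("block account", item))
    return actions


if __name__ == "__main__":
    print("Rights outside the job description:", excess_rights(GRANTS, MATRIX))
    for action, item in offboarding_checklist("bob", GRANTS, MATRIX):
        print(f"bob: {action} -> {item}")
```

The checklist is built from the union of the role's rights and the employee's recorded items, so access that was granted as an exception is still withdrawn when the person leaves.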

In practice

Entrepreneur Réni Peeters owns a specialist contact lens and optometrist shop. He works with confidential information. When employees leave the company, he does not want them to be able to access customer details. So he always checks their authorisation rights. This video shows what you should pay attention to when an employee leaves the company.