Making the Employee Onboarding and Offboarding Process Easier and More Secure
Fifty years ago, it wasn’t very common for employees to change jobs. Once they were hired, they tended to stay with the same company for their entire working career. But that’s not the case anymore. Employees are changing jobs much more regularly these days. When a new employee joins, they need to be able to access the systems that let them do their jobs. And when an employee leaves, that access could become a risk if it’s not shut down. This makes onboarding and offboarding employees essential, not just from an HR and employee retention standpoint, but from a security standpoint, as well.
See Challenges of Employee Onboarding and Offboarding with Craig Davies for a complete transcript of the Easy Prey podcast episode.
Craig Davies is the Chief Information Security Officer at Gathid – Gathered Identities. He has been working in tech and cybersecurity since the 1990s, and he has experience in a lot of industries and big companies. He helped develop first-generation internet banking while working at a large medical device company. In addition, he spent time as the security director for tech giant Atlassian and the CEO of AustCyber, an Australian government initiative designed to help the country create a cybersecurity industry. Now, as well as working with Gathid, he is also involved in the start-up community providing guidance, advice, and investments into ideas he finds interesting. As someone who works on both the security side and business side of organizations, he’s had the opportunity to go all over the world and see what companies are getting right and what they aren’t.
The IT Onboarding and Offboarding Processes
When many companies think of the employee onboarding and offboarding processes, they think of the HR parts. Fill out the paperwork, get them on the payroll, give them information about benefits, those kinds of things. But with so much of our jobs done on computers and through digital systems – and even aspects like codes or badges to get into the building being controlled by computer systems – an important part of onboarding and offboarding involves IT as well. This is the part that many companies overlook.
No one talks about onboarding. They don’t worry about offboarding.
Craig Davies
Most of us have had a bad experience with IT onboarding. You accept the job offer, you do all the paperwork with HR, and then you spend the first few weeks at your new job trying to figure out what systems you need access to and who you need to talk to so you can get that access. It’s a frustrating employee experience. When people get hired, they’re excited and they want to make a good first impression. But it’s nearly impossible to be productive at first if they don’t have access to the systems they need to do their job.
Better Onboarding and Offboarding for Better Employee Experience
We’ve all heard stories. “So-and-so joined XYX Corp and they were there three weeks before anyone gave them an access card to get into the building,” and so on. It’s easy to brush those off as insignificant. But these kinds of experiences really frustrate people. Especially when your workers are remote, having a strong IT onboarding and offboarding process is essential. After all, someone working from home can’t just ask the coworker at the next desk if they have problems.
These days, a single role might require access to dozens of systems. So not having a streamlined process to get new employees that access detracts from the initial experience. On the other hand, a strong process can be a selling point. If employees have a smooth, non-frustrating experience getting set up with systems and access, they will view the company as a better place to work. Being able to say, “We have a great process and you’ll be able to access everything you need to do your job on the first day,” is a strong value proposition.
We need to create those exceptional working opportunities for people.
Craig Davies
The challenge with this is that it’s really hard to have an integrated, streamlined process if you don’t have anything dedicated to mapping and managing all the systems that every role requires. That’s where the benefit of a company like Gathid comes in. They help companies get visibility on all the different systems, even the ones that aren’t connected to anything else, and streamline the onboarding and offboarding journeys.
The Importance of Having a Process
Onboarding and offboarding should always be process-driven. But there are two challenges with processes. First, you have to design them, which requires knowing every single system employees may need to use and who is in charge of each one. Second, you have to follow them. Some companies go through the effort of designing a process, but fail to get all the stakeholders on board and don’t follow the process.
We are in the age of distributed platform architecture. One department buys a tool because it works really well for what they’re doing, but it’s never brought fully into the enterprise, so it doesn’t get integrated into the process. It ends up getting dismissed as too hard to do and not that big of a deal anyway. IT gets a new hire set up with an email account, makes sure they can log into the time clock, gets them set up in JIRA or Confluence or whatever other platforms are integrated, and then says they’re done.
It’s culturally accepted that people will spend the next few weeks figuring out that they’re supposed to have access to this or they need to have that role in this system. Craig has seen many times when new hires get the same permissions that Barry had – and Barry was there for thirty years and had permissions to do things nobody else knew could be done. This can cause a lot of problems and is why processes are important. Supported by platforms like Gathid, companies can watch out for toxic role combinations as well as simplify the process.
Everyone suffers from the same problem, and the only people who get on top of it … are the ones who had the crisis.
Craig Davies
The Risks and Challenges of Offboarding
Onboarding and offboarding are both challenges from an IT perspective. But where the problem with onboarding is that employees could end up frustrated and disengaged, offboarding issues could result in security risks for your company.
Onboarding is bad. Offboarding is another nightmare.
Craig Davies
When IT disables separated employees’ access, they often forget about things that aren’t connected to everything else, such as the building management system or a separate app on a personal phone. There have been many instances where companies have had a data breach or attack because a former employee still had systems access. Sometimes this happens because of a disgruntled former employee. But more often it’s because the access was left open, the employee reused those credentials, and another breach exposed them to hackers. Because your company didn’t close off access, you now have to explain how criminals compromised your data.
Offboarding is About Respect
When companies know about the risks of leaving former employees’ access intact, they can react as if the employees are a threat. But that’s the wrong approach. An employee doesn’t become evil just because they’ve left your company. A better approach is to consider offboarding, like onboarding, a way to be respectful of that person. Removing their access protects them in case something does happen.
We do this promptly in a respectful way to remove the possibility that … [the former employee] could be considered as the source of a problem.
Craig Davies
Consider a scenario where Susan left a company, and not too long after, the company suffers a breach or attack. If Susan still had systems access even though she no longer worked there, other employees could think this was somehow Susan’s fault. Even if she didn’t perpetrate the attack, she could have reused passwords and let the hacker in. But if IT terminated Susan’s access after she left on her last day, it would clearly have nothing to do with Susan.
Proper offboarding treats employees with respect by removing the possibility that they could be a problem after they leave. And it’s something many people miss in their procedures. They have the HR part and the farewell card and everything. But if you leave systems access in place, there’s a chance that something will happen and people will blame it on the former employee because they’re still in the system.
How to Prioritize Offboarding
Who is ultimately responsible for the full scope of the onboarding and offboarding processes? That argument will go on to the end of time. Chances are good that different people and areas are going to be responsible for different parts of the process. It’s important to know who’s accountable for what and make sure everyone is on the same page. And there needs to be one person or department who’s in charge of building those relationships and coordinating it all.
Let’s pretend in this example that IT is in charge of coordinating onboarding and offboarding. They would need to have a comprehensive list of every single system an employee could possibly be in. That includes everything from the company’s Single Sign-On platform to that one piece of software that one department uses only for that one specific thing. Tools like Gathid can help figure out that list and link everything together. But if they’re not using a tool, they need a really big list.
Once IT has the list, they prioritize. And how they prioritize will depend on the company and what matters most to it. Many people think the most important thing is to get them out of the network. But if they’re a remote employee with a company email on their phone, maybe that’s the bigger risk. Or maybe locking them out of the production systems is most important.
With that prioritized list, the next challenge is figuring out who administers all those systems. That might be different departments, and they might have different views of the risks involved. They bring their opinions back to IT and work on re-prioritizing until there’s a satisfactory process.
Visibility is Key to Secure Onboarding and Offboarding
For really secure onboarding and offboarding processes, the IT or cybersecurity team really needs to build relationships with other stakeholders in other departments. This will reduce the likelihood that a department will start using a new system and not tell you about it. But it will also help you figure out who administrators are and who you need to work with to improve the security of the onboarding and offboarding processes. It’s not a problem if a department administers their own system, as long as they will work with you on the processes.
Craig doesn’t like using regulatory frameworks as sticks. Instead of doing it a particular way because a lawyer said to, it’s a better attitude to do it this way because it’s the right way to do it. And having these frameworks and processes can help provide better visibility. Visibility is what lets you look across the entire organization and make better decisions. It also lets you know exactly where former employees need to be locked out to protect them and the company.
So many organizations cannot see across their organization.
Craig Davies
Visibility really is the key issue. So many companies can’t see what’s being used, what’s connected to what, or which supervisor can see which things. That’s a huge challenge. That’s also what’s motivated the Gathid platform – helping companies gain visibility across their whole organization.
Challenges of Remote and Hybrid Onboarding and Offboarding
Remote and hybrid working bring new challenges to the onboarding and offboarding processes, especially offboarding. In the past, when someone left a company, they’d take their things from their desk and once they left the building, that was it. You didn’t need to have IT offboarding processes because that wasn’t an issue. If they had a work phone or laptop, you’d take that, and there’s nothing else they could do.
Remote and hybrid work has changed that. There are employees at Gathid that Craig has only seen through video calls. And there’s nothing wrong with that. But it does mean you have to think through security differently. That’s where visibility becomes important. You can’t get rid of risk, but you can reduce it. A remote worker may have a laptop, but if you know which systems are critical, you can cut those off right away. At the worst, it would cost you a laptop.
If you don’t have that visibility, a remote or hybrid model might not be effective from a cybersecurity standpoint. It might not even be effective from a business value standpoint if you’re spending a lot of money on onboarding and offboarding. The prioritization will also be different. A person who comes into the office has a much different risk profile than a fully remote worker. If you have the ability to accurately assess what your systems and employee access look like, you can more easily identify pain points and problems.
All Businesses Should Be Concerned
Craig would love to do a survey of CISOs and IT people and ask them to rank the security or IT processes in their company that are kind of terrible and terrify them. If onboarding and offboarding aren’t number one or two on the list, that’s a problem. We generally seem to be figuring out how to do most other security tasks pretty well. But most companies have no idea how to smoothly and successfully onboard a new employee or help them move on when their time at the company is done.
Everything else we seem to be figuring out how to do reasonably well, but … we still have no idea how to bring someone in and how to help them move on.
Craig Davies
People are more complicated than systems. Bringing a person on or letting them go involves more than just the technical aspects. But the technical aspects are important, too. We need to be able to get them up and running smoothly so new employees can get right to doing their best work. And when people are moving on for whatever circumstances, we need to be able to honor their work and respect their exit journey.
Learn more about Gathid at gathid.com. They have some great case studies from clients and are more than happy to give you a demo of what they do. You can also find Craig Davies on Twitter or LinkedIn.