Secure device offboarding begins with secure onboarding
The Great Resignation shows no sign of abating, with 20% of workers worldwide planning to quit their jobs this year. This is not only alarming from an employment and culture perspective, but also from a security perspective. Outgoing employees pose a significant data exposure risk, exacerbated by the new remote/hybrid-first landscape.
It’s no surprise, then, that 98% of business leaders have cybersecurity concerns about high employee turnover – especially insider risk. Insider risk describes any data exposure event (whether intentional or unintentional) originating from the company, including departing employees.
Business leaders’ main concerns centre on personal device use and visibility. Over half (55%) of employees admit to using personal devices for work at least sometimes. Accordingly, 71% of business leaders are concerned about departing employees keeping sensitive data on their personal devices and/or in personal cloud storage.
The same proportion (71%) of business leaders also say they lack visibility into the data outgoing employees take to other companies, which can be of particular concern if employees transfer to competitors.
Tips for safely offboarding remote employees’ devices
Not every organization can afford an in-house security operations team, but every organization should implement basic data protection measures to minimize the security risk of employee attrition.
It is important to note that a secure device offboarding process does not begin at the moment of offboarding. Actions taken before a device is even shipped to a remote worker reduce the security risk later, when that device has to be recovered.
Here are three simple steps you can take to ensure a safe exit process for remote employees.
#1 Provide each worker with a corporate device (avoid BYOD models)
The easiest way to reduce personal device usage is simply to provide workers with devices.
Bring Your Own Device (BYOD) policies give the illusion of saving companies money on hardware. But the average data breach is estimated to cost $4.35 million, and over half of IT professionals believe that using a personal device increases the likelihood of a breach, so the apparent savings can prove financially damaging in the long run.
Deploying devices to remote workers has never been easier, thanks to the rise of remote equipment management solutions since the start of the pandemic.
#2 Pre-configure devices before deploying
If employees set up their work devices themselves, they can sign in to the operating system and its applications with a personal Google account or Apple ID. This exposes your organization to data theft.
Unless you have controls in place to prevent it, a personal login syncs data to the personal cloud account and from there to every device associated with that account. An employee can therefore pull sensitive data onto a personal device through their personal login, and keep that data after they leave the organization.
If you set up (pre-configure) devices before deployment, you can create managed user accounts for the employee so that personal logins are never used, and install security policies on the device that reduce other breach risks.
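As an added example (not code from the original article or from Hofy), the following Python script builds a macOS configuration profile that turns off iCloud document sync, the personal-Apple-ID sync path described above, and audits an existing profile for those same keys. The payload type and restriction keys are Apple’s documented Restrictions payload (`com.apple.applicationaccess`); the organization identifier `com.example.corp` and the display names are assumptions. The profile still has to be delivered through your MDM to take effect.

```python
import plistlib
import uuid

# Restriction keys from Apple's Restrictions payload (com.apple.applicationaccess).
# Each set to False blocks a sync path that a personal Apple ID would otherwise use.
ICLOUD_RESTRICTIONS = {
    "allowCloudDocumentSync": False,         # iCloud Drive document sync
    "allowCloudDesktopAndDocuments": False,  # Desktop & Documents folders in iCloud (macOS)
    "allowCloudKeychainSync": False,         # passwords/keys syncing to a personal keychain
}


def build_profile(org_id="com.example.corp", display_name="Corporate baseline"):
    """Return the profile as a dict; org_id is an assumed placeholder identifier."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{org_id}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Block personal iCloud sync",
        **ICLOUD_RESTRICTIONS,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_id}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadScope": "System",      # device-wide, not per user
        "PayloadContent": [restrictions],
    }


def to_mobileconfig(profile):
    """Serialize the profile dict to the XML plist bytes of a .mobileconfig file."""
    return plistlib.dumps(profile)


def audit_profile(data):
    """Return the restriction keys that are missing, or not set to False, in a .mobileconfig.

    Useful for checking a profile exported from an MDM before it is assigned to devices.
    """
    profile = plistlib.loads(data)
    payloads = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.applicationaccess"
    ]
    if not payloads:
        return ["no com.apple.applicationaccess payload"]
    return [
        key for key in ICLOUD_RESTRICTIONS
        if not any(p.get(key) is False for p in payloads)
    ]


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile())
    with open("corporate-baseline.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("findings:", audit_profile(blob))  # an empty list means all three keys are enforced
```

Run the audit against any profile your MDM already pushes; a non-empty list names the sync path that is still open.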
#3 Choose a device management provider that enables restriction of USB usage, software installation and more
Mobile Device Management (MDM) or Unified Endpoint Management (UEM) systems allow you to remotely monitor, secure and manage your devices. Make sure your provider offers the following features to limit security risks during offboarding:
Restriction of USB usage
Organizations can easily audit email and other electronic channels. But USB flash drives and other portable storage devices are essentially blind spots for IT and security teams, especially once employees’ devices leave corporate offices.
Unless their use is restricted, employees can quickly and easily copy sensitive data, including email, contact lists and databases, onto these devices and retain that information long after they leave.
Ensure that your MDM can restrict the use of USB devices, including flash drives, USB cameras and memory sticks, across all corporate devices.
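As an added example (not from the original article or from Hofy), here is how the same USB mass-storage restriction can be applied and verified on a Linux endpoint outside of any MDM: a modprobe `install` rule makes the kernel refuse to load the `usb-storage` and `uas` (USB Attached SCSI) drivers, so flash drives and external disks never appear as block devices. The configuration file name is an assumption; the `install <module> /bin/false` mechanism is standard modprobe behaviour. Writing to a real `/etc/modprobe.d` requires root, so the self-check below writes into a temporary directory.

```python
from pathlib import Path

# Both drivers must be blocked: usb-storage covers classic flash drives,
# uas covers USB Attached SCSI, which most modern external SSDs use.
MODULES = ("usb-storage", "uas")
CONF_NAME = "99-corp-block-usb-storage.conf"  # assumed file name


def write_usb_block(root="/"):
    """Write the modprobe configuration under <root>/etc/modprobe.d and return its path."""
    conf_dir = Path(root) / "etc" / "modprobe.d"
    conf_dir.mkdir(parents=True, exist_ok=True)
    lines = []
    for module in MODULES:
        lines.append(f"install {module} /bin/false")  # run /bin/false instead of loading the module
        lines.append(f"blacklist {module}")           # also stop alias-based autoloading
    path = conf_dir / CONF_NAME
    path.write_text("\n".join(lines) + "\n")
    return path


def audit_usb_block(root="/"):
    """Return the modules in MODULES that no modprobe .conf file neutralises.

    Any 'install <module> /bin/false' (or the older /bin/true) line counts, whichever
    file it lives in, so this also recognises a restriction pushed by another tool.
    """
    conf_dir = Path(root) / "etc" / "modprobe.d"
    blocked = set()
    if conf_dir.is_dir():
        for conf in conf_dir.glob("*.conf"):
            for line in conf.read_text().splitlines():
                parts = line.split()
                if len(parts) >= 3 and parts[0] == "install" and parts[2] in ("/bin/false", "/bin/true"):
                    # modprobe treats '-' and '_' in module names as equivalent
                    blocked.add(parts[1].replace("_", "-"))
    return [m for m in MODULES if m not in blocked]


def selfcheck():
    """Apply and audit the restriction in a throwaway root; returns (before, after)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        before = audit_usb_block(tmp)
        write_usb_block(tmp)
        after = audit_usb_block(tmp)
    return before, after


if __name__ == "__main__":
    print(selfcheck())
```

Two caveats a practitioner should keep in mind: an `install` rule only stops future loads, so a module that is already loaded must be removed with `modprobe -r`, and nothing here prevents a local root user from loading the driver with `insmod`. Treat it as a control on ordinary users, and pair it with full-disk encryption and the remote-wipe capability discussed below.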
Prevent unauthorized app use
Shadow IT, where employees use IT systems, devices or applications without the IT department’s knowledge or approval, has crept onto IT security teams’ radars with the rise of remote work.
Many organizations create lists of allowed applications without putting measures in place to enforce them. Letting employees install whatever applications they want increases the risk of data leakage (e.g. employees transferring sensitive business data via WhatsApp), of malware infecting your devices, and so on.
Minimize these risks by restricting software installation through your MDM.
Ability to remotely lock or wipe device data
If your employees ever use their devices outside the office, it’s important that you can remotely lock them and/or wipe their data. The reasons go beyond offboarding: a laptop is stolen every 53 seconds, and a lost laptop is estimated to cost a business over $49,000.
Offboarding remote employees is not as simple as asking them to clear their desks and leave their work devices behind. A remote employee keeps their work device until you can collect it, which can take weeks if they are in a hard-to-reach area or communication is slow.
If you can remotely wipe your devices, you can delete company data as soon as the employee’s contract ends. Pair the wipe with revoking the employee’s accounts and active sessions, since a wipe command only reaches a device that is powered on and online.
About the author: Sami Bouremoum is CEO of Hofy. Before founding Hofy, Sami led growth management and territory expansion at Samsara (a16Z unicorn), working on logistics and operational issues related to scaling teams across geographies. Sami also worked at Bain in management consulting and has a PhD from University College London in computer science.