Pre-pandemic, employee exit procedures were important. In the middle of the pandemic and remote work, those procedures are imperative.
Any time an employee leaves their place of work, the employer will conduct an exit interview, unless the employee is let go, in which case there’s not usually a need. The now former employee moves on to their next opportunity, but the business isn’t done yet. There are still procedures that have to take place for legal and compliance reasons, not to mention the security problems that can happen. Especially now, in the midst of the coronavirus pandemic, where every business employs remote workers, it is vital to follow employee exit procedures and remove access when someone leaves.
First, let’s forget the pandemic. Let’s pretend that life is a pre-pandemic “normal” for businesses. When an employee is hired, you enter their information into your human resources system. You add their name, address, date of birth, SSN, email, salary information and position. As the employee continues their tenure, any disciplinary action or commendations earned will be documented there. The employee’s position dictates what internal systems they have access to and how deep that access goes.
The longer an employee is with a company, the more likely it is that their position changes and their access needs change. If that employee ever leaves the company, regardless of the terms, any and all credentials they created must be stripped of access. No system can be left untouched because every system is an access point. If that access is not removed, it doesn’t even have to be the ex-employee who gets into your system. Their information and passwords could be recycled at their new place of business or on social media, and exposed there if they become the victim of a hack.
Now, think about all of that taking place in the pandemic era. The shift to remote work increased the strain on IT departments in every business. Infrastructure, systems and machines are all strained by the sheer number of people logging in from home. Think about that former employee and the type of access they have to your business, which now extends to their remote location. What happens if you don’t do anything with that access? What happens if you just let them go and forget they were ever hired?
A prime example of what can happen is showcased by the Post Rock Water District in Kansas. Earlier this month, Wyatt A. Travnichek, a former employee of the water facility, was indicted. He allegedly logged in to the public water system, remotely from his home, with the intention of shutting down safety processes that make the water safe to drink. The incident is said to have happened in March 2019, at which time Travnichek was an ex-employee. Part of his job duties while employed included logging in remotely to monitor the plant after hours.
“On or about March 27, 2019, in the District of Kansas, the defendant, Wyatt Travnichek, knowingly tampered with a public drinking water system, namely the Ellsworth County Rural Water District No. 1,” prosecutors alleged. “To wit: he logged in remotely to Post Rock Rural Water District’s computer system and performed activities that shut down processes at the facility which affect the facility’s cleaning and disinfecting procedures with the intention of harming the Ellsworth County Rural Water District No. 1.”
Ask yourself if your business could withstand a situation such as this. In this case, people’s lives were literally at stake. That may or may not be the situation for your business, but think about the impact someone like Travnichek could have with your business information. What damage could be done? Could a former employee with specific access steal proprietary information? Do you want to leave an open access point for hackers to exploit simply because you didn’t reduce your attack surface?
The Kansas man faces a maximum of 25 years in prison and $500,000 in fines. A water plant isn’t likely to go out of business anytime soon, but the same cannot be said for most small to medium sized businesses. You must protect your assets. Employee exit procedures are an area of security that is often missed due to a lack of knowledge or simple oversight. Don’t make this mistake. If you have former employees whose access has not been removed, it’s time to run through that list and make sure those credentials are blocked or removed and that they haven’t been used. If they have, immediately treat it as an incident.
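The review described above can be run as a reconciliation of three exports: the HR separation list, the account inventory of each system, and the authentication log. The script below is an added example, not part of the original article; the CSV columns, system names, users and dates are constructed, and it assumes access is legitimate through the end of the separation date.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports; the column names and systems are assumptions.
HR_SEPARATIONS = """user,separated
jdoe,2024-01-15
asmith,2024-02-28
"""
ACCOUNTS = """system,user,enabled
vpn,jdoe,true
remote-desktop,jdoe,true
email,jdoe,false
vpn,asmith,false
vpn,bnguyen,true
"""
AUTH_LOG = """timestamp,system,user,result
2024-01-10T22:14:00,remote-desktop,jdoe,success
2024-03-02T23:41:00,remote-desktop,jdoe,success
2024-03-03T08:00:00,vpn,asmith,failure
2024-03-05T09:00:00,vpn,bnguyen,success
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(hr_csv, accounts_csv, auth_csv):
    """Return (finding, user, system, timestamp) tuples for former employees."""
    # Assumption: access is legitimate through the end of the separation date.
    left = {r["user"]: date.fromisoformat(r["separated"]) for r in rows(hr_csv)}
    findings = []
    # Check 1: every account of a former employee must be disabled, on every system.
    for acct in rows(accounts_csv):
        if acct["user"] in left and acct["enabled"].strip().lower() == "true":
            findings.append(("STILL_ENABLED", acct["user"], acct["system"], ""))
    # Check 2: any authentication attempt dated after separation needs review;
    # a successful one means the credentials were used and is handled as an incident.
    for ev in rows(auth_csv):
        if ev["user"] not in left:
            continue  # current employee
        if datetime.fromisoformat(ev["timestamp"]).date() > left[ev["user"]]:
            kind = "INCIDENT_LOGIN" if ev["result"] == "success" else "FAILED_ATTEMPT"
            findings.append((kind, ev["user"], ev["system"], ev["timestamp"]))
    return findings

if __name__ == "__main__":
    for finding in audit(HR_SEPARATIONS, ACCOUNTS, AUTH_LOG):
        print(*finding)
```

A failed attempt after separation is reported separately because it shows someone still trying the old credentials even though the account held.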
More and more businesses are contemplating keeping at least a hybrid workforce post-pandemic. Even a VPN is not 100% preventive. It doesn’t matter where your employees are working: if they leave or are let go, their information must be reviewed and adjusted appropriately.