27th October 2022

Whether you’re welcoming new talent onto your roster or bidding farewell to a colleague, there’s always a lot to think about, what with HR, payroll, contracts, and other practicalities.

But in all of the hubbub of team members on the move, don’t forget about IT! Tech is such an inseparable part of our daily working lives that documented, simple, set-up and wind-down processes are absolutely invaluable.

So, what do practical and secure onboarding and offboarding processes look like? We asked our tech boffins, and they didn’t disappoint. Though any such process needs to be tailored to your specific needs, tech functions, and risk factors, we think they’ve covered a lot of ground here. But the main takeaway is that checklists are your friend!


Disclaimer: Anything relating to welcoming or bidding farewell to team members needs to be handled legally and strictly in line with workers’ rights and contracts. This list only covers some of the more general IT security concerns associated with both situations, so if in doubt, ask HR!


Secure Onboarding

When you’re welcoming a new team member, you want them to be as productive and secure as possible, as soon as possible. So, creating a smooth onboarding process is crucial.

Why Proper IT Onboarding Processes Are Important

  • Documented IT onboarding processes mean that everyone can make techy preparations for the new hire ahead of time, so when the individual starts work, they can hit the ground running with all of the IT provisions they need.
  • When devices, logins, and access are provisioned fairly and documented correctly out of the gate, the IT department can ensure that nobody has more access or hardware than they really need.
  • When you standardise your IT and cybersecurity rollout processes for each individual, you can be more certain that everyone has access to the same level of IT security provisions in order to keep them and the company safe.
  • So management and the IT department know exactly what hardware and software each individual has access to in cases of disciplinary action, internal investigations, and secure offboarding.
  • In cases of mobile or remote devices, a documented requisition and handout process can be instrumental in establishing responsibility and culpability in cases of loss, theft, or damage. Your insurers will likely thank you!
  • Your staff are the custodians of your company data – some of it quite sensitive – so it makes sense to record who is able to access what information and how.

Secure IT Onboarding Checklist

Thankfully, as far as IT is concerned, welcoming a new team member on board is generally the more straightforward of the two processes, but it can be just as laborious!


Before The New Hire Arrives

Establish What’s Needed

When a new hire is confirmed, coordinate with HR and their line manager-to-be to establish the following. Open a file for them containing:

  • The person’s full name
  • Their job title, department, and level of seniority
  • Their starting date
  • Their proposed work email address (and other contact information such as telephone extension if applicable)
  • What access to digital tools, data, and physical premises will they need and why?

Set Up The Functional Essentials

Get the person’s functional tools ready to go. Set up:

  • Their email address
  • Their telephony provisions
  • Their access to productivity software, such as Google Workspaces or Office 365
  • Their access to any other software they may need in their role, such as accounting software or CRM
  • Their access to data and other digital resources

Remember the principle of least privilege (POLP) when handing out permissions. If your network uses Active Directory (or something similar), this is usually fairly simple. Record what levels of access they’ve been given to what programs in their file – and update their file during their tenure if any access or tools change.

Obtain & Set Up Their Device(s)

What devices does the new team member’s hiring manager think they will need? Sense-check this from an IT and security perspective and prepare to have the devices set up and at the appropriate site ahead of the new hire’s start date.

Don’t release any mobile or remote hardware into the individual’s care before any employment contracts, IT fair use policies, hardware agreements, and privacy agreements are signed. Note any requisitioned hardware in their file and your own IT asset records.

Set Up The Security Essentials

Establish what security measures that any newly requisitioned hardware will need, including endpoint protection/antivirus, Multi-Factor Authentication, Managed Detection and Response tools, DNS Filtering, and password managers. This would also be a good opportunity to set up any phishing training tools like PhishAware. Make a note of all tools used in their file.

Prepare for Cybersecurity Training

It’s probably inconvenient to have a full-on cybersecurity training session on the person’s first day – depending on the sensitivity of their work, of course! Make sure that each new hire undergoes some training around cybersecurity fundamentals before they start work.

Phishing and social engineering are particularly ever-present threats, so make sure your new team member is given some guidance around spotting and reporting suspicious emails; around not downloading suspicious files, and around not enabling macros on unsolicited documents.


After The New Hire Arrives

Sign All Agreements

Before they sit down and start work, it’s imperative that the new hire signs all contracts and agreements relating to their job. From an IT perspective, they will likely need to sign your IT fair use policy, privacy agreements, and hardware agreements .

Provide Cybersecurity Training

Provide the new hire with all of the day-1 cybersecurity training identified above, and earmark their file as a priority individual to include next time you embark on company- or team-wide security training.

Set Up Access Credentials

If you use RFID key cards or biometrics to access any parts of your premises or to log in to devices, set that up as part of the individual’s onboarding process.

Let Them Set Secure Passwords

Once it’s time for them to sit down and start work, have the individual access each of the IT tools and resources they have been given access to and get them to set their own secure and unique passwords. Make sure they know how to securely use any security tools like Multi-Factor Authentication or password managers too.


Secure Offboarding

There are a lot of potential security worries when parting company with an individual. So, the only thing more important than a secure onboarding process is creating a secure offboarding process.

Why Proper IT Offboarding Processes Are Important

  • When parting company with someone who has been party to a lot of sensitive or high-risk information, there is always a worry that they will take sensitive data with them, leak trade secrets, or otherwise sabotage operations as they leave (or do so remotely after parting company). Watertight offboarding processes help minimise these risks.
  • If you hand out company-owned mobile hardware, good onboarding processes will help you document who has what and where. Good offboarding processes will help you claim all of that back from them when they leave.
  • When you wind down all outgoing user logins at the same time you part company, you massively reduce the chances of a cybercriminal somehow gaining access to a dormant account and potentially accessing private data and introducing threats into your systems.
  • In a similar vein, when you close all dormant user logins and credentials asap, you reduce your chances of overpaying for unused software licences or vendor services charged per user.
  • Closing off access to sensitive data in a strict, timely manner reduces the chances that a competitor (potentially your leaver’s new employer) may access your data – or worse, gain ongoing access to your systems.
  • If your leaver liaised a lot with external parties throughout the supply chain, having a documented comms succession plan in place means that the baton can easily pass to their colleagues and those external parties will have a seamless handover experience.

Secure IT Offboarding Checklist

Parting company is never easy. But when it comes to IT security it’s important to get things right. We’ve separated this list into three sections: a “preparation” stage which represents when someone has just handed in their notice or when it is decided that someone needs to leave; a “departure” stage representing them actually leaving; and a “post-departure” section once you have bid your final farewells.


Preparation

Establish The Individual’s Risk and Volatility

Establish the situation surrounding the individual’s departure. Are they working a notice period or will they be asked to leave immediately? What risk level would you put them at given their access to data and systems? And how volatile are they – i.e., how likely is it that they would do something rash to sabotage you… or to benefit a future, competing employer?

Some of the steps below may differ depending on how you’re parting ways, and the individual’s level of risk and volatility. But if they are highly risky or volatile – and especially if their departure is likely to come as a surprise – you may want to revoke all access before they get called in for “the talk” and chaperone them off the premises afterwards.

Check The Leaver’s IT Usage History

Even if the soon-to-be-former employee’s departure doesn’t relate to IT misuse, it’s always worth reviewing any available access logs in the run up to their termination to make sure they have been using tech appropriately. If they accessed something overly sensitive without good reason, this may be worth investigating further with HR.

If they are a particularly volatile party and/or they suspect that a parting of ways may be coming, they may have been trying to sabotage or steal sensitive data. So, treat anything out of the ordinary as potentially suspicious.

Establish What They Have Access To

We talked a lot about keeping things on file during their onboarding process – and now’s the time to revisit that file. Establish what the leaving individual has access to through your file and through tools like Active Directory.

This may include access to email, productivity tools, telephony/VoIP, data repositories, software, and premises – and don’t forget about shared logins that may be used team-wide. Also establish any remote access measures used by the individual, including remote connections, VPN connections, cloud access, etc.

When and how you revoke access to these resources will differ depending on the nature of their departure, but it will all need to be revoked or disabled before they leave. Shared passwords will need to be changed and the new credentials shared with remaining staff.

Carefully Think About Email

Email is a real workhorse of modern professional life. Just think of all of the sensitive information that sits in your inbox or sent box on any given day! So have a plan for what happens to the person’s email upon their departure. Depending on the person’s role and seniority, it may make sense for incoming emails to be met with an auto-response, or it may be more appropriate for their emails to be auto-forwarded to a colleague in a similar role.


At Departure

Revoke Their Access and Accounts

Revoke their access to all of the accounts, tools, and tech established above.

Ensure That All Hardware and Information is Handed Over

This is probably one of the more important points on this list. If the outgoing party has any company devices or documents in their possession, those will need to be handed over before you part ways. They will also need to pass on any important knowledge or documents to their managers and/or peers. Also make sure that any files or data stored on personal devices is returned to the company and securely deleted from non-company devices. Any returned devices will need to be logged in your IT asset records.

Similarly, establish whether there is any shadow IT on your network that is owned and operated by the leaver; this can be as simple as a free SaaS tool that they used, or it can be as potentially dangerous as a WiFi booster to provide someone with better WiFi coverage. Ensure that any such hardware is cleared of any company data or access credentials before returning it to its owner. Take control of any leaver-operated software tools or online repositories that contain company data.

Notify Your IT Providers

Make contact with any external IT service providers and inform them of the person’s imminent departure. This is especially crucial if you suspect that the individual might try to refresh any revoked passwords over the phone and gain unwarranted access.

Do Some Final Checks Before You Part Ways

Before the person leaves, ensure that everything in their IT “file” set up above has been returned, closed down, shut off, and access credentials changed.


Post-Departure

  • If not done already, contact both internal and external individuals who worked with the departing individual and inform them of the departure. This communique can include instructions on who they will be dealing with in future or how any of their interactions with the company will change as a result.
  • Ensure that the person’s account is fully removed from any pay-per-user software licenses so you aren’t paying for any user accounts that aren’t being used.
  • Communicate with the person’s team to hand over any additional IT access or responsibilities that fall to them in the individual’s absence.

Need help putting more secure, well-documented IT practices in place? Or maybe you’d like help tailoring these lists to your organisation’s specific requirements? Speak to our IT consultants!