Secure device offboarding begins with secure onboarding
The Great Resignation shows no signs of slowing, with 20% of workers worldwide planning to quit their jobs this year. This is alarming not only from a hiring and culture perspective but also from a security perspective. Outgoing employees present a significant data exposure risk, intensified by the new remote/hybrid-first landscape.
It is no surprise, therefore, that 98% of business leaders have cybersecurity concerns about high employee turnover - in particular, Insider Risk. Insider Risk describes any data exposure event (whether intentional or unintentional) that originates from within the company, including departing employees.
Business leaders’ main concerns surround personal device use and visibility. Over half (55%) of employees admit to using personal devices for work at least some of the time. Hence 71% of business leaders are concerned about outgoing employees retaining sensitive data on their personal devices and/or in cloud storage.
The same proportion (71%) of business leaders also say they lack visibility over the data outgoing employees take to other companies, which can be particularly worrying if employees are transferring to competitors.
Tips for securely offboarding remote employee devices
Not every organisation can afford an in-house security operations team, but every organisation should implement basic data protection measures to minimise security risks during employee offboarding.
It’s important to note that a secure device offboarding process doesn't begin at the time of offboarding. Measures taken before a device is even deployed to a remote hire can help to mitigate security risks later down the line.
Here are three simple steps you can take to ensure a secure device offboarding process for remote employees.
#1 Supply every worker with a company device (avoid BYOD models)
The easiest way to mitigate personal device use is simply to supply workers with devices.
Bring Your Own Device (BYOD) policies give the illusion of saving businesses money on device procurement. But the average data breach is estimated to cost US$4.35m. As over half of IT professionals believe that personal device use increases the likelihood of a security breach, this cost saving could be financially detrimental in the long run.
Deploying devices to remote workers has never been easier, thanks to the rise in home office management solutions since the start of the pandemic.
#2 Pre-configure devices before deploying
If employees set up their work devices themselves, they may use their personal Google or Apple ID to log in to applications. This exposes your organisation to data theft.
Unless you have security measures in place to prevent this, personal logins will synchronise data to the cloud for all devices linked to that employee’s account. So your employee could download sensitive data onto their personal device using their personal login, and retain that data after departing your organisation.
If you set up (pre-configure) devices before deployment, you can not only create user accounts for your employee to prevent personal login use, but also install security policies onto the device to minimise other security breach risks.
#3 Choose a device management provider that enables restriction of USB use, software installation and more
Mobile Device Management (MDM) or Unified Endpoint Management (UEM) systems allow you to remotely monitor, secure and manage your devices. Ensure your provider offers the following capabilities to limit security risks during offboarding:
Restriction of USB use
Organisations can easily audit emails and other online tools. But USBs and other portable storage devices are essentially blindspots for IT and security teams, especially when employee devices leave company offices.
Unless their use is restricted, employees can quickly and easily store sensitive data - including emails, contact lists, databases etc. - on these devices, and retain this information long after they leave.
Ensure your MDM facilitates restriction of USB device use - including flash drives, USB cameras, and thumb drives - across all corporate devices.
Prevent unauthorised app use
Shadow IT - when employees use IT systems, devices, applications etc. without IT department knowledge or approval - has crept onto IT security teams’ radars with the rise in remote working.
Many organisations create lists of permitted applications without putting measures in place to prevent unauthorised application use. However, allowing employees to download whatever applications they please increases the risk of data leakage (e.g. employees transferring sensitive business data via WhatsApp), malware infecting your devices, etc.
Minimise these risks by restricting downloading capabilities via your MDM.
Ability to remotely lock or wipe device data
If your employees ever use their devices outside of your offices, it’s essential that you can remotely wipe data from and/or lock them. The reasons for this go beyond offboarding. A laptop is stolen every 53 seconds, and a lost work laptop is estimated to cost a business over $49,000.
Offboarding remote employees is not as simple as asking them to clear their desks and leave their work devices behind. An employee retains possession of their work device until you can collect it, which could take weeks if they’re located in a hard-to-reach region, or communication is slow.
If you have the ability to remotely wipe your devices, you can wipe company data as soon as your employee’s contract is terminated.
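The controls from the steps above can be checked together as an audit over a device inventory export. This is an added example, not from the original article or any MDM product: the field names, the corp.example domain and the one-hour wipe window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample export; field names are hypothetical and do not follow
# any MDM vendor's schema.
CORP_DOMAIN = "corp.example"          # assumed corporate identity domain
MAX_WIPE_DELAY = timedelta(hours=1)   # assumed reading of "as soon as"

DEVICES = [
    {"serial": "LAP-001", "accounts": ["alice@corp.example"],
     "usb_storage_blocked": True, "app_install_restricted": True,
     "terminated_at": None, "locked_or_wiped_at": None},
    {"serial": "LAP-002",
     "accounts": ["bob@corp.example", "bob.personal@mail.example"],
     "usb_storage_blocked": False, "app_install_restricted": True,
     "terminated_at": "2024-03-01T17:00:00", "locked_or_wiped_at": None},
    {"serial": "LAP-003", "accounts": ["carol@corp.example"],
     "usb_storage_blocked": True, "app_install_restricted": True,
     "terminated_at": "2024-03-01T17:00:00",
     "locked_or_wiped_at": "2024-03-04T09:30:00"},
]

def audit_device(dev, now):
    """Return the offboarding-relevant gaps found on one device record."""
    findings = []
    personal = [a for a in dev["accounts"]
                if not a.lower().endswith("@" + CORP_DOMAIN)]
    if personal:                       # step #2: personal login in use
        findings.append("personal-account-signed-in")
    if not dev["usb_storage_blocked"]:  # step #3: USB restriction
        findings.append("usb-storage-allowed")
    if not dev["app_install_restricted"]:  # step #3: unauthorised apps
        findings.append("app-install-unrestricted")
    if dev["terminated_at"]:           # step #3: remote lock/wipe timing
        ended = datetime.fromisoformat(dev["terminated_at"])
        acted = dev["locked_or_wiped_at"]
        if acted is None:
            if now - ended > MAX_WIPE_DELAY:
                findings.append("not-wiped-after-termination")
        elif datetime.fromisoformat(acted) - ended > MAX_WIPE_DELAY:
            findings.append("wipe-delayed")
    return findings

def audit_fleet(devices, now):
    """Map serial number to findings, omitting devices with no gaps."""
    return {d["serial"]: f for d in devices if (f := audit_device(d, now))}

if __name__ == "__main__":
    for serial, findings in audit_fleet(DEVICES, datetime(2024, 3, 5)).items():
        print(serial, ", ".join(findings))
```

A delayed wipe is reported separately from a missing one because the window between termination and wipe is when retained data is still reachable on the device.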
About the author: Sami Bouremoum is the CEO of Hofy. Prior to founding Hofy, Sami led growth management and territory expansion at Samsara (a16z unicorn), working on the logistics and operational issues associated with scaling teams across geographies. Sami also worked at Bain in management consulting and has a PhD from University College London in Computer Science.