How To Reduce Third-Party Risk - Part 4 of 4

June 16, 2020

Part 4: How to Reduce Non-Employee Access Risk: Standardize Offboarding and Termination

Non-employees, such as contractors, are often transient. As such, they are a greater potential source of data leaks. According to a survey by Osterman Research, 89% of those leaving an organization continue to have access to proprietary corporate data after they are no longer employed.This adds considerable risk and can take a company outside of compliance with data protection laws, including the EU’s General Data Protection Regulation(GDPR), for example.

Offboarding employees continues to present one of the greatest risks, and access management is at the foundation of the problem. Just over one-in-four (26%) respondents to a survey said it can take more than a week to fully deprovision an employee, leaving a gap in security processes.

Tips to successful offboarding

Have a standard and efficient offboarding process

Offboarding must be structured to reduce risk. A centralized repository, explicitly built for non-employee management, standardizes the process to offboard. When non-employees leave, they often do so in an informal manner. Access can be easily forgotten in the move to another client/company, many of whom may be direct competitors.

Put in place formal procedures that are controllable from a single “exit door.” When termination occurs, have the off-switch ready. This ‘switch’ allows you to execute access protection actions across IT systems, including hyper-distributed cloud apps, protecting your data across its lifecycle.

Think beyond traditional termination

Terminated contracts and engagements are not the only reason to kick off an offboarding process. To maintain trustworthy access data, ensure the process includes access management for major changes in users such as transitions to new teams, new locations, and more. In these cases, though the non-employee may not go through the entire offboarding process, access to certain systems may no longer be required for new roles and should be offboarded as such.

Remember that offboarding is not only about people

Without a formalized offboarding procedure, non-employees can and do fall through the gap, opening up security holes in your access control measures. The same is true for system management accounts and IoT devices. When these devices are decommissioned, centrally processing the offboarding of these accounts and devices can also help preserve trust in your data.

A standard offboarding process is necessary to control data access and cyber risk to organizations.

Download this blogBack to blog

View Linkedin