Before an Employee Leaves, Get Passwords Under Control

Amber Steel, May 01, 2017

Letting someone go can be complicated. Even when the departure is amicable, the event can have a significant impact on the productivity of other workers and processes at the organization. And if it's not amicable, your business may have to deal with a quickly escalating situation. While you can't always predict what will happen or prepare for every possible outcome, you can put best practices in place long before you're in the position of letting someone go. Putting the right framework in place significantly reduces the damage someone could do – and may keep someone from even trying. Part of that preparation means implementing the right approach to passwords and employee access.

What happens when you don't have a password process:

These stories pop up in the news regularly, but one recent example is the case of The American College of Education and their disgruntled ex-IT admin. After a disagreement about relocating, the IT employee was fired. Although there's a dispute about what actually transpired, by the time the IT employee handed back his company laptop, the college no longer had access to the email system and other data for their entire student base.

As the Huffington Post reported, "The problem, however, was the password to an online Google account that stored email and course material for the college’s 2,000 students. Williams changed it — and didn’t tell anyone. He said the password was auto-saved on his company laptop that he returned, but the college said he erased the hard drive. Google wouldn’t comply with the college’s request to access the account because Williams was individually named as the sole administrator and not the company. Everyone was at an impasse."

This may be an extreme case, but the college made several key mistakes that led to this situation:
  1. They allowed an admin to manage a key service under the name of an individual, instead of the organization's.
  2. They did not have centralized ownership and control over passwords.
  3. They did not immediately reset the password after the employee left.

The password framework you need – before someone leaves.

Businesses need to protect their data from bad actors, outside and inside the organization. While you may need to put a high level of trust in an IT team in particular, putting the right systems and tools in place can still minimize the risks and discourage vindictive behavior. Even if you won't be firing an employee any time soon, here are some ways to protect your business against vindictive employees as well as external threats:
  • Set up a business password manager to be used by every employee within the organization.
  • Centralize all passwords and other critical documentation in the password management system.
  • Only share those passwords that an employee needs to do their job, and nothing more.
  • Ensure every shared login uses a strong, randomized password created with a password generator.
  • Revoke access to any shared or privileged accounts the moment an employee is fired.
  • Change the passwords for all privileged, shared, or critical accounts that the ex-employee had access to.
  • Do not leave disabled accounts hanging around in your systems; it's an invitation for abuse. Delete and purge.
  • Keep an eye on access and reporting logs to spot anything unusual.

If you have a good password management solution in place, these fail-safes are built in and automated to reduce the workload on an IT team while ensuring maximum security. It's not just good protection against ex-employees – it also ensures continuity if something happens to an employee. This foresight is especially critical for IT admins who have to manage core business systems and accounts.

Hopefully your business will never be in the position of dealing with a violent or vindictive ex-employee. If you do find yourself letting go of a disgruntled employee, taking the steps in advance to secure passwords and lock down access to corporate systems will go a long way towards protecting your company from their actions.