Your employees need access to your various business accounts so they can do their job, but what happens to those passwords when you fire them? Nobody likes to think of firing their employees, or why you’d need to, but nonetheless it’s a responsibility every business owner must face at some point. While your accounts team will no doubt be on top of stopping their paychecks, it’s important to take the same proactive stance to strip their system access.
Most of the time, the former employee leaves on good terms and you’ll wish them well. If you’re lucky, they’ll even manage the handover to their replacement so your productivity losses are minimal. Other employees may leave your business reluctantly or in a storm of anger and suspicion. While you’ll have very different feelings about the two scenarios, the risk to your business remains high until action is taken. Here are 3 steps you can take to protect your business from retaliation and other password-related disasters.
Set your business up for success
There are many different ways to set up your business in terms of technology, but there is also a right way. Certain considerations need to be made when choosing how your employees interact with your data and systems. Access to important information should NOT depend on one person, or on something only that person knows. For instance, are they using company-provided computers or their own? They may not let you get your data off a personal computer if they leave on bad terms. Or, are they allowed to put e-mail on their phone, and if so, how can it be removed if you cannot get access to the device? Also, something as simple as accessing a vendor account (e.g., Staples, Amazon, Mediacom, or CenturyLink) after they have left can be very difficult if your employee was using a personal e-mail address. Have a plan and policies in place to prevent these sorts of problems, and the departure of an employee will be MUCH easier and less damaging to the company.
Have a plan ready
I know from experience that a termination can happen at the worst times. Then you are scrambling to remember what needs to be done and in what order, all while trying to handle the daily business of that employee plus your own. You need to have a termination plan figured out and ready. How do you change passwords? What services do you need to stop first? Do they have a personal device that you need to remove company e-mail from? All of this needs to be written out in a document that you can use to handle the situation quickly and efficiently, without missing a step in the heat of the moment.
Limit access to a need-to-know basis
You might be surprised how often a new employee is presented with the entire business on a platter when their actual job requires little more than a computer login. Accounts, strategy, customer details, industry secrets…all those sensitive aspects of your business that have made it a success – exposed. A better policy is to limit access to only what the employee needs to do their job. Rather than view it as a lack of trust, your employees will appreciate the care you’ve taken to protect your business (and their job). It also helps keep them from being overwhelmed, confused or tempted if the situation ever turns sour. Likewise, take a few moments to delete old or temporary accounts that are no longer required, as you never know when a hacker or disgruntled employee will squeeze through the gaps.
Change passwords fast
On average, it takes at least a week before passwords are changed after an employee is fired, if they are changed at all. Unfortunately, this is the one type of delay your business can’t afford. In 2017, an ex-employee from the American College of Education held their entire email system to ransom for $200,000 after an unhappy exit. Stories of others stealing client databases are also common, especially as they leave to start their own business or work for a competitor. It’s not just full-time employees either: contract and part-time employees such as social media managers and customer support email specialists often have access to more of your business than you might imagine. Recent rulings make it easier for business owners to prosecute former employees who access their systems; however, as we know, it only takes seconds to log in and wreak absolute havoc. Knowing you can force those bad eggs into a lengthy court case is poor comfort considering the extent of damage you’ll likely endure. The best option is to change passwords fast – even before your employee knows they’re fired. This lessens the chance of revenge attacks and opportunistic access. Also, make sure that accounts are set up with recovery addresses that you control. I have seen very important vendor accounts locked after the employee left, even though the password was changed, because the employee had their personal e-mail address as the password recovery address.
Use a password manager
If you have a good password manager like LastPass, reducing your risk becomes mostly automated. You’ll be able to keep your logins in a central vault that only you can see, and share them based on business roles/need. There’s even an option to share passwords without letting employees see them in plain text. Instead of writing passwords down somewhere and manually entering them each time, they’ll be able to connect securely with a click. Plus, you can revoke the share at any time. If their role changes or they’re fired, you can use the dashboard to see who has access to what and add/revoke at will. If you’re not sure what that employee has been up to, you can also generate reports of their history.