Home » Access Management » IT Checklist for Employee Offboarding [Remastered]
it checklist for offboarding employees
Categories

IT Checklist for Employee Offboarding [Remastered]

There’s a lot of talk about onboarding and how to ensure that new employees settle well in the organization. Not frequently is onboarding viewed as part of a holistic employee lifecycle that culminates in offboarding upon resignation or termination of appointment. In fact, about 71% of companies don’t have a formal offboarding process in place.

Effective offboarding goes beyond simply retrieving company property and deactivating accounts. In fact, according to a study, 76% of IT leaders consider offboarding a significant security threat. When improperly handled, as it often is, offboarding can lead to significant losses for the organization.

The average employee turnover rate in the US between 2022 and 2023 was 17.3%. More so, the Bureau of Labor Statistics says that the turnover rate is increasing and the average work duration is roughly about 4 years.

One can imagine how much damage is being done when organizations fail to properly offboard departing employees. This article is a comprehensive dive that explains everything you need to know about creating a useful offboarding checklist.

In this article…

Offboarding Checklist Considerations

Effective offboarding is a thorough process that encompasses a wide range of considerations aimed at safeguarding the organization’s interests and supporting departing employees in their transition. In this section, we discuss the key components of a typical offboarding checklist; although, your actual checklist may differ based on your peculiar needs and resources.

  1. HR Duties

Managing the human elements of offboarding with care and precision ensures both positive employee relations and mitigates security risks. Coordinating with the employee’s manager and IT department to determine the final date of employment and plan the offboarding timeline.

  • First of all, HR personnel should collaborate with the department of the exiting employee to gather essential information such as the last working day, reasons for leaving, level of access, and so on.
  • Clarify and provide information on final paychecks and benefits applicable, including ensuring the payout of any accrued bonuses
  • Retrieve company property including security badges, keys, computers, mobile devices, and other assets from the departing employee. 
  • Ensure that all the necessary paperwork related to offboarding, including confidentiality agreements and any other necessary documents, are duly completed.
  • Communicate the offboarding process and relevant updates to key stakeholders
  • HR may offer support resources or outplacement services to the departing employee, depending on the company policy and individual circumstances
  1. Authentication/SSO

As an employee leaves the organization, it’s crucial to promptly revoke their access to all systems and applications to prevent unauthorized entry and safeguard sensitive data.

Offboard employees easily with SCIM 2.0
  • Identify all the systems and applications to which the departing employee had access. Then IT administrators can proceed with revoking access to each system and application systematically.
  • Automation can streamline the process by automatically disabling user accounts and revoking access privileges based on predefined triggers, such as an employee’s termination date or HR notification. Uniqkey leverages SCIM 2.0 for seamless Azure AD integration with the benefit of simplifying user provisioning and automating role assignment 
  • IT teams should review and update any SSO configurations to reflect the changes in user access rights accurately, including network access, internal applications, cloud platforms, and any third-party integrations.
  1. Remote Access

Working remotely comes with a lot of handy tools, like VPNs, remote desktops, and cloud apps. But when someone leaves the team, you need to carefully lock down their access to these. Especially around their last day, watch out for any unusual file transfers.

That means reviewing the different technologies they use to connect from outside the office, whether it’s virtual private networks (VPNs), remote desktop apps, or cloud tools like email and file sharing programs.

Going through methodically will help make the transition secure for both the employee and the company.

  1. Passwords and Shared Accounts
  • Configure systems to automatically reset the departing employee’s passwords upon account deactivation, preventing unauthorized access attempts.
  • Use a centralized password management platform such as Uniqkey to automatically de-provision accounts belonging to departing employees. 
  • For shared accounts the employee might have accessed, consider immediate password resets and access permission reviews for remaining users.
  •  If MFA or 2FA was enabled, revoke access to all associated tokens or authenticator apps to prevent unauthorized logins.
  • Temporarily increase monitoring of shared accounts and systems accessed by the departing employee during the initial offboarding period, looking for anomalous activity.
Uniqkey Password Vault Mobile App
  1. License Revocation/Reassignment
  • When an employee is leaving, look at what software they had access to or licenses assigned to them. Go through those applications and subscriptions and figure out what needs to be cancelled, downgraded, or transferred to someone else on the team.
  • Especially take note of cloud-based or per-user licenses to stop any recurring fees promptly when the employee is out the door. The last thing you want is to keep paying for something no one is using anymore. 
  • Make sure to communicate with the software vendors too – let them know if a license is ending or moving over to another employee. That avoids any billing issues down the road and keeps you compliant with the agreements already in place.
  • Most importantly, follow the specific legal terms laid out in each software contract as you make these changes.
  1. Email Address Security

Employee emails are a vulnerable spot because they contain a lot of critical information that must be protected once an employee leaves.

  • As a first step, set up an auto-forward to route any new messages to another teammate or shared mailbox so nothing slips through the cracks.
  • Stick to your retention policies by archiving any legal, contractual, or business-critical emails before deactivating the ex-employee’s account.
  • It’s good business to let key internal and external contacts know that the employee has departed. This avoids confusion and prevents potential phishing attempts using their name.
  • Keep an eye out for improper use of the former employee’s email too. Quickly sniff out any phishing or fraud tries using their address.
  • When reviewing email contents, make sure you follow proper data privacy protocols if they have personal information about the employee.
  • In addition, have a transition plan for ongoing client or partner communications that may have flowed through the departed employee’s inbox. You don’t want to lose their institutional knowledge.
  1. Asset Recovery
  • As an employee is leaving, you need to account for all the technology resources they had through their work – laptops, computers, phones, software access, and any other IT equipment provided.
  • Early in the offboarding process, communicate the expectations to return these items. Be clear on deadlines to turn things in, where to send them, and what condition is acceptable. Setting guidelines upfront avoids misunderstandings.
  • For any devices not physically collected, securely wipe data remotely. This ensures you erase sensitive information per regulations even if the equipment is not turned in.
  • As items are returned, document everything so your asset inventory stays current. This closes the loop by reconciling what has been handed back versus what may still need retrieval.
  1. Storage and Backups

To achieve this successfully, it’s critical to clearly differentiate between personal and company data, respecting individual privacy rights while prioritizing organizational data security.

  • Start by double-checking that any work files or data they owned is captured in recent backups. That way you can access or restore anything critical after they depart.
  • It’s also good practice to schedule some extra system backups near their end date. Especially for networks or apps they had admin privileges on. Having those additional snapshots makes recovering quicker if something goes wrong during the transition.
  • Refer to your data retention policies to see how long you legally/contractually need to keep the ex-employee’s information. This helps you store their data properly based on business needs while also meeting compliance requirements.
  • For any archived data from the departed employee, use secure storage solutions with access controls to prevent unauthorized access. This helps guard against potential data breaches.
  • Maintain detailed records of data deletion activities, including timestamps and specific data sets removed, for audit purposes.
  1. Exit Interview

During the exit interview, focus on gathering unbiased feedback and avoid defensive reactions to criticisms. In addition, by asking open-ended questions and engaging in active listening, you will capture valuable and sometimes unexpected feedback. Afterward, communicate relevant feedback with leadership and offer further resources or support services for the employee’s transition to their new role. 

Reasons for an Offboarding Checklist

This section delves into why an offboarding checklist is necessary in the first place. So many organizations only focus on the initial stages of an employee’s journey (recruitment and onboarding) and they ignore offboarding. Why should you care? Read on.

  1. Facilitating a Smooth Transition

A structured offboarding process minimizes disruptions to ongoing projects and workflow, maintaining business continuity. A well-drawn checklist will outline specific steps for the employee, the company, and any third party involved, ensuring that everyone understands their roles and that there is less room for confusion or delays. 

  1. Legal and Regulatory Compliance

Several laws and regulations could be applicable when an employee is departing the company, covering various areas such as final pay, benefits termination, personal information, COBRA notification, non-disclosure agreements, non-compete contracts, and so on. 

And all these involve some form of documentation or the other; it only makes sense that there is an established protocol to keep track of everything that is required on the legal front to avoid incurring unnecessary liabilities.

  1. Data Security

Another critical factor is avoiding heavy losses through data breaches. Offboarding situations can be such vulnerable moments for the company due to all the handover activities. Being able to manage employees easily from a central platform and delegate access on a need-to-have basis increases oversight and control. 

A disgruntled outgoing employee, for instance, may exfiltrate data or try to compromise the company in some other way. That’s why robust data security measures must be implemented during the offboarding process to limit risks and vulnerabilities. 

  1. Positive Employee Experience

As an organization, you want to stay true to the reputation of being an excellent employer. One of the best ways to show how much you care for employees is when they are leaving. 

Such moments are already difficult for the departing employees as well as their immediate colleagues, the least you can do is to make it a positive experience by expressing gratitude for their time at the company, transparently communicating the steps for onboarding, and overall treating them with respect.

  1. Seamless Knowledge Transfer

When employees depart the company, especially those who stuck around for a long time or have made significant contributions, you want to ensure that their knowledge, expertise, and domain insights are retained within the organization and disseminated to other team members. 

By documenting the onboarding process, you can extract a lot of insights from how the outgoing member did their job, thereby preventing critical information loss. 

  1. Maintaining Relationships

There’s a reason major tech companies, as well as young startups, maintain an alumni network of past employees. An employee leaving doesn’t have to be acrimonious. Maintaining friendly relations with a departing employee can foster future collaborations, bring referrals, create mentorship opportunities, and help maintain a verified talent pool for future hiring needs. Without an excellent offboarding process, this can’t be achieved. 

How to Create an Offboarding Plan

An offboarding plan must be an integral part of the company’s human resources processes, not an afterthought or a nice-to-have. Therefore, creating an offboarding plan is one of the core responsibilities of the HR department and it must be carried out in a thorough manner. Here are some steps involved in the process: 

  1. Identify Stakeholders

It’s important to determine those who will be necessarily involved in the offboarding process as stakeholders. 

Key stakeholders typically include human resources, without a doubt, as well as the IT department, the departing employee’s managers, their colleagues, the legal department, the departing employee’s team members, and the departing employee themselves. More elaboration on necessary stakeholders is discussed in the following section.

  1. Clarify Goals and Objectives

There must be clear objectives to determine what exactly the checklist aims to achieve; that then informs how the alignment will be achieved. 

For instance, your primary goal might be to enhance data security when employees are leaving. Then, your checklist will be more IT-focused. If you are more concerned about contractual agreements, you will be dealing with legal more. And so on, and so forth. 

  1. Assess Past Processes

Whether you have an offboarding plan in place already or not, you need to critically evaluate how past employee departures were handled. This enables you to discover what aspects to improve upon and what gaps to address when creating a new plan. 

  1. Establish Monitoring and Evaluation Process

When you create your offboarding plan, you must be able to monitor and evaluate key metrics such as checklist completion rates and times, satisfaction scores, rehire eligibility rates, and so on. Analyzing the data later will help you identify patterns and recurring issues that need addressing. 

  1. Design the Checklist

Once all the previous steps are in place, then it is time to create the checklist itself, which should be a comprehensive document outlining all the necessary steps and tasks involved in the offboarding process and explaining the basis for each. 

You might have to make several drafts, reiterating based on feedback and ensuring that resources can be adequately allocated for the offboarding plan. Tasks should be grouped logically and clear and concise instructions should be used. 

  1. Refine the Template Over Time

Don’t expect your onboarding checklist to be a static document. Expect and ensure that it will be refined based on data gathered from the results of your monitoring processes. 

By incorporating feedback and data gathered through your monitoring and evaluation process, you can continuously refine it. Also, try and integrate learnings from industry trends and external resources.

Key Actors in the Offboarding Process

Now, it’s time to discuss the major characters involved in offboarding. Identifying these people in your plans helps you to adequately allocate responsibilities and resources to ensure a successful offboarding process.

  1. The Departing Employee

It needs to be clear that the departing employee plays no passive role in the offboarding process. 

They remain an employee until their last day and must thus be encouraged to ensure a smooth transition by completing assigned tasks, documenting knowledge, returning company property in their possession, handing over projects to colleagues, and carrying out other requirements as may be communicated with them. 

  1. The Employee’s Manager

The manager or supervisor is tasked with working with HR and other teams to create a handover plan, identify knowledge gaps, and assign tasks. They are a critical point of contact for questions from all teams and parties involved in the offboarding process and thus play a very key role. 

  1. Human Resources

The entire offboarding process is coordinated by the HR department, particularly the administrative aspects. Some of the key responsibilities include completion of exit paperwork, handling benefit terminations, updating personnel records, and communicating offboarding procedures to relevant departments. 

HR also conducts exit interviews and provides feedback to the management on areas for improvement in company strategy. 

  1. IT Department

The IT department is mainly responsible for safeguarding company data and assets during the offboarding process. Thus, they must be carried along fully to ensure that no costly gaps remain open after the employee leaves. 

They also provide technical support to every other stakeholder involved in the offboarding process to ensure that goals are achieved smoothly. 

  1. Finance Department

Of course, the finance department processes the employee’s final payroll as well as any outstanding reimbursements or expenses. They also activate the cancellation of benefits and update financial records accordingly. 

Finance also has to collaborate with other departments, for instance, IT on the revocation of software licenses and Legal on tax regulations. 

  1. Legal Department

It is no surprise that employee exits often come with legal risks, most of which can be mitigated simply with a solid offboarding plan. 

The legal team will review all contractual obligations entered into by both parties (the company and the departing employee) to ensure compliance. They also provide guidance to HR and management on legal requirements regarding labor laws, severance, and the like. 

  1. Facilities Management

The facilities management team handles all the logistical aspects of departure such as office moves, furniture changes, access badging, and the like. The team is also responsible for retrieving all physical assets from the departing employee. 

However, in the age of remote and hybrid work, a facilities management team might not even be needed at all. 

  1. Co-workers and Team Members

Colleagues, especially the team members of the departing employee must also be duly carried along in the offboarding process. 

They may also contribute valuable feedback during exit interviews, offering insights into team dynamics, workflow processes, and areas for improvement within the organization. Any farewell events or gestures must also be coordinated appropriately.

How to Make Offboarding Secure

The most important aspect of an offboarding process is ensuring security. And this is where the role of IT is critical. An offboarding process that is not adequately secured is as good as having no offboarding process at all. In this section, we look at various aspects of offboarding security to guarantee success. 

  1. Check Privileged Access

To prevent data breaches from compromised offboarding, you must adopt the principle of least privilege, which says an individual should have no more access than is required to fulfill their duties. You don’t have to wait until the final day to revoke all access. 

You can progressively do so as they hand over their responsibilities in the final days. So, on the last day, all they’ll be left with is very basic access that can then be revoked at once. Uniqkey provides a seamless implementation of access control as well as informative dashboard reports so admins can easily manage access and login privileges. 

  1. Mitigating Insider Threats

Improperly handling the offboarding of employees creates a leeway for insider threats. In the final days of the employee’s time at the company, it’s critical to be extra vigilant and intensify monitoring (without privacy-breaching surveillance) to guard against data exfiltration attempts. 

And even after an employee leaves, they may still pose a risk due to residual access or malicious intent. Strict offboarding principles implemented will enable the company to secure its data. 

Insider threats can harm companies across all industries, as demonstrated by three well-known cases, highlighting the importance of prevention and detection.

  • Tesla: Two ex-employees leaked over 75,000 Tesla workers‘ personal and sensitive data, including customer bank details and company secrets, to the press, causing irreversible damage to the company’s security reputation. The data breach caused by former employees led to irreversible damage to the brand’s security reputation, despite legal actions.
  • Yahoo: In May 2022, Yahoo research scientist Qian Sang took confidential data on Yahoo’s AdLearn and about 570,000 pages of IP right after getting a job offer from rival The Trade Desk. Yahoo, discovering the theft weeks later, including a competitive analysis of The Trade Desk, sent Sang a cease-and-desist letter.
  • Yahoo has charged Sang with stealing IP data, claiming this theft gave competitors a significant advantage.
  • Twitter: In July 2020, hackers used a phone scam to breach Twitter, targeting employees and hijacking 130 high-profile accounts for a Bitcoin scam. Though the financial damage was minimal and victims were reimbursed, it underscored Twitter’s significant influence and major security weaknesses.
  1. Compliance with Regulations

Not implementing adequate security during the offboarding process can get you in trouble with the law, especially when customers’ personal data is involved. Thus, HR, Legal, and IT departments must work together to ensure that the company handles its responsibilities properly throughout the offboarding process. 

A critical aspect of this is ensuring proper documentation of all offboarding procedures, including access revocation logs, data deletion records, and exit interview summaries. This documentation serves as evidence of compliance in case of future audits or investigations.

  1. Protect Intellectual Property

According to a report by DTEX, at least 12% of employees take sensitive IP with them when leaving an organization. This includes customer data, employee data, health records, sales records, etc. 

This is why you need to identify any critical IP a departing employee has knowledge of and enforce necessary agreements to ensure that an employee’s departure doesn’t expose your company unduly.  Even after the employee has left, you may still send soft, infrequent reminders about their non-disclosure obligations. All these are important steps to enforce necessary security. 

  1. Automate Where Possible

Depending on the size of your organization and the nature of the business you conduct, an offboarding checklist might contain an overwhelming number of steps, if you must be thorough (and you should). 

Automating parts of the process such as access revocation, data deletion, and device collection increases speed and consistency. Uniqkey’s features revolve around automating password and access management to simplify compliance and combat inadvertent shadow IT from inadequate onboarding security. Less manual hurdles enhance productivity.

  1. Data Loss Prevention

Prior to departure, implement controls around data movement. This goes beyond simply revoking access. But you must also conduct a forensic analysis of the terminated employee’s devices for any unauthorized exports of data. Ensure they do not retain access to company data in personal cloud/email accounts. And set up rules blocking emails to competitors or restricted entities. 

Because ensuring data integrity throughout the offboarding process is key, implementing DLP solutions across your network and endpoints can help monitor and restrict unauthorized data transfers. This includes blocking sensitive data types from being sent via email, USB drives, cloud storage, or personal devices.

  1. Strong IT Onboarding

A successful offboarding process begins with a strong onboarding process. From the outset of employment, clear policies and procedures should be established regarding data handling, access management, and security protocols. 

Providing comprehensive training to employees on cybersecurity best practices can instil a culture of security awareness and responsibility, which carries through to the offboarding phase. Never wait until employees are leaving to adopt all these controls; they should be integral to your work right from the beginning. 

In this day and age where cyberattacks are rife and cybercriminals are well-equipped to latch on to even the tiniest loopholes, knowing how to securely handle employee offboarding is like gaining a superpower. Implementing strong controls to ensure that both the organization and employees are protected throughout the process is non-negotiable.

Balancing IT Security and Employee Relations

When an employee leaves a company, it’s crucial to manage the transition in a way that protects the organization’s IT security without damaging the relationship with the departing staff member. Here’s how businesses can strike this delicate balance through effective offboarding strategies.

  • Educating Departing Employees: While HR departments typically spearhead the offboarding process, IT teams play a critical role in ensuring a secure transition; one key aspect is educating departing employees on the importance of handing over digital assets securely. This involves briefing them on the process for transferring files, revoking access to company system and returning any company-owned hardware.
  • By involving IT in the offboarding process, companies can help departing employees understand their role in safeguarding company data; this approach encourages cooperation and emphasizes that the process is a standard procedure aimed at protecting the company’s digital assets, rather than a lack of trust in the individual.
  • The Human Element: The final phase of offboarding should focus on preserving a positive relationship with the departing employee; this is where the human element comes into play. Offboarding is not just a procedural necessity; it’s an opportunity to part ways on good terms. By treating departing employees with respect and dignity, companies can maintain a positive employer/employee relationship even after the separation.
  • This respectful approach reinforces the idea that IT security measures are about protection, not suspicion. It acknowledges the contributions of the departing employee while ensuring that the company’s digital assets remain secure. In doing so, businesses can foster a culture of security awareness among all employees, highlighting the shared responsibility for protecting sensitive information.

Frequently Asked Questions

How long before an employee’s departure should we start offboarding?

Start the offboarding process as soon as the employee’s departure is confirmed, ideally at least two weeks in advance. This allows ample time for a thorough handover of duties and securing company assets.

What are the differences in securing offboarding for remote vs. on-site employees?

For remote employees, focus on securing digital access and retrieving company-owned hardware via mail or courier. For on-site employees, the process also includes physical aspects, like returning office keys and ID badges. Both require revoking access to digital assets, but remote offboarding may need additional steps to ensure digital security.

Are there legal regulations we must comply with during offboarding? (EU-specific)

Yes, in the EU, you must comply with regulations like the General Data Protection Regulation (GDPR) during offboarding. This includes ensuring the privacy and protection of the departing employee’s personal data, properly handling data deletion or transfer, and adhering to any legal requirements regarding employee data and rights.

Uniqkey
Written by

Uniqkey

Uniqkey is the perfect password management solution for teams and businesses. Built with high usability in mind, Uniqkey makes it easy for employees to adopt secure password habits, raising company-wide security in a simple and effective way.