Never underestimate the havoc a disgruntled employee can wreak on your organization. We've said before that the greatest cybersecurity threat to your organization is your own employees. But what about the employee who intentionally steals company data or tries to ruin the business's reputation? The disgruntled employee threat is real enough that the FBI and the Department of Homeland Security issued a public service announcement about it: "There has been an increase in computer network exploitation and disruption by disgruntled and/or former employees. The FBI and DHS assess that disgruntled and former employees pose a significant cyber threat to US businesses due to their authorized access to sensitive information and the networks businesses rely on."
A disgruntled employee is far less of a threat if you have proper procedures in place for terminating an employee. IT and HR should work together on offboarding, especially if your company operates in an industry subject to data-retention laws such as the Sarbanes-Oxley Act, because "revoke access" must not become "destroy records." IT should be notified immediately when an employee is terminated, and when an employee resigns, IT should be told the departure date ahead of time so the revocation can be scheduled rather than improvised. All computer, network, and data access should be revoked promptly, and each revocation should be documented (who, what, when) for audit and legal purposes.
Whether it's the disgruntled employee or the loyal employee of 20 years who retires, your termination process should look something like this:
Physical access and physical assets: all equipment should be turned in to HR or the employee's supervisor immediately. That includes keys, badges, laptop, tablet, cellphone, security token, etc. Work from a checklist so no item goes unnoticed, and take it one step further: have the employee sign the checklist confirming all property has been returned. Once the equipment is handed in, the employee should not be able to enter any restricted area of the building; deactivate the badge rather than just collecting it, since badges can be cloned or "lost" beforehand. If a shared door code lets people into the building, change the PIN.
Disable internal accounts and revoke network access: accounts should be deactivated in Active Directory (if applicable). Disable rather than delete, so the mailbox, home directory, and group history survive for retention and investigation, and reset the password at the same time so cached credentials on any device you did not recover stop working. Remove the account from security groups that grant access (file shares, VPN, admin roles) and record which groups were removed. Make sure email is forwarded to another employee's address in the interim, and determine whether anyone needs access to the employee's network drive.
Phone access: change the voicemail password and have calls forwarded to another extension if necessary. Make sure any company email account configured on a smartphone is removed from the phone: wipe a company-owned device entirely, and for a personal device use your mobile device management tool to remove the work account and its data (a selective wipe) rather than relying on the employee to delete it.
Remote access: be sure VPN access is revoked. If the employee had access to any websites or software that can be reached offsite, change the password or deactivate the account. Social media accounts are a good example. If other employees share accounts with the person who has been terminated, let them know the password will need to be changed. This is where a password manager such as LastPass helps: employers can share passwords with employees as hidden entries, so the employee fills in logins without the password being displayed, and revoking the employee's LastPass access removes those shares in one step. Treat hiding as a convenience rather than a control, though: the password manager still delivers the plaintext to the browser to fill the login form, so a determined user can recover it. Shared credentials the departing employee could have captured should still be rotated.
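The account steps above (disable the directory account, reset its password, strip the group memberships that grant VPN and share access, forward mail, and leave an audit trail) are the part of the checklist IT can automate. The following PowerShell script is an added example written for this article, not a tool from the original page or from any vendor it mentions. It assumes the RSAT ActiveDirectory module, a "Disabled Users" OU whose distinguished name is a placeholder, a hypothetical HR ticket ID for the audit record, and an optional Exchange Management Shell session for the mail-forwarding step.

```powershell
<#
.SYNOPSIS
  Offboard an Active Directory user: disable, reset password, strip groups,
  stamp an audit note, optionally forward mail, and move to a disabled OU.
  Added example; the OU, log path, ticket ID and forwarding address are
  assumptions, not values from the original article.
#>
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$TicketId    = "HR-0000",                                 # assumed HR ticket reference
    [string]$ForwardTo   = "",                                        # manager's SMTP address, if mail should be forwarded
    [string]$DisabledOU  = "OU=Disabled Users,DC=example,DC=com",     # assumed OU for disabled accounts
    [string]$LogPath     = "C:\Offboarding\offboard.log"              # assumed audit log location
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-OffboardLog {
    param([string]$Message)
    $line = "{0} {1} ticket={2} user={3} {4}" -f (Get-Date -Format 'u'), $env:USERNAME, $TicketId, $SamAccountName, $Message
    New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

try {
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, DistinguishedName, Enabled
} catch {
    throw "Account '$SamAccountName' not found: $($_.Exception.Message)"
}

# 1. Disable, do not delete. Retention rules (e.g. SOX) may require the mailbox
#    and home directory to survive, and the object is needed for investigation.
if ($user.Enabled) {
    Disable-ADAccount -Identity $user
    Write-OffboardLog "account disabled"
} else {
    Write-OffboardLog "account was already disabled"
}

# 2. Reset the password to a random value so cached credentials on unrecovered
#    devices (VPN client, phone mail app, saved browser login) stop working.
#    Note: existing Kerberos tickets stay valid until they expire; disabling the
#    account above is what blocks new authentications immediately.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
Write-OffboardLog "password reset to random value"

# 3. Strip group memberships. This is what actually revokes VPN (RADIUS group),
#    file share and admin access; record each group so the audit trail shows
#    what the user could reach and so the change can be reversed if HR was wrong.
foreach ($groupDn in $user.MemberOf) {
    Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    Write-OffboardLog "removed from group $groupDn"
}

# 4. Stamp the object with who/when/why for auditors.
Set-ADUser -Identity $user -Description ("Offboarded {0} per {1} by {2}" -f (Get-Date -Format 'u'), $TicketId, $env:USERNAME)

# 5. Optional mail forwarding, only if an Exchange session is loaded (assumed).
if ($ForwardTo -and (Get-Command Set-Mailbox -ErrorAction SilentlyContinue)) {
    Set-Mailbox -Identity $SamAccountName -ForwardingAddress $ForwardTo -DeliverToMailboxAndForward $true
    Write-OffboardLog "mail forwarded to $ForwardTo"
}

# 6. Move to the disabled OU last, because the move changes the distinguished name.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
Write-OffboardLog "moved to $DisabledOU"
```

Run it from an account with rights on the user's OU, for example `.\Offboard-User.ps1 -SamAccountName jdoe -TicketId HR-1234 -ForwardTo manager@example.com`. Group removal is logged one line per group on purpose: when the disgruntled-employee case later turns into an investigation, the log answers "what could this person reach, and when was it cut off" without anyone reconstructing it from memory.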
Revoking a terminated employee's access should always be done promptly, but in the case of a disgruntled employee it should be done with urgency, ideally before or during the termination meeting rather than after it. Your organization's security and reputation depend on it.