FAL With average employee tenure shortening and turnover rates rising, your business is probably hiring and losing employees faster than ever. And if a former employee or contractor still has access to IT systems, accounts or emails after their employment ends, that can pose an existential threat to your organisation. Businesses don’t know who has access to their data – and it might cost them. A 2021 report by Beyond Identity shows that one in four professionals still have access to former employers’ accounts or information. Furthermore, the report also revealed that 41.7% of employees admitted to sharing workplace passwords. The risks of former employees having access to your data should be self-evident. But many businesses, particularly SMEs, are often blissfully ignorant of the risks posed by a laissez-faire approach to account security. As we’ve seen recently through high-profile cybersecurity breaches, businesses can’t afford a cyber attack. And part of best-practice cybersecurity principles is to ensure only authorised users can access your organisation’s accounts, confidential documents, and data. And while that might be common sense, many businesses aren’t doing it. A solution to the above is more complex than deleting your old employee data. As in doing so, you may also lose access to company accounts linked to them. For example, social media platforms such as Meta (Facebook and Instagram) and LinkedIn require a personal account to set up a business account. And for the sake of convenience, social media managers and staff use their accounts for this purpose. But what happens should that person leave your company and remove themselves from your page? If they were the only linked account, you might not be able to access your social media. Risks like the above are why your organisation needs a comprehensive policy around account access and security. And at the heart of any effective security policy should be the directive that no sensitive information leaves your organisation, no matter how trivial. Privacy Laws in Australia Privacy laws in Australia vary by state. Some states have stricter laws than others, and some may require you to notify the employee that you have removed their access. In Victoria, the Data Protection Act (2014) states that you must give written notice to the employee if you’re going to remove their access to any personal information. Furthermore, the process for ensuring people don’t leave your organisation with now-unauthorised access to company data is as follows: If an employer gave a former employee access to information on an IT system, the employer must remove the employee from that system within two days of their departure. If an employer gave a former employee a password to access the system, the employer must change that password within two days of their departure. The Steps to Maintaining Account Security 1. Make removing employee access a priority When an employee leaves your organisation, they’ll clean out their desk and return all company property such as a computer and office keys. And in today’s business environment, transferring and relinquishing account access is arguably the most important part of the offboarding process. Removing access to your company’s accounts is a simple process. If you’re running a small business, there’s a good chance that one person at the company has the password information and can change it easily. When hiring employees, it’s essential to ensure they have access to only what they need. There are several ways for companies to remove employee access from their accounts quickly: Collecting passwords from all current employees Creating new passwords for each account If required, provide in your employment contracts that all employees must transfer ownership of accounts associated with your organisation upon departure. 2. Track all departures and the permissions you need to remove. As we’ve already discussed, former employees may not be aware that they’re still using (or have permission to use) company resources after they’ve left your organisation. Additionally, you may want to track what permissions you need to remove from the employee’s profile or account after termination. By keeping tabs on this kind of activity, you can ensure your data remains safe from former employees who have access but no longer work for your company. 3. Make the process of removing employee access simple for everyone involved. To minimise the risk of sensitive data leaving your organisation, it’s essential to make removing employee access simple for everyone involved. Make it easy for employees to remove themselves by providing a self-service portal or email address they can use to request their accounts be locked. But don’t stop there—make sure you automate this process as much as possible so that IT doesn’t have to remove every user from every system manually. And remember to make the process easy for managers and HR! They’re often busy people who will appreciate having one less thing on their plates if possible. Best-practice cybersecurity precautions Prevention is always better than the cure. So to safeguard your business and its future, it is essential you take steps to keep your data within your virtual four walls. Firstly, ensure that you create all your organisation’s accounts with a general email address rather than an employee one. That way, when an employee leaves, you are still able to access organisational accounts through a general email address and are not left trying to access an ex-employee’s email account to retrieve a lost password. And with many websites now requiring a mobile number in addition to an email for two-factor authentication, you should consider using a work phone with its own number for this purpose. While you may be able to retrieve an ex-employee’s work email, asking them for access to their phone number will be an inconvenience at best and impossible at worst. Take stock of the accounts each employee has access to, and ensure that you change all passwords and security controls as soon as they leave. Part of the reason complying with the privacy act is in the “too-hard basket” for businesses is that it can be hard to keep track of ever-changing passwords. To assist with managing login details for the numerous accounts linked to your organisation, keep all login information in a spreadsheet, so authorised employees can easily find up-to-date login details. And perhaps most importantly, you must nominate a member or members of your team to be responsible for safeguarding your data. Conclusion Organisations need to control who has access to their systems and data. With the right tools and processes, removing employee access to maintain security controls can be quick and easy. But for a cybersecurity policy to be effective, it needs to be part of the legal fabric of your organisation. If you need help developing and implementing cybersecurity controls, contact our team .