What’s one of the most important, yet painstaking and time-consuming tasks to tackle? Offboarding employees.
You know it, we know it.
But if offboarding isn’t done properly, a whole bunch of security risks — and incidents — can crop up.
Take passwords, for example. In a recent study, 47% of employees admit to using their former employers’ passwords to access accounts after leaving their organization.
(Yup, that’s definitely not good. 😱)
That’s just passwords. Imagine the security risks that come with offboarding SaaS applications, especially when organizations across the globe average about 110 SaaS apps. Scary, right?
There’s been a lot of employee turnover in recent years, especially now with layoffs and economic uncertainty. As a result, securing the offboarding process is more of a struggle than ever before.
Offboarding has so much complexity to begin with, and that’s only compounded by the diverse and increasing amount of tech employees use. And there are more challenges when employees are working hybrid or remote, too.
SaaS applications are one of those areas that cause all kinds of headaches. Given that organizations use hundreds (or even thousands) of SaaS apps, it’s a grind to understand and manage what’s happening in the entire SaaS stack.
But proper offboarding actually starts at the onboarding stage. For instance, some users may have or gain extraneous permissions to SaaS apps from the get-go, allowing sensitive data to be easily viewed, exported, or shared.
Or some employees use SaaS apps without approval from IT and security, installing new tools or linking them to their personal accounts. (Hello, shadow SaaS!) Employees may become targets — if not victims — of threat actors trying to gain access to an organization’s sensitive data.
The more SaaS apps used by employees, the more the apps impact offboarding. Without an effective process, maintaining SaaS compliance, governance, and security only gets more challenging. In some cases, former employees can still access SaaS apps outside of their organization’s single sign-on (SSO). Or threat actors can access sensitive data through the apps’ local user credentials — even if an employee’s credentials are revoked.
Offboarding is easy in theory, but not in practice. Maybe the tools or resources aren’t there to facilitate offboarding. More often than not, offboarding is done manually — making for a time-intensive, potentially error-prone task.
Deleting all corporate application accounts for one former employee can take up to one hour. And that doesn’t include canceling an employee’s access to their devices and networks.
Improper offboarding has broader implications for budgets and resources. Take licensing, for example. After employees leave, the SaaS applications remaining on their devices may not get transferred or removed. The SaaS licenses remain active long after they’re gone — and are at risk of being compromised.
With the current state of the economy, costs are a huge factor. Getting a full picture across the entire SaaS app landscape can provide actionable visibility into spend, specifically where redundant apps and underused or duplicate SaaS licenses are.
Beyond spend, actionable visibility also gives insight into SaaS security risks like shadow SaaS, weak access controls, and misconfigured settings.
Understanding what’s going on in the entire SaaS stack saves countless hours, eliminates mistakes, and makes the entire offboarding process much easier.
“Culture is the foundation for any high-performing team. We all process information differently, we listen differently. We come from different backgrounds and experiences. No matter who you are, I want to know that. I want to understand what makes you you and treat you the way you want to be treated, not how I project myself onto you.”
— Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA)
“[Create an environment] where people can understand when they can take time off and not feel like everything is going to fall apart. [Where] they have a plan for their career and how they’re going to grow. [Where] they have time to be with their friends and family enough not to be burned out.”
— Deidre Diamond, founder and CEO of CyberSN and Security Diversity
“Actively invite engagement, listen with purpose, and look for signs of burnout. You can't expect everyone to feel equally comfortable expressing an opinion, and so it's important to solicit feedback at times as opposed to always passively expecting it. When you are getting engagement, listen with purpose. Make an effort to not only hear what's being said, but understand and empathize. Lastly, look for signs of burnout. … If you're noticing signs of burnout on the team, look for ways to intervene, like ensuring adequate team resourcing/load balancing to create a healthy work/life balance for everyone, and that team members are able to take PTO.”
— Daniel Trauner, senior director of security, Axonius
“We need an environment where failure is not only tolerated, but an understood aspect of innovation. Our attackers are failing forward every single day, [and] we deserve the ability to do the same if we are going to protect our people, data, and organizations.”
— Chris Cochran, co-founder at Hacker Valley Media and creative director at Axonius