With the increase of SaaS apps in the workplace, it can take hours just to offboard one employee. It’s time to tackle this issue and offboard fast and securely.
BetterCloud Whitepaper: Offboarding Inefficiencies and Security Threats
WHITEPAPER
Identifying and Eliminating Employee Offboarding Inefficiencies and Security Threats
info@bettercloud.com | (888) 999-0805
Table of Contents
Offboarding as an Organizational Issue
3 Reasons Modern Day Offboarding is Getting More Complex
The Top 4 Threats Posed by Improper Offboarding (and How to Address Each)
5 Key Benefits of Orchestrated Offboarding
Case Study: SaaS Offboarding Orchestration in the World of High-Tech Venture Capital
Offboarding as an Organizational Issue
“First of all, we want to
offer our apologies for any
inconvenience. Unfortunately,
an ex-administrator has
deleted all customer data and
wiped most servers. Because
of this, we took the necessary
steps to temporarily take our
network offline.”
Message posted on verelox.com after
an improper offboarding incident.
As of this writing, Verelox, a virtual and
dedicated server provider, has yet to relaunch
its site after an ex-employee was improperly
offboarded. That’s 30+ days with no website,
likely leading to severe losses of both
customers and revenue.
It’s time for everyone, from investors to IT, to own
up to a harsh truth. Neglect is no longer an option.
Verelox is a victim of a phenomenon that shows
zero mercy, turning successful companies into
skeletal ruins (see also: RealityCheckNetwork).
How is it possible that this little-discussed
topic, a vital operating aspect of every
organization, so often masquerades as a
checklist chore for a newly hired IT admin?
Every department and every employee
has been (or will one day soon be) affected by
offboarding.
But a closer examination shows that
offboarding departing employees has
become extremely complicated in today’s
modern workplaces. Data lives in multiple
siloed applications, some sanctioned by IT and
some not, and often there is no way for IT to
take action quickly enough (if at all) to prevent
potential catastrophes like those above during
offboarding.
Executives should care because offboarding
affects the bottom line, in the form of
data breaches, failed compliance, hindered
productivity, data loss, and even loss of
revenue. Every employee should care because
improper offboarding can cost them their jobs
and lead to identity theft, litigation, and lifelong
negative career impacts.
It’s time to know the threats of offboarding and
start working toward a solution.
3 Reasons Modern Day Offboarding
is Getting More Complex
1. The Gig Economy
The employee that sticks around for 10-plus years
is a rare one indeed. It’s common now to change
jobs after a couple of years. In fact, the Bureau
of Labor Statistics confirms that as of 2016, the
average employee changes jobs every 4.2 years,
down 9% from just two years prior. This number is
only going to decrease in the future.
This type of turnover is nothing new. But
the technology involved is. SaaS has altered
the playing field, and as a result, most
companies’ approach to offboarding is ad
hoc. Despite the frequency, inevitability,
and potential to cause chaos, offboarding is
nothing more than a PDF checklist.
What’s more, with the rise of freelancers,
contractors, and consultants, “turnover” is more
prevalent than ever. So much so that the trend
has been dubbed the “gig” economy. Already,
freelancers make up 35% of the U.S. workforce.
By 2020 (less than three years away), experts
believe this number could rise to nearly 50%.
What happens when companies are working
with too many freelancers, granting access to
data and applications, but failing to revoke it?
SaaS technology continues to make it easier
than ever to collaborate. New apps like
Google Drive, Dropbox, and Slack encourage
sharing and make collaboration simple.
While this drives productivity, it also allows
data to flow freely (sometimes outside your
organization) and makes that data difficult to
track down and control.
This new style of workforce and the tendency to
change jobs every few years is a growing concern,
adding complexity to an already challenging task.
2. Sheer Volume of Applications Creates Additional Risk
According to an Intermedia and Osterman
Research report, 89% of ex-employees
retain access to email accounts, Salesforce,
SharePoint, and other sensitive corporate
applications, including some applications
not often considered sensitive but that have
the potential to damage a company’s brand
(Facebook) or bank account (PayPal). And
49% actually log into an account after leaving
the company.
What does this mean for organizations?
• Without a policy in place to prevent
it, ex-employees can usually access
applications and company data.
• Odds are high (over 50%) that if they can
access it, they will.
• Even the most well-intentioned people
will try to leave with company data,
whether it’s on purpose or not.
Preventing access to approved applications
is one thing, but imagine offboarding an
influential employee who worked extensively
with applications IT didn’t know existed? How
would a company get that information back?
They can ask nicely, but that’s about the extent
of their power.
Whether it’s frowned upon, or even
forbidden, employees will rarely place
security above productivity. That’s why
security controls are necessary.
Exiting employees should never take data
or application access with them when
they leave. This exposure not only makes
companies vulnerable to data breaches,
but it also opens the door for compliance
issues, productivity loss, and potentially
even lost revenue or destruction of
shareholder value.
3. Data Sprawl Across Applications Creates Complexity
Today, data is created at an unprecedented
rate. It’s common for employees to send and
receive close to 3,000 emails a month.
Executives might receive more than 10,000.
Within days of being hired, an employee
will likely have access to thousands of
company documents. They’ll gain access
to applications, forward emails or share
documents with personal accounts, and
handle sensitive data on personal devices
using unsecured Wi-Fi networks.
For years, executives (and productivity
application vendors) have focused on driving
productivity through increased collaboration.
But the result, when not executed with the full
oversight of IT, is high productivity coupled
with significant security exposures. In other
words, almost zero control for IT.
It’s a multi-SaaS maelstrom, and it makes
processes like employee offboarding
extremely difficult to plan for, let alone
execute, properly.
The Top 4 Threats Posed by Improper
Offboarding (and How to Address Each)
Offboarding begins long before an employee’s
last day. Or at least it should.
However, the vast majority of companies think
about offboarding when it becomes a problem,
not before. But what happens if neglect becomes
the only strategy?
The results are potentially devastating. A simple
offboarding error can cost an entire IT team their
jobs, not to mention C-level executives. Knowing
the risks and taking preventative and proactive
actions to protect data won’t go unnoticed,
especially if the complexity and value of those
measures are articulated.
Offboarding is a dirty job, but somebody has to do
it. And that somebody needs to do it right.
1. Exiting Employee Steals or Inappropriately Accesses Company Data with Malicious Intent
A data breach is likely the first thought that
occurs when discussing offboarding risks.
After all, a departing employee is likely to leave a
company on less than amicable terms.
This is called an insider threat, and it’s one of
the most common causes of data breaches.
For companies that want to avoid this threat,
there are many preventative measures that can
be taken, many of which take place before
“offboarding” even officially begins.
Here are a few common preventative practices:
Step 1 - Prevent email forwarding and sharing
files to personal accounts.
Offboarding should start before it ever really
begins. For most employees, it’s not a big
deal to take valuable information with them
when they switch jobs. Sometimes it’s harmless:
employees simply forward personal notes
or other miscellaneous emails. But other times,
intellectual property is stolen. Even customer
and employee personally identifiable information
(PII) can slip through the cracks. Compliance can
become a major concern. Policies can (and in
many cases should) be in place to prevent this
type of behavior.
Step 2 - Reset shared passwords.
At most companies, and in most departments,
there are common passwords that are used for
shared accounts. These are spread via word
of mouth or made accessible in password
managers. They are often simple to remember.
When an employee exits, they don’t suddenly
forget these commonly known passwords. IT
should take it on themselves to reset these
passwords during offboarding. A password
manager like LastPass can make this process
easier to execute, as well as add an extra layer
of security by enforcing very complex passwords
because no one needs to remember them in the
first place.
Step 3 - Revoke access to all applications.
It should take just seconds, not minutes, hours,
or days for IT to revoke access to applications
as soon as an employee exits. Failure to do so
is a severe concern. An ex-employee with bad
intentions can wreak havoc on purpose. An
ex-employee with good intentions can wreak
havoc by accident. Either way, revoking access
to all applications should be done in a timely
(i.e. immediate) fashion. Be sure to examine
which applications may retain authentication
through OAuth tokens even after a user’s
password is changed on the account. There are
countless examples (here’s one) of users staying
signed in to applications via OAuth even after
their password has been changed.
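The check described in Step 3, as an added example that is not part of the original whitepaper or any vendor's product: given an inventory of one departing user's credentials, it lists what still grants access after the password reset. The credential kinds, application entries and timestamps are constructed, and the rule that a reset ends only password-based sessions is an assumption of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Credential:
    kind: str             # "password_session", "oauth_token" or "app_password"
    app: str              # application the credential grants access to
    issued_at: datetime
    revoked: bool = False


# Assumption of this sketch: a password reset ends only the sessions that were
# opened with the old password. OAuth tokens and app passwords stay valid
# until they are revoked explicitly. Real behaviour differs per application.
ENDED_BY_PASSWORD_RESET = {"password_session"}


def residual_access(credentials, password_reset_at):
    """Return the credentials that still grant access after the reset."""
    remaining = []
    for cred in credentials:
        if cred.revoked:
            continue
        ended_by_reset = (cred.kind in ENDED_BY_PASSWORD_RESET
                          and cred.issued_at < password_reset_at)
        if not ended_by_reset:
            remaining.append(cred)
    return remaining


def describe(cred, password_reset_at):
    """One line per finding, stating why the credential is still a risk."""
    when = "before" if cred.issued_at < password_reset_at else "after"
    return f"{cred.app}: {cred.kind} issued {when} the password reset is still active"


def at(day, hour):
    # Constructed timestamps, all in July 2017 (UTC).
    return datetime(2017, 7, day, hour, 0, tzinfo=timezone.utc)


RESET_AT = at(14, 17)  # password reset on the employee's last day

# Constructed sample inventory for one departing user.
SAMPLE_CREDENTIALS = [
    Credential("password_session", "G Suite", at(14, 9)),
    Credential("oauth_token", "Slack", at(3, 10)),
    Credential("oauth_token", "Salesforce", at(5, 11), revoked=True),
    Credential("app_password", "Desktop mail client", at(1, 8)),
    Credential("password_session", "G Suite", at(14, 18)),
]

if __name__ == "__main__":
    for cred in residual_access(SAMPLE_CREDENTIALS, RESET_AT):
        print(describe(cred, RESET_AT))
```

The session opened after the reset is reported too, because a login with the new password on a departed employee's account is itself something to investigate.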
Step 4 - Collect and/or wipe data from
devices.
Much like revoking access to applications,
immediately when an employee walks out the
door, company data should be removed from
mobile devices, whether they are owned by
the company or the ex-employee. Without
doing so, a company is vulnerable. There are a
variety of mobile device management solutions
on the market to help enforce a policy here,
although stock solutions like G Suite’s device
management controls are often enough these
days, if your company is not dealing with much
sensitive information in offline files. However,
you still need to automate the execution
of these steps in order to protect against
exposure.
2. Compliance Violations or Breaches of Confidentiality Due to Administrative Errors
There are a number of industry regulations and
compliance standards that apply to offboarding,
not to mention the fact that offboarding almost
universally deals with information that’s confidential
to the organization or even to the individual. And IT
is responsible for making all of this work.
To reduce the risk of administrative errors,
compliance violations, and breaches of
confidentiality during the offboarding process,
companies must use technology that enables
them to:
Step 1 - Employ a granular least privilege
model (even outside of IT).
When it comes to compliance, IT should consider
a least privilege approach, meaning anyone in
the organization only has the access necessary
to do their jobs and nothing more. If an IT team
member or other functional role involved in
offboarding (such as HR) does not need access
to the contents of a user’s files, or to certain sets
of sensitive information, then don’t give them the
opportunity to cause harm (intentionally or by
accident) by providing access to this information
simply because they are involved in offboarding.
Stick to least privilege vigorously. This approach
will help companies avoid potential privacy and
confidentiality violations, as well as eliminate
many compliance concerns.
Step 2 - Prevent unnecessary exposure of
sensitive information.
Sensitive information, such as social security numbers
and banking details, is involved in the
offboarding process. To prevent unnecessary
distribution, regular expression DLP policies
can help ensure sensitive information isn’t
accidentally shared with co-workers (and even
external parties). Situations like these are not only
likely compliance violations, but also lawsuits
waiting to happen.
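A regular expression DLP policy of the kind Step 2 refers to, as an added example that is not part of the original whitepaper: it detects US social security numbers and bank routing numbers, uses range and checksum rules to cut false positives, and masks each value it reports. The policy outcomes (allow, warn, block), the company domain and the sample message are constructed for illustration.

```python
import re

# US social security number written AAA-GG-SSSS. The lookaheads reject values
# that are never issued (area 000, 666 or 900-999, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate US bank routing number: nine digits standing alone.
ROUTING_RE = re.compile(r"(?<![\d-])\d{9}(?![\d-])")


def routing_checksum_ok(digits):
    """ABA check: 3(d1+d4+d7) + 7(d2+d5+d8) + (d3+d6+d9) is a multiple of 10."""
    d = [int(c) for c in digits]
    total = (3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7])
             + (d[2] + d[5] + d[8]))
    return any(d) and total % 10 == 0


def mask(value):
    """Keep the last four characters so the alert does not leak the value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text):
    """Return (kind, masked_value, offset) for each sensitive value found."""
    findings = [("ssn", mask(m.group()), m.start()) for m in SSN_RE.finditer(text)]
    for m in ROUTING_RE.finditer(text):
        if routing_checksum_ok(m.group()):
            findings.append(("routing_number", mask(m.group()), m.start()))
    return sorted(findings, key=lambda f: f[2])


def decide(text, recipients, company_domain):
    """Policy: block sensitive data leaving the company, warn on internal sharing."""
    if not scan(text):
        return "allow"
    external = [r for r in recipients
                if not r.lower().endswith("@" + company_domain)]
    return "block" if external else "warn"


# Constructed sample message; every value in it is made up.
SAMPLE = ("Final paycheck for J. Doe: SSN 123-45-6789, routing 123456780, "
          "ticket 123456789, placeholder 000-12-3456.")

if __name__ == "__main__":
    for kind, masked, offset in scan(SAMPLE):
        print(f"{kind} at offset {offset}: {masked}")
    print(decide(SAMPLE, ["hr@example.com", "jdoe@gmail.example"], "example.com"))
```

The nine-digit ticket number and the 000-prefixed placeholder in the sample are not reported, which is the difference between a bare digit pattern and one with validity rules.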
Step 3 - Ensure your systems leave detailed
audit logs.
If a company is about to undergo a security
audit or is renewing or seeking a security
certification or attestation, offboarding process
execution may be scrutinized. Auditors may ask
companies to provide detailed records of
the offboarding procedures. These logs should
contain what actions were taken, who took
them, and when they were taken. Detailed audit
logs make this audit process easy, and any lack
of detail is nearly impossible to remediate.
Step 4 - Retain data and create reliable
backups.
In many legal cases and with many service
level agreements (SLAs), companies are
required to retain data for many years (some
companies retain it indefinitely). Accidental
deletion of accounts or improper backups will
lead to data loss and potential legal issues. This
isn’t anything any admin or company wants to
experience. Many services are purpose-built to
prevent this from happening.
Step 5 - Wipe only corporate data off of
employee-owned devices.
Mobile device management (MDM) gives IT the
power to remotely wipe devices. By mistake,
devices can be wiped of all data, both personal
and corporate. This creates a serious legal
situation if the proper agreements have not
been signed. There are horror stories of IT
admins wiping devices that contain nearly
finished novels or photos of newborns.
Obviously, blame is shared in these scenarios,
but in the end, it’s IT that faces the most scrutiny
and the company that pays up.
3. Unnecessarily High Expenses Due to Unused Licenses and Unknown Recurring Payments
Odds are you are paying for licenses and
possibly even applications that aren’t being
used. Whether due to fear of data loss or lack of
time, many companies are stuck in an expensive
limbo when it comes to SaaS license spend. IT
can put policies in place to prevent this.
Whether it’s idle licenses, unused storage, or
devices collecting dust, many of these expenses
are the result of incomplete offboarding
processes. Since offboarding is often a multi-
phase process, the final steps can fall through
the cracks.
Step 1 - Set a threshold on suspended
licenses.
Depending on the application, companies may
be billed for licenses sitting in a suspended
state. A single SaaS application license may
cost a company around $50 a year — not a
big deal. But many companies never clean up
suspended licenses and are simply throwing
away thousands of dollars a month. Companies
should keep tabs on licenses assigned to
former employees. One quick way to do this is to
set a threshold on the number of suspended
licenses you’re willing to permit in each given
SaaS application (based on how they bill for
these licenses).
Step 2 - Prohibit employees from using
company cards for unapproved applications.
This is a surprisingly common cost that flies
under the radar. It’s common across many
departments and there is really no easy
answer. A solid solution: Sit with the Finance
team and review every SaaS license paid for
through a company credit card. Then, make
a decision on whether or not IT should bring
unapproved apps under their control or stop
paying for them. If a user goes around IT and
is expensing SaaS apps on their own card,
a simple solution to curb this behavior is to
warn employees that SaaS apps on personal
cards will no longer be reimbursed.
Step 3 - Free up and reassign suspended
licenses.
In most SaaS applications, when you fully
delete a user you are left with a license
that can be assigned to another employee,
and you may or may not be paying for that
license while it’s not assigned. Be sure to use
these licenses first when onboarding new
employees. And some SaaS applications,
like G Suite, even offer special license types
for former employees. In G Suite these are
called Vault Former Employee licenses (note:
this particular license type is only available to
former Postini customers), and reduce license
costs while retaining user data.
4. Productivity Loss Caused by Miscommunication and Lack of Documentation
When change occurs, business activities are
interrupted and productivity stalls. But the impact
of change caused by offboarding can be lessened.
Step 1 - Document important processes.
While this might not fall under “data loss” or
“offboarding” in the traditional sense, it is
a potential threat that must be considered.
Companies should seek to change the way
employees operate and encourage constant
documentation. This is a top-down issue that
executives (as well as IT leaders) should push for.
Step 2 - Avoid ad hoc scripts and
undocumented automations.
If the employee is in IT and relies heavily on
custom-built scripts to automate certain tasks,
those scripts will inevitably break and require
maintenance. Companies should own their
automations, meaning the ability to execute, alter,
and update them should pass seamlessly from
one employee to the next. If not, a departing
employee can leave a company in a difficult
position.
Step 3 - Ensure successful file ownership
transfers.
File ownership is tricky when it comes to SaaS
applications like Google Drive, Dropbox, and
others. If important documents are transferred
to the wrong person, it creates a huge
headache for IT and everyone who needs to
access those files.
Step 4 - Handle email with care.
One of the most common points of failure
during offboarding is email. Should the ex-
employee’s entire email be accessible by the
employee’s manager? Or should all future
emails be forwarded to a certain person?
What exactly should the autoresponder say?
How long should an autoresponder remain
active? These questions vary greatly from
employee to employee. The answer is likely a
decision that can only be made through open
communication.
Step 5 - Manage calendars and resources.
When an employee exits, it’s especially difficult
to handle anything related to calendars and
resources. While it might seem small, a booked
resource that goes unused is a wasted expense
and could have been used in a more productive
way. On top of that, if a user is deleted, any
recurring meetings or secondary calendars that
user owns will be deleted as well.
Step 6 - Build orchestrated offboarding
processes.
Too much time is wasted in IT doing
manual, repetitive tasks. If offboarding is
done manually and correctly, it will likely
take a significant amount of time. Admins
will have to go into each application’s
admin console and deprovision a user.
Automating tasks is helpful, but when
they’re compiled together, something much
more powerful is created.
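A minimal orchestrated workflow that also produces the audit record asked for earlier under "Ensure your systems leave detailed audit logs" (what was done, who did it, when), as an added example that is not part of the original whitepaper or BetterCloud's product. The step functions, the in-memory directory and the user and admin names are hypothetical stand-ins for real admin API calls.

```python
from datetime import datetime, timezone


def new_directory():
    # Constructed in-memory stand-in for the SaaS admin consoles. In a real
    # workflow each step below would call the application's admin API.
    return {"jdoe": {"groups": {"finance", "all-staff"},
                     "oauth_tokens": ["chat-app", "file-sync"],
                     "password_reset": False,
                     "device_wiped": False}}


def remove_from_groups(directory, user):
    directory[user]["groups"].clear()


def reset_password(directory, user):
    directory[user]["password_reset"] = True


def wipe_corporate_data(directory, user):
    # Simulated failure: the phone is switched off when the workflow runs.
    raise RuntimeError("device unreachable")


def revoke_oauth_tokens(directory, user):
    directory[user]["oauth_tokens"].clear()


WORKFLOW = [remove_from_groups, reset_password, wipe_corporate_data,
            revoke_oauth_tokens]


def run_offboarding(directory, user, actor, steps=WORKFLOW):
    """Run every step and record what was done, by whom, when, and the result.

    A failed step is logged and the remaining steps still run, so one
    unreachable device cannot leave tokens or group access in place.
    """
    audit_log = []
    for step in steps:
        entry = {"action": step.__name__, "target": user, "actor": actor,
                 "at": datetime.now(timezone.utc).isoformat(),
                 "outcome": "ok", "detail": ""}
        try:
            step(directory, user)
        except Exception as exc:
            entry["outcome"] = "failed"
            entry["detail"] = str(exc)
        audit_log.append(entry)
    return audit_log


def needs_follow_up(audit_log):
    """Actions that did not complete and must be retried or done by hand."""
    return [e["action"] for e in audit_log if e["outcome"] != "ok"]


if __name__ == "__main__":
    directory = new_directory()
    log = run_offboarding(directory, "jdoe", actor="it-admin@example.com")
    for e in log:
        print(e["at"], e["actor"], e["action"], e["target"], e["outcome"], e["detail"])
    print("follow up:", needs_follow_up(log))
```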
5 Key Benefits of Orchestrated Offboarding
There’s a misconception that deprovisioning and
offboarding are the same.
However, deprovisioning is just one small aspect
of the greater offboarding process, which is much
more complex than simply cutting off access to an
application. (For example, think about document
transfers, device wipes, autoresponders, inbox
delegation, etc.)
Based on customer research, the offboarding
process for a single G Suite user consists of 28
manual steps, on average.
This manual workload is exactly why companies
can no longer ignore the increasing complexity
and growing number of threats associated with
offboarding. As more applications are adopted, a
more strategic approach is necessary. Fortunately,
platforms built for multi-SaaS environments exist
to help companies manage SaaS applications and
simplify offboarding through orchestration.
But outside of IT, many employees don’t
understand the ROI of orchestration. This list will
help you explain the benefits to anyone.
1. Reduces Human Error and Improves Offboarding Precision
Orchestration and automation remove the
human element from offboarding process
execution, greatly reducing the probability of
error. Additionally, offboarding procedures will
routinely change. The more manual the process,
the more room there is for mistakes. Well-
polished orchestrated offboarding operates with
precision. What needs to be done gets done.
Every time, exactly when expected, without fail.
No matter what.
2. Provides Clean Audit Logs for Compliance and Internal Review
Audits aren’t fun for anyone. Companies fail
audits because of improper offboarding, whether
that’s caused by a lack of documentation or poor
execution. A solution that enables orchestration,
offers a user interface, and ensures every change
and action is recorded makes passing an audit
much simpler. It’s a huge time saver because
companies don’t have to dig into the admin
consoles of a bunch of apps to duct tape audit
logs together. Orchestration also makes it
easier to spot an error should it occur. It’s like
finding a broken link in a chain instead of a
needle in a haystack.
3. Enables Iterative, Scalable Customization that Evolves as Companies Change
Offboarding best practices from four years
ago look totally different than today’s best
practices. Technology has forced companies
to adapt. Orchestration enables IT to keep
up with the pace of change by allowing
for iterative change instead of just adding
another step to an already time-consuming
process. Orchestrated offboarding is about
tweaks, as opposed to overhauls. A new step
is just another automated action. It’s simply
an iteration of an existing workflow.
4. Carries Out Many Vital Offboarding Steps in Seconds
Many companies do offboarding 100% right;
however, it takes too long. With orchestrated
offboarding, companies can perform a flurry
of tasks almost instantly. Not only does this
free up valuable time, but it also reduces risks
by performing important security-related
tasks automatically and in quick succession.
After all, every minute an exiting employee
can still access company data is another
minute a company is at risk of a data or
compliance breach.
5. Offers Simplicity and Control Over Offboarding Processes
Offboarding isn’t simple. If it were, people
wouldn’t shy away from it so much. With
more automation, and fewer dashboards
involved, offboarding becomes less
taxing from a documentation and training
perspective. If a member of a team leaves,
a new person should be able to pick
things up immediately. If not, a company
is probably dependent on the capabilities
of a single employee. It must be simpler.
Orchestration is the answer.
Case Study:
SaaS Offboarding Orchestration in
the World of High-Tech Venture Capital
The Necessity of Precise and Immediate
Offboarding
“Thirty seconds.”
That’s how much time Ryan Donnon needs
before he can confidently look an investor in the
eye and say: “We’re good. Everything sensitive
is protected.”
That’s effective offboarding.
Donnon works as the IT and data manager
at First Round Capital, a top-tier early-stage
venture capital firm with over $700mm in
capital under management, and 6 IPOs and 92
acquisitions under its belt. Due to the nature
of the business, employees handle sensitive
financials and proprietary information on a
daily basis and thus Ryan understands the
importance of offboarding.
Data simply cannot be publicly exposed.
Mistakes and delays aren’t an option.
“If there’s ever a fire drill and someone needs
to be offboarded immediately, I can’t say to a
partner or a supervisor, ‘It’ll be two hours until
their access is revoked.’”
As a result, Donnon has created a fully
orchestrated offboarding process, which helps
him ensure precision, immediacy, and reliability.
As soon as an employee exits the building,
Donnon’s offboarding process, which takes only
a “couple of clicks” to complete, revokes access
to SaaS applications like Salesforce, Slack, and
G Suite.
Ryan Donnon
Eliminating Exposure with Offboarding
Orchestration
Like many IT professionals, Donnon agrees that
the shift to SaaS has produced new opportunities
and challenges. The challenges are particularly
noticeable with offboarding, he says.
“SaaS creates a lot of exposure for me when
employees leave the company.”
Using BetterCloud, Donnon eliminates this
exposure in seconds.
When an employee exits, Donnon “fires off a
BetterCloud workflow,” which does a “bunch
of things” he used to have to remember to do
manually.
“The workflow immediately removes them from
all groups, deactivates two-factor authentication,
resets their password, and revokes
authentication tokens for all of the applications
that the employee has connected to their
account. And most recently, I’ve updated the
workflow to actually deactivate their Salesforce
account as well,” he says. While most of these
steps are relatively simple tasks, each must be
performed immediately when an employee is
offboarded, making the workflow orchestration
a critical value-add.
“I think offboarding, as opposed to onboarding,
is where I have the most exposure. If I mess
up, forget a step and an ex-employee still has
access to company data, that’s where I could
hurt my reputation the most.”
Next, because First Round Capital uses SAML
for most applications other than G Suite, he “kills
the ex-employee’s Okta account,” which “pretty
much cuts off access to everything else.” Donnon
views BetterCloud and Okta as entirely different,
but complementary solutions. “Even if you use
some deprovisioning stuff in Okta, it still can’t
do everything that you need to do that I feel like
BetterCloud really makes easier.”
Most of the typically manual work associated
with offboarding is automated through these
processes. Donnon says that after seeing this
orchestration in action, it’s hard not to say:
“Wow. IT’s really got it together.”
[Figure: Ryan’s offboarding workflow in BetterCloud]
Handling the Dynamic Variables
Offboarding isn’t all about cutting off access. Of
course, companies want to take care of physical
access and assets, too. Turning off keycard
access and collecting company devices are
necessary steps that Donnon takes.
But on top of that, exiting employees often
possess information others may need.
Donnon uses a checklist to help establish a
timeline and manage the variables. “Everyone
is going to be different,” he says. Offboarding
a partner, for example, is going to be a much
more complex scenario than an employee who
was in and out in less than six months. How to
handle email is one aspect of offboarding that
varies more than any other.
Leading up to the employee’s last day,
communication, establishing personal
relationships, and doing the upfront “legwork”
are all key, says Donnon.
“You don’t want to be reaching out to people
[to get information you need to fully offboard
them] for the first few months after somebody
exits.”
[Figure: Ryan’s offboarding checklist]
The Final Steps
For the first two weeks after an employee leaves,
the account is in limbo, says Donnon. (G Suite
cannot serve up an auto-reply if an employee is
suspended or deleted.) “I use the BetterCloud
interface to set the auto-reply.”
At the end of the two weeks, Donnon goes into
BetterCloud again.
He takes care of what many forget: recurring
calendar events, which often may be
consuming shared resources like conference
rooms. “If an ex-employee is the owner of
any recurring events, I need to work with
either their manager or the person that
replaced them to figure out who I should
transfer those events to.” If not, this can be an
especially excruciating task to perform after
the fact. “Google does not have a great way
to transfer recurring events from a deleted
user,” says Donnon.
Next, Donnon backs up the account, transfers
all of their shared Google Docs (typically to
their manager), and then, unlike many G Suite
admins, will actually delete their email account.
(Many companies choose to suspend accounts
for various reasons, but deleting a user will
reduce costs, since Google does charge for
suspended users.)
With a standard two weeks’ notice, the entire
offboarding process happens over the course of
a month.
Donnon takes care of his part in a matter of
minutes.
About BetterCloud
BetterCloud is the first Multi-SaaS Management Platform, enabling IT to centralize, orchestrate, and
operationalize day-to-day administration and control across SaaS applications. Every day, thousands
of customers rely on BetterCloud to centralize data and controls, surface operational intelligence,
orchestrate complex actions, and delegate custom administrator privileges across SaaS applications.
BetterCloud is headquartered in New York City with engineering offices in Atlanta, GA. For more
information, please visit www.bettercloud.com.
Demo BetterCloud today.