A poorly handled employee termination can create a slew of security risks. That's why CIOs and CSOs need a process for letting workers go.
Ian Cheeseman is president of LVA Communications, a small public relations consultancy headquartered in Connecticut, with subsidiary offices in New York City and Silicon Valley. But earlier in his career he was the data-processing manager for a municipal insurance company - a fact that may have something to do with one of LVA's employee termination procedures.
LVA is a contractor to its string of high-tech clients, and consequently its employees are routinely granted high-level access to its clients' systems. "With most of our clients, we can get in behind the firewall," Cheeseman says. "But we've noticed that while companies may be diligent about blocking access for their own former employees, they often don't seem to have a system for dealing with contractors' employees. If someone at a contractor left, the client company might not find out about it for months - if at all." So when a worker leaves LVA, the company is proactive about communicating that to affected clients. LVA collects items such as contractor ID badges as a routine part of the termination process. As soon as the employee has left, says Cheeseman, LVA's human resources administrator telephones the client companies on whose behalf the individual in question worked. "Then we follow up that call with an e-mail so that there's a paper trail," he adds. "The message is quite specific: 'This individual has left our employment and should no longer be allowed access to your premises or your data.'"
After a spate of well-publicised incidents where former employees wreaked havoc after gaining access to companies' systems - and premises - the security processes for employee terminations ought to be nailed down hard and fast by now. As every new breach makes clear, though, that's simply not the case. It's not as if the task is a difficult one; updating passwords and retrieving access cards is hardly rocket science. But it's no mystery why it just doesn't get done in a thorough manner. Firing or retrenching an employee is an uncomfortable experience that even highly professional line-of-business managers would rather not think about. The result? From the security perspective, the process of firing people is often a mess. As Joe Magee, former CSO of Top Layer Networks, says: "When terminations happen, there's often considerable chaos and a lot going on. It's easy for things to get overlooked and for security measures to take second place."
But by pulling together a thorough, documented, humane procedure for employee terminations, you can help make the process easier - though not painless - for all involved, protecting the physical and digital assets of the company as well as the dignity of the departing employees and their supervisors. Here's some advice, garnered from experts, on aspects of the process frequently overlooked or misunderstood.
Absence of Progress
How widespread is the lack of clear thinking on this subject? Hard-and-fast figures are scarce, but Margaret McCausland, a partner in the Employment/Benefits/Labour practice of national law firm Blank Rome, estimates - based on the calls she gets from clients - that roughly 50 per cent of companies with 50 to 100 employees have adequate procedures in place for letting people go. With larger companies, the figure improves - climbing perhaps closer to 80 per cent. However, McCausland says that even for those with some kind of documented process, confusion over "the right way" to do the job actually creates more problems.
For an example of a common, yet inadvisable procedure, McCausland says look no further than the practice of ushering departing employees off the premises. Far from preventing people from stealing data or lashing out in some other manner at their former employers, this process might actually be encouraging them. "Employers sometimes ask me: 'Should we escort people out?' And I say to them: 'Why? Are they going to damage something on the way out? Or steal something? No. Treating people like a suspect is more likely to cause them to retaliate.'"
"Treating a terminated employee as a serious security risk - by escorting them out of the building under guard, for example - increases the likelihood that they will be a danger," agrees David Creelman, chief of content and research at human resources management portal HR.com. "Terminated employees don't have guns to pull at the termination interview. But if they feel betrayed and humiliated then they may go home, get a gun and come back. Most companies overreact on security. They march good people out the door under security escort, which simply damages morale in the company and greatly enhances the likelihood of a wrongful termination suit or other retaliatory action."
Top security executives chime in as well on this point. "You probably are asking people to retaliate," says Grant Crabtree, vice president of corporate security at Alltel, an $US8 billion telecom service company. "Under some circumstances it might be warranted, but it would have to be exceptional for us to do that. I think many of my colleagues would agree."
McCausland says existing termination policies frequently focus on things that touch only peripherally on security issues, if at all. Instead, their focus is often on avoiding unfair dismissal suits and the like. "Companies have become accustomed to lawsuits and litigation when terminating people and now think ahead and say: 'Should I terminate this person? And if so, how do I terminate them?'," she says. "But beyond that, they often don't think very far ahead at all."
Disabling information systems access is another area that a good policy should spell out clearly. "It's one of the great missed opportunities in security," says Giuseppe Cimmino, director of corporate systems architecture at Discovery Communications, the parent company of the Discovery Channel, Animal Planet and The Learning Channel. "Security consultants focus on the bits and bytes of firewalls and not on the accounts that remain provisioned for people who don't exist." Once again, hard evidence is scant, but what evidence there is certainly supports Cimmino's assertion. A survey into corporate identity management practices, published jointly by Novell worldwide services, Stanford University and Hong Kong University of Science and Technology in March 2003, found that 43 per cent of companies surveyed took more than two days to revoke the access rights of departed employees - and that 15 per cent took more than two weeks. Incredibly, some businesses appeared never to revoke access rights at all.
As in McCausland's anecdotal experience, smaller companies did indeed perform worse in the survey: 54 per cent of companies with fewer than 10,000 employees reported a lag of more than two days, while just 32 per cent of companies with more than 10,000 employees reacted as slowly. And European companies reacted more slowly than did North American or Asian companies: More than 20 per cent of European companies took two weeks or more, while just 10 per cent of North American and Asian companies reported taking as long.