15 Mar Ghosts in the machine
Do you have a tight onboarding / offboarding checklist you use when hiring a new employee or consultant? If not, it’s likely you have “ghosts” – people who can still access your data, even though they no longer have an affiliation with your company.
Fortunately, most of the time, these people will be “friendly ghosts” who have moved on to a new project or job and who would never dream of intentionally harming your company.
Unfortunately, friendly or not, these ghosts can come back to haunt you.
- They may be costing you extra user licenses.
- Their accounts may become compromised / hacked.
- They could share your insider information with unwelcome outsiders.
- Customers, prospects and partners may be left hanging without receiving responses.
So what should you do? Call Ghost Busters?!
Well, if you can’t get a hold of them, we’re happy to help. Some of the ways we recommend solving this problem are to:
- Routinely conduct an authorization audit. Once a quarter at least, go through all your software profiles and look for users who should have been removed from the system. If you have a high turnover environment, you may want to do these audits even more frequently.
- Document access points. When you give an employee or consultant access to a program, write down what you’ve given them access to. You can put this in their employee file or in OneNote/Evernote – wherever you’ll remember it.
- Set up strict on-boarding and off-boarding procedures. When you welcome a new employee, you can create a strong first impression by having their desk, computer and access ready to go on their first day. Having this checklist does double duty because it will make it easy to also off-board this employee when they leave. Your checklist should include both physical location security and IT security considerations, such as:
  - Security codes
  - Sales/support workflows
  - Shared files
If you do suspect a former employee or consultant is using your data for unscrupulous purposes, you may have legal remedy. Just because you didn’t revoke their access does not entitle them to use your private company information. If you need help setting IT policies and procedures, please contact us!