Offboarding
Erin Geiger, Director of Content at Lumos

Removing Access for Terminated Employees

Offboarding employees is an important part of doing business; learn how automating the process can increase efficiency and minimize risk.

Table of Contents

No matter how much due diligence a business leader undertakes, hiring is an imperfect process—meaning employee terminations are, unfortunately, part of doing business. For many managers, letting employees go (no matter the cause) can be a stressful experience—and it can impact other employees’ morale if not undertaken with the proper respect and care, not to mention the organization’s own cybersecurity posture.

Now, think for a moment about the fact that the average enterprise-level organization uses over 1,000 different applications. When an employee leaves (or is made to leave) the company, it’s important to ensure that their access credentials are properly managed in order to reduce security risks. This article will answer some common questions about what to do after an employee is terminated and outline a few best practices around removing access—including how employee offboarding automation can benefit your organization.

Why Do You Need to Be Careful in Terminating an Employee?

While the threat of a terminated employee retaliating against the organization that let them go isn’t necessarily non-existent, it’s not the main reason companies need to be careful about how and why they terminate employees. The more common and significant reason relates to legal risk—more specifically, the legal rights of the terminated employee. As outlined by the U.S. Department of Labor, these rights include:

  • The right to opt into group health plan benefits for a set, limited period of time,
  • The right to unemployment benefits (provided the employee is “unemployed through no fault of their own” and meets other eligibility requirements), and
  • The right to collect unemployment insurance payments for temporary financial assistance in accordance with applicable state laws.

Of course, it’s also important to note that employers are legally prohibited from discriminating against—or terminating—employees “on the basis of age, race, color, religion, sex, ethnic/national origin, disability, and veteran status.”

What Are the Steps for Terminating an Employee?

There are 5 main steps involved in terminating an employee, as laid out by ADP. These include:

  1. Documenting Employee Issues: Organizations should have policies and procedures in place for documenting employee issues over the course of their employment, as a matter of recordkeeping. This way, when tough decisions need to be made about employees’ tenure with the company, there is a historical record of documented performance or behavior issues—and employees will be less likely to feel targeted, or like their termination is unwarranted or unfair.
  1. Providing Coaching/Growth Opportunities: Most organizations prefer to retain existing talent, since it’s been proven to be much more cost-effective than having to constantly attract, recruit, and onboard new employees. Well before possible termination is on the table, employers should work with employees to remedy any issues in a timely and constructive manner. While nothing is foolproof and people are unpredictable, taking the time to understand and work with a struggling employee might just turn things around.
  1. Creating a Performance Improvement Plan: If an employee’s primary issues are related to their performance or productivity, a performance improvement plan could be the answer. This provides employees with clear expectations for their performance, with measurable and meaningful milestones for improvement. These plans usually provide employees with a set period of time to make improvements, anywhere from 30 to 90 days.
  1. Terminating the Employee: If coaching and a performance improvement plan don’t warrant the expected results, then termination may be inevitable. At this point, however, if the employee has been clearly communicated with throughout the process (including their receptivity to coaching and performance improvement), their termination should not come as a shock and can be handled professionally. It’s important to be straightforward and direct, so there are no misunderstandings that might lead terminated employees to hold any grudges against the company.
  1. Conducting an Exit Interview: This final step provides the employer and employee with a final opportunity to address concerns and tie up loose ends. Typically, these interviews will be conducted by HR and/or leadership, and help to ensure that the employee fully understands why they are being terminated, and what happens next. 

What Is the User Access Termination Process?

The user access termination process primarily addresses the practical or technical aspects of employee termination, including revoking their access to sensitive information, systems, and applications. While this isn’t always a set, linear process, it’s common for an organization’s employee termination process checklist to include, at a minimum:

  • Collecting any physical access controls, such as employee ID cards and keys.
  • Disabling any biometric-based access controls, like fingerprints or facial recognition.
  • Disabling network access by deactivating user accounts and passwords and/or telling systems to reject their credentials.
  • Monitoring systems for unauthorized access after termination, and taking appropriate actions to keep sensitive information safe.
  • Removing email accounts and remote access, to ensure that company data is effectively safeguarded.
  • Reclaiming company-owned property, such as laptops/tablets.
list of termination process steps when removing access for terminated employees
Six steps to consider when removing access for terminated employees.

What Are Data Access Control Best Practices?

There are several subcategories or types of data access management controls employers use to keep their systems and data safe, particularly when offboarding terminated employees. These include:

  • Creating, implementing, and monitoring effective access control policies—including an access termination policy. This is an internal set of regulations and procedures for granting (or denying) access to specific data and systems, and are often user- or role-based. While creating these granular guidelines can be difficult at first, they will set an essential foundation for maintaining security—which is also upheld by…
  • Applying The Principle of Least Privilege. This basic concept emphasizes the importance of advocating for minimal—not maximal—access privileges based on a user’s role, effectively minimizing security risks such as data breaches.
  • Utilizing Multi-Factor Authentication (MFA). This common feature provides an extra layer of security, requiring users to present at least two different forms of authentication. In addition to basic passwords and PINs, this can include device-specific authentication or security questions.
  • Regular audits and reporting. Access controls are not a “set-it-and-forget-it” type proposition. Instead, they require vigilant auditing and reporting to ensure that effective security is maintained without preventing authorized access to sensitive data and systems. Organizations should regularly test their access controls and evaluate their effectiveness, making updates or enhancements as needed.
  • Defining and implementing Role-Based Access Controls (RBAC). These specific controls help organizations to fine-tune their access controls—not just by defining roles but also by considering role hierarchies and separation or segregation of duties. The more clear these controls are, the more effective and dependable they will be.
  • Enhancing Identity and Access Management (IAM) capabilities, and creating rules/policies for granting and managing temporary access/privileges. These activities help to ensure that the right people have the right access at the right time—and those who shouldn’t have access don’t.

What Is the Procedure for Removing Access for an Employee When They Leave an Organization?

Removing access in a timely and effective way is a vital component of the employee offboarding process, no matter the terms by which the employee is leaving the organization. Even if you don’t suspect a terminated employee might maliciously access or compromise the company’s data/systems, security vulnerabilities may still exist. This underscores the importance of the following IT termination checklist related to employee access:

  1. At the time of termination, you can promptly begin the access removal process. This includes the most obvious points, like disabling employee accounts, revoking access privileges, and collecting any company property (including physical credentials).
  1. Next, you’ll want to perform a careful audit of all user accounts and credentials. Based on the employee’s current and past roles, create a complete list of all access types and then you can deactivate, disable, or reassign these one-by-one. 
  1. Once the access audit is complete, it’s a good time to review all security protocols to ensure that they are all up-to-date, working properly, and unable to be bypassed or exploited. If necessary, an organization can change certain encryption keys, adjust their firewall rules, or undertake similar actions.
  1. This is also a good time to process any returned employee equipment and credentials, making sure everything is properly disabled or deactivated.
  1. Depending on the employee’s role, you may also need to communicate with colleagues, as well as external partners, about the change. If the employee had shared any access or credentials with these parties, they should be reset.
  1. Throughout the termination process, documentation should be maintained, primarily to help ensure legal and regulatory compliance as well as accurate recordkeeping.

Can Employee Offboarding be Automated?

Yes! With the right software, many employee termination process steps can be automated. With Lumos, it’s like you have auto-pilot—you’ll have intuitive tools for creating highly effective user onboarding and offboarding processes that leverage automation to save valuable time and reduce the chance of human error.

Once configured, Lumos makes one-click offboarding a possibility, for SSO as well as non-SSO apps. That way, when an employee leaves you can easily find their accounts and remove all access with a single click. Far from being a one-size-fits-all-prospect, you can configure advanced actions for enhanced offboarding workflows, including transferring user data to managers or wiping all session tokens.

Using Lumos, organizations can configure their ideal offboarding process, and automate key steps like:

  • Initiating the offboarding process, based on triggers such as status changes, end dates, or custom API calls.
  • Revoking access to all company-managed systems, including email and internal applications.
  • Recovering data/assets through automated workflows for data transfer/management, as well as automatic delegation of manual tasks.
  • Managing software licenses, including tracking how apps are allocated and how access controls are updated during times of transition (or role changes).

What Is Always Required When an Employer Terminates an Employee?

A vast majority of states (all except Montana) are considered at-will employers, meaning either party—the employer or employee—can choose to terminate the employment relationship for virtually any reason (except an illegal one) without fear of repercussion. 

Despite the “at will” phrasing, the employer should still have a justifiable reason for terminating the employee, as a matter of decency. Outside of that, other requirements include receiving a final paycheck and being provided with the opportunity to purchase continuing health insurance coverage (such as COBRA). Depending on the circumstances, severance pay and/or unemployment compensation may also be on the table.

For a more in-depth understanding of the laws at play in your state, this Paycor article provides a good resource for reviewing specific termination requirements by state.

How Do You Legally Discharge an Employee?

Even if you’re in an “at-will” state, there are certain legal requirements for discharging an employee, largely based on whether they are being terminated for poor performance or what’s considered “without cause.”

How to Terminate an Employee for Poor Performance (With Cause)

The key to avoiding legal exposure when terminating an employee for poor performance is documenting performance issues so you can justify the termination. Employees should be given a chance to improve their performance, through coaching and/or a performance plan, as well. Finally, when discussing termination with the employee, keep the conversation tied strictly to their performance, to prevent them from feeling unfairly targeted.

How to Terminate an Employee Without Cause

A bit of a misnomer, terminating an employee “without cause” doesn’t exactly mean there isn’t a cause for letting them go—it just means that reason is tied to something other than the employee’s performance (or something similarly within their control). Instead, the company might be undergoing a reorganization, a restructuring, or simply downsizing, for example. Similar to the points described above, when terminating an employee “without cause” it’s just as important to be respectful, straightforward, and supportive.

How Can HR Help Employees Who Are Terminated?

During termination proceedings, HR generally serves as a neutral third party—but that doesn’t mean they can’t also be supportive throughout the process. HR’s specific role typically centers around keeping things professional, productive, and legal, and to help to promote clarity and understanding between the employer and employee. 

For example, this can include answering any questions the employee has about the reason for their termination and advocating for their rights. Ultimately, the biggest role HR plays in employee terminations is to keep discussions civil, professional, and respectful of all parties involved. And when HR conducts exit interviews, those conversations are meant to be learning experiences for both sides of the table.

Employee Offboarding (and More), Made Easy

Even within the longest-established and best-run companies, employee turnover is, unfortunately, an inevitable part of doing business. What doesn’t have to be inevitable, though, is for employee offboarding to be inefficient, disruptive, or fraught with security risks. Using a platform like Lumos can transform virtually any stage of the employee lifecycle from efficient and comprehensive onboarding through low-stress, automated offboarding. Learn more about how employee onboarding and offboarding processes can be improved with Lumos by booking a demo today.