
They’re fired, but what about their passwords?

It can be difficult to fire or part ways with an employee. You’re losing a valuable asset if they’re leaving voluntarily, but someone being fired can leave you in the lurch. You have the task of launching a disciplinary process and then holding a meeting at the time of termination. But there are other things to think about, primarily security and the ex-employee’s access to company data.

It’s important to have a process in place so that whenever a termination or parting of ways occurs, nothing slips through the cracks regarding your business’ security. Here are some considerations regarding passwords and voluntary or involuntary termination.

When an employee is let go, immediately change all the passwords for anything the employee had access to. You should have a few days to make a plan and define the process for cancelling access. Don’t make the security changes before your final meeting and dismissal. Instead, plan ahead and assign someone to disable their passwords while you are having the termination meeting. Before the meeting, be sure you have a list of all access cards, keys, etc. prepared so they can be cancelled before the employee leaves the building.

If your company has, let’s say, a Twitter account, you don’t want the ex-employee tweeting through it, so be prepared to change all social media passwords. We mention this because companies and organizations often either forget about these kinds of access or hesitate to change passwords because of the hassle of getting everyone access again. Trust us. The effort is worth it!

The possibility of having to lock out an employee may make you consider measures you have avoided so far. Consider a shared Wi-Fi password. Do you really want to change it for everyone, or is it time to use a managed router and individual authentication?

If someone voluntarily leaves your employment, you hopefully have 2 weeks or so to implement a plan similar to the one above. Use your best judgement as to whether the soon-to-be ex-employee will be up to no good during their final days. That is something you can only judge on an individual basis.

Make sure you have a solid data backup and continuity strategy in place. You may need to compare data after the employee is gone to see if any sensitive data was moved or deleted.

We always recommend that you force a password change for immediately surrounding co-workers and consider a company-wide reset. You may be unaware of shared passwords. Even though employees are not supposed to use each other’s passwords, it may be going on anyway.

Lastly, you should consider pushing a remote wipe to the terminated employee’s BYOD devices from your Exchange server. This should remove only company data and reboot the phone to prevent access. Be aware that you might end up wiping all data from the phone, so you might openly ask them to delete company data on the device while they’re with you in the office. It will make things easier for them in the long run.

If you have questions on how to deal with departing employees, give us a call at 309-444-7263. TimbukTech can help you develop an employee termination procedure.


Let’s talk password basics

Worry about your security all you want, keep locks on your data center, and have the recommended level of network security in place, but it will all mean nothing if your employees are sloppy with their passwords!

According to compliance management vendor Trustwave’s 2012 Global Security Report, which is based on data from real-world investigations, the most common password used by global businesses is “Password1”! This is an unbelievable statistic, and it shows that many administrators don’t understand how to make password-based access policies more robust.

Here are some basic practices that you should require your employees to follow. System administrators should implement other policies, such as forbidding the reuse of previous passwords and locking accounts after a few failed attempts to log in. But let’s take it a step further with these tips.

  • We recommend that companies change out all passwords every 30 to 90 days.
  • Each password should include a mix of upper and lowercase letters, a number, and a symbol.
  • Teach employees NOT to use standard dictionary words (in any language).
  • Don’t use personal data that can be known, or could be stolen: addresses, telephone numbers, SSN, etc.
  • A longer password is a more robust one.
  • Emphasize that employees should not access anything using another employee’s login.
  • Employees shouldn’t use variations of the same password, such as changing the number or special character. Hackers know this is a common practice and use this knowledge to guess passwords more easily.

These are just a few basic password tips, but they can make a big difference in keeping your business’s sensitive data safe.
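
The tips above can be enforced at password-change time. The following Python check is an added example, not TimbukTech's code; the sample word list, the 12-character minimum and the function names are assumptions made for illustration. It shows why “Password1” and its dressed-up variants fail even when they satisfy the character-mix rule.

```python
import re

# Constructed sample list; a real deployment would load a full dictionary
# and a breached-password list instead (assumption).
SAMPLE_WORDS = {"password", "welcome", "dragon", "summer", "monkey"}
MIN_LENGTH = 12  # assumed threshold; the tips only say longer is better
# Common character substitutions, undone before the dictionary check.
LEET = str.maketrans("0134578@$!", "oieastbasi")
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def base_form(password):
    """Lowercase, strip leading/trailing non-letters, undo substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def check_password(new, current=None, personal=()):
    """Return the rules from the tips that `new` breaks (empty list = OK).

    `current` is the password the user just typed to authorize the change,
    so old passwords never need to be stored in plaintext.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if not all(re.search(c, new) for c in CLASSES):
        problems.append("missing character class")
    base = base_form(new)
    if base in SAMPLE_WORDS:
        problems.append("dictionary word")
    new_digits = re.sub(r"\D", "", new)
    for item in personal:  # addresses, phone numbers, names, ...
        item_digits = re.sub(r"\D", "", item)
        if (item and item.lower() in new.lower()) or (
            len(item_digits) >= 4 and item_digits in new_digits
        ):
            problems.append("contains personal data")
            break
    if current is not None and base and base == base_form(current):
        problems.append("variation of current password")
    return problems


if __name__ == "__main__":
    # Constructed inputs: "Password1" is the example from the text.
    print(check_password("Password1"))
    print(check_password("P@ssw0rd2012!"))
    print(check_password("Harbor-Vessel-30#", current="Harbor-Vessel-29!"))
```
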