Minimizing Employee Offboarding Risks

You’ve reached an archived Flexera blog post that may be out of date. Please visit the blog homepage for the most current posts.

Employee Retention is a big deal, perhaps now more than ever. Not just the re-training and the loss of long-term IP, but as anyone who’s had a rockstar developer or sales executive (or content marketing maven) has known for a while, employees  offboarding is a real risk!

Previously, we’ve discussed Security and Phantom ITand procedures for establishing SaaS policies, so now we’re going to talk about an example where those concepts come together in the real-world –  why you must have an adequate employee offboarding procedure.

We can’t afford to let the double whammy of losing institutional knowledge and investing in new onboarding costs turn into a triple exacta with actual IP leaks to competitive or even “partner-like” companies – especially given the comparative ease of data transfer via API. And with the loss of direct access to that employee’s knowledge, it’s in your best interest to know where all the work that they have done for the company resides, and how to get at it.

So let’s discuss some of the risks associated employee offboarding in the age of cloud computing, and then a few policies you can bring on board to better secure your enterprise.

Employee Offboarding Risks

Superusers – Thankfully, the risks associated with superuser accounts has diminished quite a bit this decade (in no small part thanks to the cloud), but still there is a lot to be learned from what they were, why they existed, and the risks they create.

Superusers were, historically, system level administrators who had, literally, the keys to the server and all the software and databases and processes therein. This was a necessary central function because often you couldn’t tell what exactly had broken, and most of the time it had less to do with how one part of the system was behaving than with how multiple parts of the system were communicating with one another. And things broke all the time. ALL THE TIME.

But now, technology has been more streamlined, communications between services is more standardized and, aside from the typo that brought down amazon S3 last week, we don’t see as much catastrophe.

But within any smaller domain you might still have superusers of a sort – the digital marketing manager likely has admin level access to most of the marketing automation, blogging, digital asset management, website and even the bots on your site. And this is a good thing – they know what each piece does and they know what is at risk when he makes changes. There is likely someone in the finance area with the same level of access to the ERP, and definitely a few CRM admins in sales. But if the bus hits, what are those passwords, and how do you recover access?

Specialists – Folks who are mid to senior in the organization likely have built a few legacy methods around their career, and are resistant to change. I recall one company moved everything over to google – email, calendar, docs – and it was glorious. But then a few execs made them re-install outlook so they could use it for calendaring. This also applies to folks from an academic background who may be used to one specialized platform over another.

Your goal should not be to force these very key members of the company into doing things your way, but to be aware of the “extra-sanctioned” tools that may come along with specialists, and document access and recovery.

Everybody Else – I, of course am a model employee who prefers to use the tools provided, and never wants access to parts of the system I don’t understand. Nevertheless, there may be valuable information locked away from the company’s access through no maliciousness. For example – I make a lot of trello boards to experiment and get thoughts in a row for new processes or endeavors. If I deem the board useful I then share it with the team. But if I were suddenly not there anymore, how could they access the value of those iterations?

Best Practices for Reducing Employee Churn

The best thing you can do is to reduce your companies churn. One thing we know doesn’t work is “the floggings will continue until morale improves.”

Often times “job security, positive job environment, professional growth” are cited as the important drivers in job satisfaction. I prefer to think of it a little more humanly – good relationship with the boss, good relationship with co-workers, and a sense of mission. That’s more important to me than money.

So if someone measures as a net loss risk, find another leadership structure for them, or put them in a more compatible group, or make sure their projects are important AND interesting.

Second institute a company SaaS policy that includes a higher sense of awareness towards mission critical systems and IP, including

  • Documentation of privileged credentials, with appropriate forced periodic high security password changes
  • Segregation of privileged passwords to reduce multiple system breach
  • A process for quickly updating all credentials in the in the instance of a breach

Third, talk, and listen, to your employees. In this age of switching careers, and the rapid automation of workplace, people’s BS meters are very sensitive. You can’t just say “throw your hands in the air and wave them like you just don’t care” and expect that everyone who waved is on-board. They want to be team players, probably, and their goals may sync-up with your goals, but that doesn’t mean they’re not open to something better.


The availability and use of dozens of SaaS or Cloud systems by employees in your organization demands that you properly identify and catalog all apps that are in use, not just the official ones, so that you can properly mediate employee offboarding risks.

Are you able to manage the cost and security risks associated with your SaaS applications?

Download the Essential SaaS Management Toolkit to learn about SaaS usage trends, understand the importance of SaaS management tools and discover how to take control of your SaaS applications.