Linda Tucci’s story on SearchCIO.com today on disabling accounts after employee layoffs and the security risks “orphaned” accounts can pose if not properly closed out was a timely one, of course. I’m actually sort of surprised we’re not seeing more stories about disabling employee accounts, considering November saw the loss of 533,000 jobs in the United States, and December layoffs might be just as bad – or worse.
If I may try to add some levity to the situation, the “orphaned accounts” story (particularly the line about one person who was still on the payroll six months after being terminated) reminded me of the first minute from this infamous clip from the film “Office Space.”
Now, I don’t think anybody would question that there are risks associated with leaving employee accounts open following layoffs. When you’re laying off IT folks, it’s even riskier, according to Tucci’s story, since these individuals “usually have the keys to the kingdom” and could wreak absolute havoc. Hmmmm, reminds me of a little IT hack incident earlier this year in San Francisco you may have heard about.
Unfortunately, I think the points touched upon in Tucci’s story might strike a chord with a lot of the people who read this blog – I know they struck me, both on a personal and professional level. It seems unnecessary to immediately disable the accounts of 99% of laid-off employees who wouldn’t dream of downloading sensitive company information. They might have downloaded a picture of a grandkid on their work computer, or may have even been in mid-email when their access disappeared. Yes, their computers belong to the company, but shouldn’t these employees have an opportunity – even if it’s brief and monitored by current staff – to recover those items? I believe so.
Precluding former employees’ access to their contacts and working documents with little or no warning could be bad for the business, too, particularly if a company is laying off longtime employees who might have hundreds of contacts built up in Outlook, or have files that would be useful to others in their organization. If the employee is immediately locked out, then recovering and piecing through that business information is likely to be a lot more challenging for remaining co-workers.
And yet … I sure wouldn’t want to be the head of IT in a company that took a lackadaisical approach to disabling employee accounts after layoffs and was burned by one of the 1-percenters who caused problems in the system.
So for any of you with experience in layoffs: Have you gone with immediate system lockout, or ever considered a less drastic approach (for the reasons I cite above, or others)? Do desperate times call for Draconian measures, or is there room for a more personal touch?