The end is in sight. You’ve decided to leave your job and have already handed in your notice. You’re finishing up some final projects and, before too long, will be saying one last goodbye to your coworkers.
Job (literally) done? Not quite. Before your last day, you need to decide what to do with all of your corporate accounts and devices.
Why it matters
You might be thinking: “Why do I need to do anything?” After all, if you leave and something goes wrong, it’s not like it’s your responsibility, right? Wrong. We all bear some responsibility when it comes to security, and figuring out the best, most secure action for all of your work-related hardware and passwords has its merits.
Taking the correct steps will help you maintain a good relationship with the company. Because who knows – you might want to work for them again someday.
It will protect your former employer from data breaches. The average cost of a data breach rose to $4.24 million in 2021, according to IBM’s annual Cost of a Data Breach Report.
Your former co-workers will appreciate it. Wiping your devices and securely transferring important accounts will make their lives just a little bit easier.
You won’t accidentally take corporate data to a new employer. Taking secrets of any kind to another company can land you in all sorts of trouble.
It will give you some peace of mind. You can move on knowing that you’ve done everything possible to keep criminals out of your old work devices and accounts.
Now, let’s dig into what you should be doing before your last day.
Check your employer’s policies
Leaving a job in a secure manner should be a joint effort between you and your soon-to-be-former employer. For example, your company should have a plan in place for all departing team members. The process might be documented in an employee handbook, a Google Doc, or a platform like Notion or Confluence, which give companies an easier way to organize and share important knowledge with team members.
Some companies will also send instructions via email after you’ve submitted your notice of resignation. If you can’t find anything in your inbox, check that it wasn’t sorted into a spam or junk folder by mistake.
Found some instructions? Then follow them to the best of your ability, and reach out to your manager or IT department if you have any questions. Remember: the process should be a partnership, not something that you do entirely on your own.
If you can’t find any written guidance, talk to someone at your company and explain the situation. You should then draw up a plan together that looks something like this:
Tackle your accounts
The first step is to deal with your work-related accounts and credentials. The process will vary depending on whether your company uses:
- A single sign-on (SSO) service like Okta, JumpCloud or Rippling
- A password manager like 1Password
- A combination of the two
Let’s start with these three options, then cover what to do if your company uses neither.
If your company uses SSO and/or a password manager
The first step is to get a complete overview of your accounts. You can do this by logging in to your SSO dashboard, or by opening up your company password manager. If you have both, work through the accounts covered by your SSO provider first, then the credentials stored in your password manager. For each account, you’ll want to take one of three actions. Before you commit to one, run it past your manager or an IT specialist at your company, so they’re aware and can confirm it won’t break any policies.
1) Transfer the account to a coworker. You might be the only person who knows the password to your company’s Facebook page. Or have a license for an application that someone else might find useful.
The easiest and most secure way to transfer an account is via an enterprise password manager. 1Password offers vaults, for instance, that work like shareable folders – all you need to do is move the associated password into a vault that your colleague has access to.
2) Close the account. If your company uses SSO, you might be able to do this from your personal dashboard – otherwise you’ll need to ask your IT administrator for help.
Before pressing delete, check if the account contains any files or projects that should be passed on to one of your co-workers. For example, if you use Google Docs, look through your private documents and share the ones that other people might find useful. It will be easier and more convenient than trying to give multiple people access to your Google Workspace account.
If you can’t close your work-related accounts, ensure they’re protected by strong, unique passwords and, where possible, two-factor authentication (2FA). Then sign out of them on every device that you own. Taking these steps will make it harder for cybercriminals to break into your old work accounts and access confidential information.
3) Hold on to accounts that are okay to use in a personal capacity. You might have one or two accounts that are tied to your job, but are safe to use long after you’ve left. A web-based portal that lets you download old payslips, for example. Or a lifetime subscription to an app like Calm, Headspace, or Duolingo.
Ask your employer if you’re unsure what’s safe to hold onto. They’ll appreciate your honesty and stop you from making a decision that could cause problems later on.
If your company uses a password manager like 1Password, you should also sift through everything else that you’ve saved – like credit card numbers and important documents – and decide what to move, delete, and make a copy of.
If your company doesn’t use SSO or a password manager
Don’t use SSO or a password manager at work? Then you’ll need to rack your brain and draw up a list of accounts the old-fashioned way. (If you’re struggling with this, imagine a typical day at work and note down all of the apps and services you would use before clocking off.)
Once you have a full list, go through it and decide what to do with each account. Your options are the same as the ones you would have if your company used SSO and/or a password manager: transfer the account to a coworker, close the account down, and hold on to the account provided it’s safe and appropriate to do so.
Without a password manager, you’ll need to find another way to safely transfer account credentials to someone else. Talk to your manager, or someone from the IT department, and come up with a solution together that will be both secure and convenient for everyone involved.
Work-related hardware can be split into two categories: company-issued devices, and anything that you’ve supplied yourself – an increasingly common policy that businesses refer to as Bring Your Own Device (BYOD).
If your company has provided you with a PC, laptop, phone, or tablet, you should try to return it.
First, check whether the device has any personal files that you want to keep. These could include a copy of your resume, or a headshot photo that was taken in the office. Just be careful not to transfer, share, or make a copy of any business-related data – because in many, many cases you’ll be breaking the law. If you’re not sure what’s okay to keep, stop and ask your company for guidance. Because as the age-old saying goes, it’s better to be safe than sorry.
If your employer says it’s okay to wipe the device, follow the relevant guide to wipe or factory reset it.
If you don’t have permission to wipe your device, ask your employer if it’s okay to manually delete your work-related files and software. You should also consider whether any of this data should be copied and shared with a co-worker before it’s removed from your own work device.
Finally, return any keycards and key fobs that you used to enter company-owned facilities. If you can’t give them back, dispose of them as securely as possible. For example, you should cut up your keycards before throwing them into the trash can, just like you would for an expired credit card.
Personal devices (BYOD)
If you’ve been using your own laptop or phone at work, it likely has a mixture of personal and business-related files. Go through your local storage and decide what, if any, data should be transferred to a colleague before your last day. Then do your best to remove any apps and project files that are related to your current job.
You could wipe your device, but for most people this just isn’t practical. If you’re sensible and go through your files in a slow and systematic fashion, you’ll be able to find and erase any work-related content that you shouldn’t retain ownership over after leaving.
Share your contact details
You’re now in good shape. But before you leave, make sure that you leave some contact details with your soon-to-be-former employer. It’s helpful for an IT admin should they have a security-related question or find an account that requires you to take action.
Similarly, you should have a point of contact at the company. Why? We’re all human and occasionally make mistakes. You might forget about an account that needs to be revoked by an IT admin. Or suddenly remember about a USB stick that you left in an office meeting room. If you have a point of contact, you can quickly notify them and fix the problem before a cybercriminal is able to find and exploit it.
Enjoy your last few days
Closing accounts and erasing devices might not sound like a fun way to spend your last few days at work, but trust us, it’s worth it.
Follow this process and your soon-to-be-former employer will be incredibly grateful. It’ll minimize the possibility of a costly and embarrassing breach, and make life just a little bit easier for everyone you used to work with. It’s not just a nice thing to do, it’s the right thing to do.
In addition, it’ll help you leave your job with some well-earned peace of mind. You’ll move on to the next chapter of your life with a clear head, knowing that you’ve followed best practices to secure your old work-related accounts and devices. That, in turn, will give you the best possible start for whatever you’re planning to do next.