Secure on- and offboarding with Microsoft 365

Security during onboarding

In an onboarding process, it is important that there are clearly established frameworks for what the new employee should do - something that is reflected in the permissions he or she should have in the various systems. The devices that the new employee is assigned should also be secured from the start and set up in such a way that it should not be possible to "make mistakes" - to save data on a local disk, for example. Something that can be ensured in Microsoft 365.

The new employee should also be given immediate access to and the opportunity to accept various IT policies. This is something you can ensure, in connection with the first login, through special settings in Microsoft 365. The user must therefore accept the policy in order to use the account. In addition, the moment when the new employee accepted the policy becomes traceable. The policy document can also be updated with an automatic request for the account user to accept the new conditions. All this ensures better behavior in relation to company data and that the new employee works correctly from the start.

Managing employees' personal data in accordance with the GDPR

Prior to employment, it is also important that the information about the new employee is handled securely, as it involves personal data and, in some cases, particularly sensitive personal data. With Microsoft 365, for example, the new employee can fill out a form with this information that ensures that only authorized people in each department have access to different data - some parts to IT, others to HR, and so on.

This is, of course, an important part of the work with GDPR compliance, but it is also a major streamlining as this way you do not have to handle several different forms for the new employee's tasks that may otherwise need to be established for each department to receive the right information. In the common form, you can also add checklists to ensure that all necessary preparations from each department are made before the employee starts. The form can also be set up so that the data that must be stored for a certain number of years cannot be deleted within that time frame - so-called legal retention. This further contributes to GDPR compliance.

Safety during offboarding

So what happens in an offboarding, when someone is leaving? From a security perspective, it is of course important that access to all the systems and files to which the employee has access and rights should be shut down at the same time. Therefore, in Microsoft 365 you can initiate a coherent offboarding process that then automatically triggers certain actions in the various parts of the business that are affected. Everything from notifications that the key card should be deactivated to clearing OneDrive and mailbox. Things that are otherwise often forgotten in the process because there are not enough clear processes for it.

Even the deletion of the employee's data during offboarding must be done correctly. Otherwise, there is a risk that in the event of a personal data request, you will have to search for and forward a very large amount of data. This requires time and resources, which can be costly depending on how much data is available. Of course, it is also important that important information that must be saved does not disappear in cases where someone leaves, and even on these occasions you can set up special data for legal preservation.

Sometimes people who are leaving are interested in taking business information from their current workplace to their next one - price lists, customer data, quotes, etc. Often this information is transferred from the company to a USB stick, private cloud storage account or email. But in Microsoft 365 this is traceable and you can also set alarms for activities associated with this type of file transfer. It is also possible to set up that a certain type of data, at least from a technical point of view, cannot leave the organization.

A lot of company data is handled via mobile devices and it can be important that these are not linked to private accounts so that the information cannot be leaked. Are the unit is linked to a business account you can take control of the device and wipe its data in case of offboarding or if it is lost or stolen. It is therefore important to protect the company's resources by being able to control permissions and get indications if something irregular is happening. From a GDPR perspective, this is also important because all personal data must be protected and traceable.

Think processes, not silos

It may seem backwards that on- and offboarding processes are based on IT rather than HR. But instead of working on the basis of which department does what, you should think in terms of processes. Information must be able to flow freely between departments in order for processes to be consistent. Working in our departments' respective silos creates long waiting times because we have to work on one thing at a time and not in parallel with each other. It also increases the risk of errors or missing something.

So, what is the dream scenario for your on- and offboarding processes? How do they happen in the most efficient and secure way and how can you automate them? The possibilities are there, but are you really embracing them?

At WeSafe, we can help you create consistent, efficient and secure on- and offboarding processes just by leveraging your existing licenses for Microsoft 365. Want to know how? Contact us here!