
How to Fire a Key Employee

Companies that must terminate a key IT employee face challenges not present during other types of firings because those workers control access to critical data. Managers must know how to end the working relationship while minimizing the potential for the departing employee to take retaliatory action against the company’s critical systems and information.

To prepare for and conduct the termination of a key IT employee, companies should follow a five-step process. Managers should first analyze the employee’s access and motives. Then they should develop a mitigation plan, conduct the termination, and deal with the aftermath.

Before elaborating on the five steps, let’s look at one example. A small biotech company in the Midwest had one employee who was in charge of administering its IT network, phone system, and Web site. The employee, whom we will call Jack, was verbally aggressive to coworkers and executive staff. His work performance declined over the course of his employment, and he did not respond to counseling efforts.

During one meeting he threatened that the company could not fire him because he “held the keys to the kingdom” and could bring the entire computer network down. Management also suspected that Jack was reading all the e-mails to and from executive staff, making disciplinary measures difficult.

When the decision was made to terminate Jack, the managers brought in an outside security consulting firm to assist in the process. The consultant followed a multistep termination process to help the company prepare for the termination of the employee. The multistep process was handled in secrecy.

One complicating factor was concern that the information about the consultant’s activities would get back to Jack. Another complicating factor was that no one other than Jack had administrator access passwords or a thorough knowledge of the IT system. In addition, Jack had established himself as the only representative authorized to speak with Web site and e-mail hosting vendors. Working around these issues, the consultant tried to ensure that the company would be protected from anything Jack may have planned to harm the company in the event of his being fired.

The evidence revealed that the careful planning was justified. The consultant found that Jack had created three back door remote access points; they were identified and removed. Still, within hours of his termination, the network came under attack. Numerous intrusion attempts were identified and thwarted. Thanks to the preparations, however, the company was unaffected.

Access Analysis

The first of the five steps toward preparing to terminate a key IT employee is access analysis. Through this process, the company determines how the employee gains physical and electronic access to the work environment—such as through access cards, keys, ID cards, or safe combinations. Also critical are the security controls, such as audits, that are in place to document this access. Another issue is who has the ability to change or remove these controls.

As was the case with Jack, it’s also important to determine whether the employee is a point of contact or an administrator for certain systems, accounts, and vendors. If so, the company must ascertain how the employee accesses these systems—via office phone, cell phone, or e-mail—and whether the employee does so outside of work.

Based on the answers to these questions, managers can implement a plan to eliminate or deny access before the employee is terminated. The company should find (or fabricate) a plausible reason to temporarily deny the employee access to the computer network just prior to the termination to minimize the potential for harm and to allow more time for any booby traps or back doors already embedded in the network to be discovered and disabled.

During this analysis, the company should determine what opportunities are present for the employee to harm the business, such as by disclosing private information about employees, financial records, marketing strategies, R&D programs, litigation strategies, intellectual property, or pricing strategies. Efforts can be made to determine whether that employee has been accessing, copying, e-mailing, or altering those types of electronic files prior to the termination.

Motive Analysis

Once the employee’s access is determined, the next step is to consider whether the employee may have had any motive to harm the business before he or she was terminated. At a minimum, the employee’s personnel file should be reviewed to uncover any prior conflicts with coworkers or executives. Managers should also determine whether the employee has a criminal record or a history of domestic violence, or has made any threats.

Managers can look for other indicators that might signal that the employee plans to harm the company. For instance, has the employee indicated that he or she is seeking other employment or plans to go to work for a competitor? If the employee has signed a confidentiality agreement or a noncompete agreement, copies should be on hand so that the employee can be reminded of these legal obligations at the exit interview or termination meeting.


Mitigation

Now that the specific exposures have been identified, the company can take steps to mitigate them. During this part of the process, managers decide how to cut off the employee’s access to resources and determine whether it will be necessary to take down the network.

At this stage, the company determines whether additional security is needed on site, how to ensure the confidentiality of the information on corporate networks, and whether corporate communications are secure. For example, if the employee is responsible for backing up the network data, managers should find the backup data tapes and make sure the company has control of a complete set before the termination.

The company should retrieve any company property in the employee’s possession or in his or her office, such as laptop computers and PDAs, at the time of the termination, if not before. For example, as soon as Jack arrived at his office on the day that he was to be terminated, executives called him into a meeting before he could even take his laptop out of its case. After notifying him that he was terminated, the company took all company property from him, including his keys, access card, company ID, PDA, and cell phone.

There should also be a plan for recovering company property from the employee’s home. In Jack’s case, all of the company property was found in his office or was turned over by him after he was terminated. In other cases, however, corporate security personnel may need to go with the terminated employee to his or her residence immediately after the termination to recover corporate property.

As a way of encouraging the employee to cooperate, the human resources contact can arrange to have someone deliver the employee’s personal property and final paycheck to his or her residence; while there, the staff person can ask to retrieve the company property.

Ultimately, however, if an employee refuses to return key property, including hard drives or intellectual property, the company has limited leverage; management cannot withhold the cost of company property from an employee’s paycheck unless they have a signed agreement from the employee. It may be necessary to pursue legal action.

This is also the point at which companies should negotiate with third-party vendors. It may be difficult to terminate an employee’s access to systems operated by third parties without the cooperation of those vendors.

To get vendor buy-in, it may be necessary for senior management to obtain a resolution from the company’s board of directors. In Jack’s case, the president of the company wrote a letter informing the vendor that Jack was no longer authorized to represent the company.


Termination

With mitigation plans in place, the next step is for managers to develop a coordinated plan for the termination itself. The plan should identify each step and the people who will be involved in conducting the termination. The location and timing of the termination, how the employee is terminated and by whom, and the employee’s departure from the facility are critical issues.

Consideration should be given to hiring outside security for certain tasks related to the termination. For example, the homes and family members of key executives or employees may need to be protected if the individual is prone to violence.

Other general considerations include who should be assigned to clean out the subject’s office and who will be the subject’s point of contact after the termination. These decisions should be made in advance and should be clearly communicated to everyone involved.

This is also the time to consider IT-specific issues. Managers should assign an employee to collect keys, access cards, and company IDs. Steps should be taken to change administrative passwords and limit the employee’s remote access to the network.

The company must carefully consider where the termination will occur. It should be conducted with privacy and safety in mind and should never take place in the employee’s office.

Managers should consider a room far enough away from the employee’s work area that coworkers will not witness comings and goings. An off-site termination is a good idea if the employee has a history of violence. Other circumstances where an off-site termination is recommended might be when the termination could affect business operations or if the terminated employee is likely to be disruptive, loud, or offensive to other employees.

During the termination, security should be nearby but not in the room, unless the employee has shown signs of extreme aggression. Two managers should be in the room when the termination takes place. One of these managers should do most of the talking, while the other remains quiet and takes detailed notes. These notes should include any hostile or threatening comments.

Managers must not let the termination process drag on. To ensure that it goes smoothly and quickly, everyone who will be involved should know the plan and the timing of their role in advance. Timing is critical because revoking certain privileges, such as e-mail, too soon could tip off the employee to the impending termination. As soon as the employee is called in to be terminated, the plan should be implemented in the order discussed.

Once the employee is terminated, he or she should not be allowed to return to the work area. This policy prevents any potential last-minute sabotage or any outbursts, which could be disruptive to the remaining work force.

Making sure that the employee has his or her personal items is also important. Managers can take one of two approaches. In the first option, someone is instructed to gather the terminated employee’s critical personal items—keys, a coat, or purse—and the employee is told that the rest of the items will be boxed up and made available the following day. Alternatively, the terminated employee can wait in the room where the termination took place while someone packs up and delivers the items.

The final step in the process is to have the employee sign a termination letter stating that he or she is no longer authorized to come to the facility, access any part of the computer network, or contact any third-party vendors on behalf of the company.


Aftermath

It’s advisable to segregate any computer or device used by the former employee. An exact copy of the individual’s data on any of these devices should be made and retained as it may become necessary to refer to it as evidence of wrongdoing or to defend the company against charges if litigation is initiated in the future. Once copies are made, managers can have the data erased and return the devices to normal use.

Managers should conduct a post-termination assessment, which should include the identification of any improper or inadequate IT security controls. Any deficiencies should be addressed. A full audit of internal IT controls and processes is also advisable.

Firing any employee has its risks, but the termination of key IT personnel requires special attention. By following these careful termination steps, companies can minimize the potential for harm.

John J. Sancenito is president of INA, an investigative and security consulting firm that specializes in workplace violence, computer forensics, business intelligence, and disaster preparedness.