
The Security Considerations of Joiners, Movers, and Leavers


With the dynamic give-and-take of the JML process introducing a complex web of potential risks and new vulnerabilities to your organisation, it’s not surprising that your IT department has security on their minds.

According to Verizon’s 2022 Data Breach Investigations Report, 82% of reported breaches involved a human element. But when it comes to the potential risk posed by people, it’s not limited to the likes of phishing or careless password use. Whether they’ve just joined, are transitioning roles, or are departing the business, improper management of the joiner/mover/leaver process (JML) can make unwitting security risks out of employees.

Ensuring a Strong Start for Joiners

Although every stage deserves the same attention to detail, the different components of the JML process each require their own considerations, matching risk minimisation with the ever-moving employee lifecycle.

For joiners, it’s essential that their induction includes training that brings them up to date with cyber security best practices, emphasising the importance of strong password management and safe data handling.

In particular, remote and hybrid workers require additional steps to ensure risks unique to their situation are minimised. These concerns can include leaving devices unattended in public places, or connecting to unsecured Wi-Fi networks while out and about.

Introducing new joiners to the team can also mean unknowingly introducing shadow IT to the organisation. This is because employees might carry over preferred applications, solutions, and ways of working from their previous organisation. As IT teams will know, shadow IT falls outside of their security purview, opening up a whole host of potential risks. Setting clear expectations and identifying shadow IT at play will be key to ensuring a smooth transition to their new working environment.

Securing Movers Throughout Their Career

As for movers – employees changing role within the business – the main area of concern is permissions. If left unchecked, each role change could contribute additional access rights to what they’ve already amassed. As a result, movers can end up with sprawling access, exposing data to unauthorised individuals. Ensuring doors are closed firmly behind movers as they traverse to new business areas is, therefore, crucial.

As we touch on later, seamless collaboration between the HR and IT teams allows access to be updated promptly, avoiding delays in getting employees what they need as they move role.

Closing the Door Behind Leavers

Despite all stages being important, arguably the most risk-heavy part of the JML process lies with leavers.

Although we never want to think of our employees as being capable of malicious actions, failing to revoke a leaver’s access can leave the door open to the misuse and leaking of sensitive company data. Lingering accounts also pose a risk in terms of password usage; if a leaver’s account is left active, and it happens to use a duplicated or unsecured password, third parties could potentially find easy access to the organisation.

Meanwhile, not completing the leaver process efficiently can lead to licences being assigned and used up by non-existent personnel, ultimately costing the business unnecessarily. That’s spend that could be reinvested in a number of valuable ways.

Securing the Entire JML Journey

We know there are vulnerabilities and things to consider at each stage of the JML process – but what can we do about them?

 

Automate the Process

By using automated identity management systems, businesses can ensure efficient resource access for new employees, accurate and protected adjustment of access control during role changes for movers, and timely revocation of access for departing leavers.

In particular, automated JML workflows help apply the necessary security policies consistently and, ultimately, minimise risk as employees move through the company. Automation also allows for quick and efficient responses to security threats, such as disabling accounts of leavers and detecting unauthorised access.

By reducing the window of vulnerability through automated processes, businesses can effectively manage the entire JML lifecycle whilst upholding strong and secure processes.
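The check an automated JML workflow runs can be sketched as a reconciliation between HR's roster and the identity directory, covering the mover and leaver risks described above. This is an added example, not code from this article or from any product; the roles, entitlement names, account IDs and record layout are all constructed assumptions.

```python
# Added example: reconcile an HR roster against directory accounts.
# All names, roles and entitlements below are constructed sample data.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "finance-share"},
    "sales-rep": {"crm", "sales-share"},
}
HR_FEED = [  # HR's record of who is employed and in which role
    {"id": "e100", "status": "active", "role": "sales-rep"},  # moved from finance
    {"id": "e101", "status": "active", "role": "finance-analyst"},
    {"id": "e102", "status": "left", "role": "sales-rep"},
]
DIRECTORY = [  # what the identity system currently grants
    {"id": "e100", "enabled": True, "licensed": True,
     "entitlements": {"crm", "sales-share", "erp-read", "finance-share"}},
    {"id": "e101", "enabled": True, "licensed": True,
     "entitlements": {"erp-read", "finance-share"}},
    {"id": "e102", "enabled": True, "licensed": True, "entitlements": {"crm"}},
    {"id": "e999", "enabled": True, "licensed": False, "entitlements": {"crm"}},
]

def reconcile(hr_feed, directory, baseline):
    """Return (account_id, finding, detail) tuples for JML access drift."""
    hr = {person["id"]: person for person in hr_feed}
    findings = []
    for acct in directory:
        person = hr.get(acct["id"])
        if person is None:
            # Account with no matching HR record at all.
            if acct["enabled"]:
                findings.append((acct["id"], "no-hr-record", ""))
        elif person["status"] == "left":
            # Leaver: account should be disabled and its licence released.
            if acct["enabled"]:
                findings.append((acct["id"], "leaver-still-enabled", ""))
            if acct["licensed"]:
                findings.append((acct["id"], "leaver-holds-licence", ""))
        else:
            # Mover or joiner: anything beyond the current role's baseline
            # is access carried over from a previous role or granted ad hoc.
            excess = acct["entitlements"] - baseline.get(person["role"], set())
            if excess:
                findings.append((acct["id"], "excess-entitlements",
                                 ",".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for finding in reconcile(HR_FEED, DIRECTORY, ROLE_BASELINE):
        print(*finding)
```

Run on a schedule against real exports, each finding becomes a ticket or an automatic action; a role missing from the baseline flags every entitlement on the account, which fails safe.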

 

Staying Compliant

Adhering to top-notch compliance standards plays a pivotal role in strengthening any business’s JML process, with a particular focus on effective access management.

By keeping up with the regularly updated industry regulations and internal policies, businesses ensure that access rights are carefully granted, modified, and revoked throughout the employee lifecycle.

Access management within a compliance framework enforces the principle of least privilege, ensuring that employees only have the permission necessary for their specific roles within the business. This not only safeguards sensitive data from unauthorised exposure, but also demonstrates commitment to maintaining data security.

Fostering IT/HR Collaboration

With the JML process being a shared responsibility of the IT and HR teams, it’s essential that they work together effectively to ensure seamless transitions along the JML process. Communication is key, with HR needing to inform the IT team as soon as there is a change in the employee structure. IT can then implement access controls, authentication methods and protocols based on HR’s input regarding personnel updates. Throw automation into the mix, and this synergy helps prevent unauthorised access, data breaches, and the mishandling of sensitive company information.

Increased Training

Ensuring well-thought-out training approaches fosters a security-focussed culture, enhances employee accountability, and contributes to an active approach to security across the whole JML process.

By providing extensive training to new and existing employees, the business can ensure that knowledge is up-to-date, and that employees have the skills needed to identify potential risks and mitigate them. The training should be comprehensive from day one, with frequent updates to ensure employees are aware of their responsibilities, the access they’re entitled to, and how they can contribute towards mitigating risks.

Meanwhile, training for role changes is an opportunity to brief an employee on their new responsibilities and any new security protocols they should be aware of. Similarly, exit training can educate departing and existing staff on their ongoing responsibility to protect company assets even after departure.

Securing the Journey

As people are at the centre of your business, managing their personal access and the risk they might pose at each stage of their journey through the business is crucial. By implementing a comprehensive, well-thought-out strategy that encompasses water-tight processes, continuous training, and automation, businesses can maintain defences and uphold the integrity of their data – without spending hours breathing down employees’ necks.

The strongest JML process begins with visibility. Get started securing your employees’ access with Surveil’s deep Microsoft analytics. Get in touch with our team or contact your Microsoft Partner to find out more.
