With the new year approaching you may see employees leaving to new pastures, and when someone leaves your firm, the biggest risk isn’t what they carry out of the office in their bag — it’s what they might still have access to digitally. For financial advisers handling sensitive client data, a single forgotten login, shared password, or copied file can open the door to a serious data breach and regulatory consequences.
Good offboarding starts long before an employee’s last day. Building strong access controls, clear ownership policies, and good data habits across your business helps prevent problems before they happen.
Before employees leave a business
When employees resign, their access to data and systems should end too. Having a well-documented leaver process will reduce this risk.
Here’s what you should do when an employee leaves:
Revoke access immediately
- Disable accounts, including your CRM, email, cloud storage, and any financial platforms.
- N.B. Maintaining a list of all systems in your business with user permissions, reviewed by department owners regularly, will greatly aid the offboarding process.
- Notify any other teams that may need to remove access to systems they own.
- Reassign email addresses or set forwarding rules for a limited time.
Retrieve and secure company assets
- Collect laptops, phones, USBs, access cards etc.
- N.B. Maintaining an asset inventory with clear ownership will enable you to quickly identify what assets need returning.
- For remote staff, arrange courier returns or perform remote wipes.
- Check for synced folders with business data on personal cloud accounts.
Change shared credentials and access codes
- Update any shared logins, passwords, alarm codes, or PINs.
- N.B. Using a password manager to share credentials means you have a quick and easy way to communicate updated passwords securely once someone leaves the business.
- Set up alerts to flag suspicious actions like bulk downloads or external sharing.
Building good security habits
The policies and technical controls you apply while staff are still employed help prevent data loss and misuse.
- Clear Information Security Policies remove ambiguity about staff roles and responsibilities.
- Initial Security awareness training should take place to ensure understanding of your security controls and should continue annually.
- Only grant staff access to the data and systems they truly need and remember to review this access when employees change roles.
- Regularly reviews system access so you can you spot abnormalities.
- Enabling Data Loss Prevention (DLP) tools on email and cloud storage will help block sensitive data leaving the firm.
- Restrict or block the use of USBs and external hard drives to prevent data being copied.
- Block file-sharing or storage sites your firm doesn’t use (sites like Google Drive or Dropbox) to preventing staff copying data to them.
- Prevent confidential internal files or client records from being shared externally unless authorised by IT or compliance.
Information security policies
Clear policies remove ambiguity about who owns data and what staff can do with it.
- Information Ownership: Make it explicit that all company-created information — client data, templates, reports, and communications — belongs to the firm, even if created while working remotely or after hours.
- Device Usage: Clarify what data can and cannot be stored on company versus personal devices. Business data should never live on personal laptops or phones without approval.
- Data Classification: Implement a classification policy so staff understand how to handle information. Labels like Confidential – Internal Use Only or Client Information – Do Not Share Externally make handling expectations clear.
- Data Handling Policy: Provide simple reference guidance explaining how to store, share, or dispose of data securely.
Culture and awareness
Technology can only do so much, so awareness is key. Building a positive culture around security ensures every employee understands the value of client data, the risks of mishandling it and the part they play in keeping this data secure. With a little awareness, staff can recognise potential risks, follow best practice, and leave without taking your data with them.
Key takeaway
By combining a good security culture, a solid offboarding processes and technology that helps monitor your client’s data, your firm can ensure your business stays safe, even when people walk out the door. Don’t wait, be proactive and keep your business secure.
Take the CPD-accredited 'preventing employees from leaving with more than personal items' test here.
Test your understanding with these multiple-choice questions and receive a CPD certificate worth 30 minutes of CPD.
Never miss an update
The cyber landscape is constantly evolving, staying informed and proactive can help businesses mitigate risks.
Sign up to our fortnightly 'Adviser Insight' newsletter for expert insights - use the 'Sign up' button on the left-hand side to receive our updates.
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.
