Off-Boarding Users

Introduction

On-boarding new employees into your IT system is (or should be) easy and routine for all types of companies. Your IT department or individual manager follows the checklist, and your employee logs in and gets to work.

Departures are more difficult, especially for small businesses. Apart from disabling access to your systems, you must decide what to do with the former employee's e-mail address and all of his or her data.

This has become more complex than in the past, as so many small businesses don't have servers under their own control anymore, and instead subscribe to pay-as-you-go online service providers, where so much company data is tied to individual user licenses.

Read on to learn more about what you as a business manager should consider in managing employee off-boarding.

Executive Summary

  • Important company data—such as e-mail threads, document files, and contacts—are likely distributed throughout or tied to your employees' e-mail accounts, not easily accessible from a central location.
  • Failure to off-board your employees properly can cause problems such as loss of this information, a departed employee retaining access to company resources, your company paying unnecessary monthly fees to store data that should be archived or deleted, and/or unexpected error messages when sending and receiving e-mail.
  • Off-boarding starts before the decision to terminate, with proper management of your IT system by a knowledgeable IT service provider. Your IT service provider should be the one that performs off-boarding from your company IT systems when employees are terminated.
  • Off-boarding plans should include a data retention policy, established and maintained by your company's management, but best developed and implemented with help from your IT service provider.

Off-Boarding In Depth

Initial Considerations

The first item of concern when off-boarding an employee is pulling up a list of all accounts he or she might have in your systems and shutting off access. Specifically, we're going to discuss e-mail accounts in this article. E-mail is the major account everyone will have, and most every e-mail account will impact your operations when shut down.

Definitions

You're no doubt familiar with e-mail and the below definitions, but we'll present them here for clarity.

E-mail address

An identifier in the form of user@domain-name that specifies the sender or receiver of an e-mail message.

Mailbox

A database containing the messages and attachments sent and received by an employee (user). It's what the user accesses when opening an e-mail application (such as Outlook), or when logging in to your e-mail system via a web browser. Folders a user might create to organize saved messages are all contained within the mailbox. Mailbox data is usually stored on your e-mail system servers, with recent messages also stored on the computers or mobile devices the user has logged in from. A mailbox usually also stores the user's contacts and calendar.

E-mail account

The combination of an e-mail address and mailbox assigned to a user, or for a special purpose.

A mailbox can have multiple e-mail addresses assigned. Additional addresses on a mailbox are called aliases. For a mailbox with more than one address, messages sent to any of those addresses will be delivered to that mailbox.

Also, your company likely has e-mail addresses that are not tied to a mailbox. These include distribution lists. An e-mail sent to a distribution list address will appear in the inbox of all members of the distribution list.

E-Mail Accounts and Files

Here are some major considerations about e-mail accounts. In a small business with a handful of users, and even up to several dozen, most employees' mailboxes represent a database and an actions log tied closely with the company's operations. Details of business deals and contracts are found only within e-mail threads; the user has important contacts; recurring meetings might be shared from that user's calendar (typically integrated into the user's mailbox in modern systems). And in all e-mail systems, there is no easy way for the data in your users' mailboxes to be shared with the company, compared to how simply documents in shared file systems can be accessed by multiple people. Users sharing their primary mailboxes with each other is possible, but would be quite unconventional and difficult to manage.

Speaking of documents, most small businesses use one or more of the shared file systems just mentioned. While sharing files is relatively easy in the system you likely use, each file is likely tied in some way to a user's e-mail account. Deactivating e-mail while off-boarding a user may block access by others to dozens or thousands of documents, spreadsheets, and presentation files, or remove the files themselves.

Given this, except for employees who do auxiliary or menial jobs and use e-mail only for meeting reminders or casual conversations, it's not often you'll be able to just delete an e-mail account when someone leaves, and be done with it. And when you do need to keep addresses or mailboxes, not handling off-boarding correctly at both the administrative and technical levels can lead to the departed user retaining unauthorized access, data becoming inaccessible or even inadvertently and permanently deleted, and/or missed communications.

E-mail Address and Mailbox Disposition

When off-boarding a user, you need to decide the following in relation to his or her e-mail account:

  1. Whether you want inbound messages that people send to your former employee to:
    1. Bounce with a system message (such as "user does not exist");
    2. Get forwarded to another employee; and/or
    3. Auto-reply with a message advising that the employee isn't there anymore, with additional contact information for the sender to get back in touch.
  2. What to do with any e-mail aliases assigned to this user. For example, if messages to contact@your-company.com went to the departed employee's inbox, it should be reassigned to someone else.

There are multiple ways to forward inbound messages (item 1.2 above). What you choose will depend on the volume and type of e-mails you expect to receive, and the job role of the person you want to forward them to. To describe the two common options, we'll call the departed employee George, while the one to receive inbound messages is Henry. You may choose either to:

  1. Set up basic forwarding, where messages to George will appear in Henry's regular inbox, mixed with e-mails addressed to Henry. With this, Henry can reply to new messages intended for George. But Henry cannot see anything else in George's mailbox, such as messages or attachments George received or sent before termination, or George's contacts and calendar. George's mailbox may be retained in the system, even though no one logs into it or sees it, until such time as the messages and other information in the mailbox can be archived or deleted depending on your security policy or operations requirements.
  2. Delegate George's mailbox to Henry. This is chosen where Henry needs to follow up on past conversations or other issues where the information needed is in e-mails to and from George. When this is set up, Henry can see George's entire inbox, sent items, other folders, contacts, and calendar. Depending on the system capabilities and how you choose to configure it, Henry could also send an e-mail that appears to come from George.

Here is a graphical example of each:

E-mail forwarding example

E-mail delegation example

In more complex setups, you might have to consider additional issues, such as:

  1. Whether that employee logged on to other mailboxes with a separate password. If so, decide what to do with the mailbox (shut it down, assign another employee to log into it, etc.).
  2. If other former employees' e-mail accounts were forwarded or delegated to the employee you're about to off-board, you'll want to decide whether to forward those to someone else or shut them down.

Additionally, make sure disused e-mail addresses are removed from any distribution lists. If not, people sending messages to the list address might get confusing system messages stating there was an error.
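
The checks described in this section can be run as one pass over an export of your e-mail directory. The following is an added example, not part of the original article and not tied to any provider's API; the export layout, field names, and addresses are all constructed for illustration.

```python
# Constructed directory export; every address and field name here is hypothetical.
DIRECTORY = {
    "mailboxes": {
        "george@example.com": {"aliases": ["contact@example.com"]},
        "henry@example.com": {},
        # Former employees whose mail was pointed at George when they left:
        "irene@example.com": {"forward_to": "george@example.com"},
        "jack@example.com": {"delegates": ["george@example.com"]},
        # Mailbox that staff log in to with its own separate password:
        "billing@example.com": {"password_users": ["george@example.com",
                                                   "henry@example.com"]},
    },
    "distribution_lists": {
        "sales@example.com": ["george@example.com", "henry@example.com"],
        "all@example.com": ["henry@example.com"],
    },
}

def offboarding_worklist(directory, departing):
    """List everything that needs a decision before `departing` is shut off."""
    boxes = directory["mailboxes"]
    if departing not in boxes:
        raise KeyError(f"no mailbox found for {departing}")
    work = {
        # Aliases on the departing user's mailbox need a new owner.
        "aliases_to_reassign": sorted(boxes[departing].get("aliases", [])),
        # Stale list members cause error messages for people mailing the list.
        "lists_to_remove_from": sorted(
            name for name, members in directory["distribution_lists"].items()
            if departing in members),
        "forwards_to_redirect": [],
        "delegations_to_reassign": [],
        "shared_mailboxes_to_review": [],
    }
    for addr, box in sorted(boxes.items()):
        if addr == departing:
            continue
        if box.get("forward_to") == departing:
            work["forwards_to_redirect"].append(addr)
        if departing in box.get("delegates", []):
            work["delegations_to_reassign"].append(addr)
        if departing in box.get("password_users", []):
            work["shared_mailboxes_to_review"].append(addr)
    return work

if __name__ == "__main__":
    for item, found in offboarding_worklist(DIRECTORY, "george@example.com").items():
        print(f"{item}: {found}")
```

An empty list for every item means the account has no dependencies beyond its own address and mailbox.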

Removing Access

Obviously your first desired task is to immediately block the departing user from his or her e-mail account and files. You need to force the user to disconnect (sign out), prevent him or her from logging back in, and, if called for by your company's security policy, remove mailbox data saved on the user's device (remotely if necessary).

But there are many ways to do this in the administrator's console for your e-mail system, and how it should be done depends on what you want to do with the user's e-mail address and mailbox—that is, what you've decided on the points above.

Your IT systems manager can block access without specific instructions on the above considerations, but the sooner you make your decision the better.

Whether or not you've given directions for disposition of the address and mailbox, how the account should be handled while blocking access to the departed user, and whether it can even be done to your specification, differs greatly between service providers. Some service providers are more flexible than others, but in most cases whatever you request can be done. If not, your IT provider can assist in developing the best solution for your operational requirements.

This is why you shouldn't task your non-IT personnel to perform off-boarding in your IT systems. Doing it wrong could cause lost e-mails or files, cause mis-deliveries of messages or other errors, and/or enable the departed employee to continue to access your company's mailboxes. Even if your e-mail is hosted in a modern system seemingly geared towards self-service, such as Microsoft 365 or Google Workspace, it's a mistake to think these systems are self-explanatory or easy to manage.

Off-boarding is best handled by your IT service provider or a trained, dedicated IT manager. The process starts even before the decision to terminate the employee in question. Your IT provider will have continuously tracked who should have access to which mailboxes, and will also know other considerations a non-IT employee might not, such as the various options and pitfalls in configuring accounts in your e-mail provider's system, what backup and archiving solutions are available, or configuration changes that may have been implemented on behalf of another department.

Long Term Planning

Many business managers are inclined to keep e-mail addresses and mailbox data indefinitely or forever, to ensure messages from important clients or business partners are not missed.

Keeping accounts for departed users has drawbacks. First, on some systems, you may need to continue paying for each license. So as employees turn over, your cost for e-mail will keep going up. Some systems can be tweaked to keep mailboxes accessible as if they're still active but without paying, but you may be violating the terms of service for the system by doing this, which puts you at risk for adverse action you'd probably rather not deal with.

Second, maintaining accounts for non-present users introduces administrative complexity that can lead to confusion among your users, such as if departed employees' names appear in an address list or as an owner of a file. Your IT service provider can and should prevent this, but it's not always possible in some situations.

Keeping accounts for departed users also reduces protection of your system from infiltration by malicious actors (inside or outside your organization) or from exposure of your company information, for technical reasons we won't detail here.

So, ideally you should develop and publish a data retention policy.

Your Retention Policy

Your data retention policy for e-mail and user files should include:

  1. What to do with a departed user's e-mail address (forward, bounce, etc.) upon departure.
  2. What to do with mailbox data (delete, delegate, migrate, archive, etc.) upon departure.
  3. What to do with the user's files (delete, transfer to another user, archive, etc.).
  4. In cases where the address or data is to be kept active, when and how to take it offline. The "when" may be a certain time period or a certain event (such as the end of a project). The "how" specifies whether to delete or put into offline archiving.

You can classify users by type (sales, administrative, product, etc.), and specify different forwarding, backup, and retention policies for them.

Anyone involved in handling e-mails or accessing mailboxes of departed users should know these policies. They should know how long they have to perform tasks before the mailbox will be removed. These tasks include:

  1. Proactively contacting important customers or partners to advise them of the employee's departure;
  2. Searching the mailbox for e-mail threads or attachments to extract them, such as by forwarding the thread to someone else to continue, or saving the attachments to your company's file system.

Work with your IT services provider to develop your data retention policy. If it's best to specify "case-by-case", then that's fine, so long as a business manager is responsive to your IT provider's request for guidance prior to each off-boarding.

Another recommendation is not to make exceptions. When it's time to delete or archive the mailbox, very often the person responsible will have procrastinated, or she will say she doesn't want to give up the mailbox data for fear she might still need to search for something that hasn't come to mind yet. Of course, it's up to you whether the employee has made a business case for an exception to the policy, but do consider the fact that if you make exceptions to your retention policy for situations that don't truly require it, then you effectively have no retention policy.

Archiving

When it's time to delete an e-mail account, you may either permanently delete the mailbox and all its data, or archive it. Archiving a mailbox means it's no longer accessible by any users through their e-mail apps, but the mailbox data (e-mail threads, attachments, contacts) is stored in a location where it can be retrieved if necessary by your system administrator in the future.

The typical trade-off in archiving cost is that the less you pay, the more work and/or time it would take to retrieve the mailbox and search for e-mails in case something comes up later. There are online archiving solutions that keep mailboxes in separate cloud storage accessible by your IT system administrators for a small monthly fee payable to the storage provider (much lower than you would pay to retain the data on the e-mail system itself), and which enable prompt searching and retrieval.

On the other end of the scale would be mailbox data stored on a physical hard drive in your office or in a safe. Just one hard drive can hold thousands of large mailboxes forever at no cost. With that, though, it could take hours or days for your IT provider to recover even one e-mail.