Assess the Risk of Browser Extensions Installed in Your Browser. Add to Chrome.×
Home » Spin.AI Blog » Cybersecurity » Google Workspace » How to Securely Plan a Google Workspace Employee Leaving
July 1, 2019 | Updated on: April 26, 2024 | Reading time 10 minutes

How to Securely Plan a Google Workspace Employee Leaving

Author:
Avatar photo

Vice President of Product

Let’s talk about the risks of an employee exit from corporate Google Workspace. 47% of former employees still had access to important company apps, such as Google Workspace, even after leaving the company. What is even more disturbing is that 56.2% of them admitted to logging into a corporate account after their employment contract ended.

The consequences of such data security violations can be (and usually are) disastrous: data leaks, breaches, and deletions. Sometimes, companies don’t realize this for a long time. This can lead to losing money or even facing lawsuits and a damaged reputation.

As a rule of thumb, a Google Workspace admin needs to be aware of employee leave threats to prevent them. They are responsible for transferring the data of a departing employee. This is to ensure that the new worker has the necessary information. It will help them start working efficiently and without wasting company time.

This article will guide Google Workspace Admins step-by-step to secure employee exit and provide them with some prompts on this way!

Step 1. Disable access to Google Workspace user account

If an employee leaves abruptly, the first thing to do is to disable their access to their Google Workspace account. Users then are prevented from sharing files or sending emails from a company Google Workspace (G Suite) domain. However, the data is retained for archiving purposes or can be transferred to another account at a later time.

To suspend a user in Google apps, use the Google Workspace admin secure workspace login. However, it’s best to log in as the user themselves to have complete access to their data in all Apps. It is particularly important if the employee has access to company apps. These could be Google Analytics, Adwords, or social media accounts such as Facebook and Twitter.

Here are the steps you should take:

1. Log in as admin.

2. Ensure the user can no longer access the account. To do it:

Go to Users in the Admin Console. Pick the employee from the list. On their page, click Reset Password in the left menu bar.

Next, go to the Security tab, scroll down to Sign-in cookies, and click on them. Then press Reset. It will log out the user on all devices and browsers.

Remove the former employee’s telephone and email from the Recovery information section in the security tab.

Remove the user’s security keys and disable 2-step verification for them.

3. Remove all passwords for specific applications and block access to the user’s Google Account for authorized services (if provided).

In the Security tab of the User’s page, scroll down to Applications-specific passwords. Here you’ll see the list of applications you can reset passwords for. Just press Reset near each one of them. Just below, you’ll see Authorized Access. Press Revoke.

4. Delete access to the account and company applications from all connected devices including mobile phones. To do this, return to the User details tab, scroll to the bottom of the page, and find the Managed devices section. There, you’ll see all the devices linked to this account. Click Wipe this device or Wipe this account.

Step 2. Backup employee’s data

There are two ways to backup important company’s data:

Your company data can’t be secure if you just save them occasionally. To keep your files safe, you should regularly and automatically back up all company data on reliable cloud storage. Moreover, you need to take care of this data to be easily restorable and protected from cybercriminals.

Spinbackup doesn’t only backup your critical Google Workspace (G Suite) data. It also protects your account from data leaks.

  • Manually with Google Takeout

Manual backup is not the best choice for companies because of a quite large amount of data to deal with. But in case you need to make just a one-time copy of your Google account data, use Google Takeout.

Related Link: How to Back up Google Drive: A Step-by-Step Guide

1. Log in to the former employee’s Google account and click on Download your data. There you will see all apps that contain your data. All options are selected by default. To choose specific files, deselect all and then tick the desired field.

2. To download some parts of your data just leave all the data selected and uncheck the box near the files you don’t want to save. Then press Next step.

3. Customize your archive by choosing the delivery method, type of export, type, and size of the file.

It can take some time, depending on the number of files.

Step 3. Transfer Google Workspace Data to Another Account

There are two ways to transfer data between Google Workspace accounts:

1. Simple, if you are using Spinbackup.

First, it’s easier because you don’t need to save data additionally before or after you transfer them – they are automatically backed up. Second, it just takes fewer steps.

By default, only the route Google Workspace (G Suite) administrator can migrate data between accounts. However, you can nominate an additional administrator and give him/her permission to migrate data. You can revoke this permission in the future if needed.

2. Tricky, if you are using Google Workspace (G Suite) migration service.

To move all data with Google Workspace, follow these steps for migrating Google Workspace data to another Google account.

After you successfully backed up and transferred all the important data, you can delete the original user account without fear of losing vital information.

Step 4. Forward Emails

When an employee departs, it is crucial to configure Google Workspace (G Suite) to forward their emails. This ensures that any significant unfinished messages can be addressed promptly.

Most likely, the leaving employee had some important unfinished correspondences, or their email is the only way for some customers/companies to reach your company. In this case, you may need to forward suspended emails. All you have to do is:

  • Create the same email address (if you have already terminated an employee’s Gmail) and put someone responsible to go through it.
  • Set an auto-responder to inform the sender that the employee is no longer working at the company and offer a new point of contact.
  • Go to the new employee’s user page and provide the former employee’s email as an email alias in the User Information section.

P.S.: if you need to configure Google Workspace (G Suite) for email archiving, you may use Google Vault or back up your Gmail with Spinbackup.

Step 5. Collect Company Devices and Wipe Clean

Of course, before leaving the employee must return any laptops or mobile devices that they used for work. In most cases, these devices are recycled for new employees. To prevent inadvertently giving a new employee access to sensitive information, don’t forget to back up, transfer, and wipe clean all data on the devices.

Step 6. Add an account as an alias

If the former employee used their email as a login to some sites or services you may need in the future, this is the right move to make.

To add their email as a nickname, you need to:

  • Log in to your Google Workspace admin panel.
  • Press Users and choose a user.
  • Press Accounts, and then press Add a nickname under Alias.
  • Insert the email of the former employee.

Step 7. Review Risky Third-Party Apps Installed by the User

Another important measure to take is to control risky third-party apps that the employee has granted access to from their corporate Google account. Why? Because these apps could have been used to copy company files and may retain access to corporate data.

There is currently no easy way to monitor third-party apps in Google Workspace. But SpinSSPM suite allows you, the administrator, to see all apps installed by the users, all the permissions that have been granted, and the risk rate of these apps.

From the SpinSSPM admin console, you can easily block risky apps as a security measure after the employee leaves the company. Also, you can flag and block activity such as unauthorized downloading of files. This feature can provide enhanced surveillance of user actions if an employee has given the notice to leave but still has to work at the company.

Step 8. Conduct an Exit Interview

Conducting an exit interview is a common part of HR procedure when an employee leaves a company, but data security is not always included in this conversation.

A thorough exit interview should include questioning the employee on their data practices while they were at work, such as if they downloaded corporate files to personal cloud storage. The previously mentioned survey found that 68% of ex-employees had downloaded work files to their personal cloud storage.

It’s also essential to remind the ex-employee that company information is confidential and should not be shared with anyone outside the organization.

The exit interview is also the last chance to ask the user for their login credentials for cloud apps. This is necessary to gain access to data stored within the apps – even a Google Workspace super admin does not have full access to all data and apps within another user account.

Finally, it’s important to ensure that employee contact information is up to date. This ensures that he or she can be contacted in the event that access is needed to any forgotten corporate accounts in the future.

Your next steps as an administrator after reading this article:

1. If you don’t have a rule that HR notifies you every time an employee is about to leave, set up this rule. From now on, when someone is about to leave their job, you should be notified immediately. No one should underestimate this moment since all company data security depends on it.

2. Ask your HR or responsible manager about how much time the employee needs to finish the tasks that require access to their Google Workspace account. Before you cut access to Google Workspace for the employee, you better use Spinbackup tools to track all data movements within the company to prevent any leaks of sensitive or important company data.

3. If an exit interview is still not mandatory in your company, you should speak with your Human Resources Department about setting up this rule.

Was this helpful?

Thanks for your feedback!
Avatar photo

Written by

Vice President of Product at Spin.AI

Davit Asatryan is the Vice President of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.


Featured Work:
Webinar:

How Can You Maximize SaaS Security Benefits?

Let's get started with a live demo

Latest blog posts

Best CRXCavator Alternative for Browser Extension Risk Assessment

Of the 300,000 browser extensions used in enterprise environments, more than half (51%) could execute...

Avatar photo

Product Manager

Read more

The Ultimate Guide to SharePoint Cloud Backup: Securing Your Data

For businesses using Microsoft 365, SharePoint has become central to document management, team collaboration, and...

Avatar photo

CEO and Founder

Read more

How to Ensure that Your Google Chrome Extensions are Safe

Google Chrome is the world’s most popular internet browser, enjoying a global market share of...

Courtney Ostermann - Chief Marketing Officer Spin.AI

Chief Marketing Officer

Read more