Blog | G5 Cyber Security

2FA After Leaving a Job: Securing Mixed Accounts

G5 Cyber Security

TL;DR

Leaving a company with personal use of work accounts is tricky. Enable 2-Factor Authentication (2FA) on *everything* possible, especially email and cloud storage. If you can’t access the admin to add 2FA yourself, contact IT support. Consider creating new, separate personal accounts immediately.

Securing Mixed Personal & Business Accounts After Leaving a Company

  1. Understand the Risks: Using work accounts for personal stuff creates problems when you leave.
    The company can revoke access, potentially locking you out of important data (photos, documents, etc.). They may also have legal rights to review account contents.
  2. Email Account – Priority #1: This is usually where the biggest risk lies.
    • Enable 2FA Immediately: If possible, add 2FA yourself through your email provider’s settings (Google, Microsoft, etc.). Use an authenticator app (like Google Authenticator, Authy) instead of SMS-based codes – they’re more secure.
    • If You Can’t Add 2FA: Contact the company’s IT support *before* you leave and ask them to enable it for your account. Explain the situation clearly. Get confirmation in writing (email is fine).
    • Forwarding Rules: Set up email forwarding to a personal account *after* confirming 2FA is active. This ensures you don’t miss important emails, but be aware this may violate company policy.
  3. Cloud Storage (Drive, OneDrive, Dropbox): Similar to email.
    • Enable 2FA: Add 2FA through the cloud storage provider’s settings.
    • Download Your Data: Before leaving, download *all* personal files from the cloud storage account to a safe location (external hard drive, personal cloud storage). Don’t rely on forwarding or syncing after access is revoked.
  4. Other Work Accounts (Social Media, Project Management Tools):
    • Check Account Ownership: Determine if these accounts were created with your personal email address or a company email address.
    • Enable 2FA Where Possible: Add 2FA to any account using your personal email.
    • Create New Accounts: If the accounts use a company email, create new ones with your personal email *before* losing access. Inform relevant contacts of the change.
  5. Password Manager Review:
    • Identify Work Credentials: Check your password manager for any saved logins using work email addresses or associated with the company domain.
    • Remove/Update: Remove these credentials from your password manager, or update them if they are linked to personal accounts you still control.
  6. Social Media Accounts (LinkedIn, Facebook, Twitter):
    • Check Login Email: Verify the email address associated with each social media account.
    • Update Email Address: If using a company email, change it to your personal email *before* you leave.
  7. Contact IT Support (Again): Before your last day, send a final email to IT support summarizing the 2FA status of all critical accounts and requesting confirmation that access revocation won’t lock you out of personal data. Keep a copy of this email.
Exit mobile version