Malicious actions taken by disgruntled former employees have the potential to cripple any business, no matter how large or small. It happened to Amazon, to Apple, to the infidelity matchmaking website AshleyMadison, and to the automotive innovators at Tesla. And it has occurred at many small and mid-sized organizations as well. Former employees have stolen intellectual property and trade secrets—including proprietary software and technical information—and have taken passwords, administrative privileges, and intimate knowledge of their former employers’ IT environments with them when they left their jobs.
Of course, not all harm that employees do to information security is accomplished in bad faith. In the 2019 Verizon Data Breach Investigations Report, for instance, “privilege abuse”—including the abuse of credentials accidentally disclosed to criminals by victims of social engineering attacks—and “data mishandling” were among the most common causes of breaches, and together were responsible for more than half of the incidents included in the survey. Employee errors, accidents, and misconfigurations remain among the leading causes of data breaches year after year and have held this position since indexing began.
Developing the proper onboarding and offboarding procedures can have a major impact on your organization’s cybersecurity risk profile. Both malicious acts and innocent mistakes will be far less likely to result in a data breach if you have the right policies and workflows in place.
Read on to learn about best practice guidelines to help your incoming employees keep cybersecurity front-of-mind, and to prevent employee departures from increasing your vulnerability.
How to Get Employees on Board with Cybersecurity Compliance
New hires are often your most eager, attentive, and motivated employees. If you can successfully turn this beginner’s enthusiasm into good habits, you’ll have taken an enormous step towards creating a strong and resilient cybersecurity culture within your organization.
Implement a well-designed Security Awareness Training program and make participation mandatory, not optional. Look for a program that provides information in various types of media and in differing formats to engage employees with diverse learning styles. Research indicates that including games and quizzes can boost employees’ ability to remember information from the training, and incorporating testing and assessment can help you evaluate the training’s effectiveness, and show you which individual employees are likely to pose the greatest risks.
You should create formal written policies covering several aspects of your organization’s information and technology assets. An acceptable use policy (AUP) outlines how company-owned hardware, software, websites, network resources, and other systems can be used. Having all employees sign an appropriately-worded AUP may limit your organization’s liability in case of an insider-perpetrated attack. But having employees read, think about, and discuss this document can also help them understand the very real dangers that cyber threats pose, and appreciate how following best practices can protect their well-being and livelihood. Although having such policies is mandatory for some types of regulatory compliance—including HIPAA—keeping these conversations relatable, and using simple, real-world examples that non-specialist audiences can understand is important to achieving buy-in on a large scale.
It’s also a good idea to implement a least-privilege access policy. This means defining each new employee’s information access requirements carefully and precisely, and ensuring that no one is given permission to use or administer any applications or services that aren’t required by their role. Privilege audits should be conducted regularly to ensure that users don’t have ongoing permissions that are no longer needed.
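One way to run the privilege audit described above, as an added PowerShell example that is not part of the original article: it compares each enabled Active Directory user’s group memberships with the groups their job role is supposed to grant and reports the differences. The RSAT ActiveDirectory module, the role baseline, the group names, and the convention that extensionAttribute1 holds the role name are all assumptions for illustration.

```powershell
# Added example (not from the original article): least-privilege audit of AD group
# membership against a per-role baseline. Role names, group names and the use of
# extensionAttribute1 to store the role are assumptions; adjust to your environment.
Import-Module ActiveDirectory

# Assumed baseline: the groups each role legitimately needs.
$RoleBaseline = @{
    'Sales'    = @('Domain Users', 'GRP-CRM-Users', 'GRP-VPN')
    'Finance'  = @('Domain Users', 'GRP-ERP-Users', 'GRP-VPN')
    'HelpDesk' = @('Domain Users', 'GRP-Helpdesk-Tier1', 'GRP-VPN')
}

function Get-PrivilegeDeviation {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User)

    $role = $User.extensionAttribute1
    if (-not $RoleBaseline.ContainsKey($role)) {
        # No baseline for this role: report it so the audit does not silently skip the account.
        return [pscustomobject]@{ User = $User.SamAccountName; Role = $role; Finding = 'No baseline defined'; Groups = '' }
    }

    $actual  = (Get-ADPrincipalGroupMembership -Identity $User.DistinguishedName).Name
    $extra   = $actual | Where-Object { $_ -notin $RoleBaseline[$role] }
    $missing = $RoleBaseline[$role] | Where-Object { $_ -notin $actual }

    # Excess memberships are the revocation candidates; missing ones usually mean a broken provisioning step.
    if ($extra) {
        [pscustomobject]@{ User = $User.SamAccountName; Role = $role; Finding = 'Excess membership';  Groups = ($extra -join ', ') }
    }
    if ($missing) {
        [pscustomobject]@{ User = $User.SamAccountName; Role = $role; Finding = 'Missing membership'; Groups = ($missing -join ', ') }
    }
}

# Audit every enabled user that has a role assigned; disabled accounts belong to offboarding, not this audit.
$findings = Get-ADUser -Filter 'Enabled -eq $true' -Properties extensionAttribute1 |
    Where-Object { $_.extensionAttribute1 } |
    ForEach-Object { Get-PrivilegeDeviation -User $_ }

# Write a dated CSV for the access owners to review and show the revocation candidates on screen.
$findings | Export-Csv -Path ".\privilege-audit-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$findings | Where-Object Finding -eq 'Excess membership' | Format-Table -AutoSize
```

Running this on a schedule and having the group owners sign off on each “Excess membership” row is what turns the policy in the paragraph above into a repeatable control.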
How Can the Onboarding Process Be Improved?
Many employees lack a deep and thorough understanding of cybersecurity’s importance. If you can successfully make information security into something your employees perceive as important and valuable, you’ll have accomplished a great deal, and will be well on the way to transforming your employees from a source of risk to your business’s greatest defensive asset.
It’s equally important to engage employees in technical and non-technical roles, especially as digital transformation makes technology an increasingly important part of everyone’s workplace.
Cybersecurity Rules Every New Hire Should Know
From their very first day on the job, every new hire has the potential to make a positive impact on your organization’s cybersecurity posture. But to do so, they must, of course, understand how. And this isn’t always easy, given the complexity of today’s threat landscape and the fact that some workers may find discussions of IT security tedious or frightening. To help your employees be more engaged and responsive, we recommend keeping the rules simple and straightforward, and rewarding good behavior—like reporting phishing attempts—rather than punishing mistakes.
Broadly speaking, your organization’s cybersecurity rules should cover each of the following four categories:
Passwords and Access: Teach your employees the importance of setting strong passwords and changing them regularly. Encourage the use of single sign-on for both company-owned and personal accounts, and consider using a password manager to help reduce the number of credentials that they’ll have to remember. Also teach employees about the advantages that implementing multi-factor authentication brings and ensure that it has been set up for as many business logins as possible.
Device Security: When employees get busy, it can be easy for them to forget to perform regular software updates on their laptops or mobile phones. But if these devices are being used to access company software or data, it’s critical that the latest software patches be installed on them. Besides implementing a clear BYOD policy that outlines which software must be in place on employee devices accessing the corporate network, and what other rules must be followed, be sure that you emphasize the importance of keeping all patches up-to-date.
Physical Security: Although it’s simple, maintaining a clean desk policy can make a big difference when it comes to your office’s security. Train your employees to file or shred all sensitive paperwork, remind them that devices left on desktops can be stolen more easily than those stored securely, and forbid employees from writing their passwords on sticky notes.
Behavioral Security: A strong and well-integrated Security Awareness Training Program should cover the basics, but your employees can’t be too careful when it comes to email and social media security awareness. Teach employees to recognize common signs of phishing attacks, including misspellings and email display name spoofing. It’s also important to develop policies for how much company information can be revealed on social media, since criminals commonly search social networks for information to use in social engineering attacks.
How to Manage Employee Offboarding the Right Way
Not every employee’s exit is an occasion for celebration, but it’s critical to develop a set of robust policies and procedures to manage the process so as to protect your organization from harm or possible legal consequences. Research indicates that only a minority of organizations have a formal offboarding procedure in place. If yours doesn’t, you should develop a set of consistent and repeatable steps to take to ensure that every employee’s departure is as smooth and safe as possible.
Employee Offboarding Checklist
In many organizations, offboarding is seen as the sole responsibility of HR, and IT’s involvement in the process is minimal at best. But in today’s complex information technology ecosystems, the more cross-departmental collaboration, the better. Organizations should develop a comprehensive checklist, flow chart, or roadmap to be followed at the conclusion of every employee’s time with the company, and both HR and IT should contribute to it.
Your offboarding procedures should include the following general steps:
Step 1: Initiation and notification. HR informs IT of the date and terms of separation.
Step 2: Compile a list. Create a complete list of all the places that the employee stored data, including personal devices, company-owned devices, and cloud platforms. Also, document all company IT assets and services to which the employee had access, and specify which administrative privileges, if any, were granted.
Step 3: Check phone systems. You’ll want to change voicemail messages and passwords. You may also have to set up call forwarding so that another employee can handle new incoming calls on the former employee’s number.
Step 4: Check email systems. Ensure that all company email messages have been deleted from personal devices, change passwords, revoke access, and remove the employee from all internal email distribution lists.
Step 5: Check all network and cloud service access privileges. Revoke access to all cloud-hosted software applications, and ensure that the employee doesn’t have remote-access software installed on any of their personal devices. Move any files that other employees will need to shared storage locations.
Step 6: Recover hardware. Ensure that any company-owned devices that were issued to the employee have been returned.
Step 7: Conduct an exit interview. During this process, you can assess whether or not the employee seems likely to pose future risks to the company. You can also ask them to review and sign non-disclosure agreements or other data-integrity exit policy documents.
Top Threats Posed by Improper Offboarding
There are many examples of companies that have suffered devastating breaches because proper employee offboarding procedures weren’t followed. An angry ex-employee who retains access to company applications can destroy valuable data, steal intellectual property, or sell customer financial records to criminals, to name just a few examples.
Even if your company never becomes a target, you can fall out of regulatory compliance or be assessed fines if it’s determined that you failed to follow mandatory data protection procedures. In the best-case scenario, you’ll find yourself incurring unnecessary costs for software licenses that you’re no longer using.
Best Practices for Removing Employees from Email and Phone Accounts
To terminate a former employee’s access to their company email account, you should first change their password in your email system or in Active Directory. Then designate another employee to handle email inquiries addressed to the former employee, or set up an autoresponder on the account. Be sure to remove the terminated employee from all generic email distribution lists within the company. Back up and store the former employee’s email archive for a set period of time—usually 30 days—after which it can be permanently deleted.
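The Active Directory and mailbox portions of the offboarding checklist and of the email guidance above, as an added PowerShell example that is not the article’s or Edge Networks’ own tooling. It assumes the RSAT ActiveDirectory module is installed, that an Exchange session is already connected if the auto-reply step is wanted, and that the disabled OU path, the delegate account, and the HR ticket value are placeholders to be replaced.

```powershell
# Added example (not from the original article): the AD and mailbox steps IT runs once
# HR gives notice. Assumptions: RSAT ActiveDirectory module; an Exchange session already
# open for the auto-reply step; OU path, delegate and ticket value are placeholders.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$DelegateTo   = 'jane.doe',                              # assumed replacement
    [string]$DisabledOU   = 'OU=Disabled Users,DC=example,DC=com',   # assumed OU
    [string]$TicketNumber = 'HR-TICKET-PLACEHOLDER'
)
Import-Module ActiveDirectory

$user   = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup, mail
$groups = Get-ADPrincipalGroupMembership -Identity $user.DistinguishedName

# Step 2: record everything the account could reach before any of it is revoked.
$groups | Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
    Export-Csv -Path ".\offboarding-$SamAccountName-access.csv" -NoTypeInformation

# Step 4: set a random password nobody knows, then disable. Disabling stops new logons;
# tickets already issued remain valid until they expire, so do this as early as possible.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
Disable-ADAccount -Identity $user
Set-ADUser -Identity $user -Description "Offboarded $(Get-Date -Format yyyy-MM-dd) ($TicketNumber)"

# Steps 4 and 5: strip security and distribution group memberships. The primary group
# (normally Domain Users) cannot be removed from a user, so it is skipped instead of erroring.
foreach ($g in $groups) {
    if ($g.DistinguishedName -ne $user.PrimaryGroup) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }
}

# Mailbox hand-over: set the autoresponder only when an Exchange session exposes the cmdlet.
if (Get-Command Set-MailboxAutoReplyConfiguration -ErrorAction SilentlyContinue) {
    $msg = "This mailbox is no longer monitored. Please contact $DelegateTo."
    Set-MailboxAutoReplyConfiguration -Identity $user.mail -AutoReplyState Enabled `
        -InternalMessage $msg -ExternalMessage $msg
}

# Park the object in the disabled OU so stale accounts are visible at a glance.
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU
Write-Output "Offboarded $SamAccountName; removed from $(@($groups).Count) groups; evidence in offboarding-$SamAccountName-access.csv"
```

Keep the exported CSV with the HR ticket: it is the evidence an auditor will ask for when checking that revocation actually happened, and it is the list you work from when cleaning up cloud services that do not federate with Active Directory.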
Depending on the telephony solution you have in place, you may need to double-check call forwarding. Make sure that no business calls are being forwarded to the ex-employee’s mobile phone or another personal device. You should change their voicemail password and outgoing voicemail message. It may make sense to assign another employee to respond to their voice calls until the number is reassigned, if it is going to be.
Designing appropriate offboarding procedures to meet all legal and compliance requirements while ensuring that your business remains as safe as possible is no easy task. An experienced managed IT service provider can help. At Edge Networks, we have experience with both employee onboarding and offboarding best practices and can ensure that no critical security measures will be overlooked. What’s more, we can take over the responsibility for managing the entire process, freeing you to focus your time and attention on running and growing your business.