Employees: The First Line of Cyber Security Defense
When considering your company’s overall security posture, it is easy to think only about firewalls and endpoint protection. Personnel security is often overlooked, yet it is one of the critical security measures a company must proactively institute. Employees are often both the first and the last line of defense in building a secure and stable business environment. A personnel security policy provides a consistent approach to handling employee security throughout the entire lifecycle of an employee’s tenure with your company.
From an employee’s initial onboarding through their offboarding and beyond, developing and implementing a consistent personnel security policy will give you peace of mind, let you manage your employees consistently, and maintain your business’s security from start to finish.
Employee Security Policies – Where it Begins & Ends
A good personnel security policy details both your company’s process and the employee’s expectations.
The first step, taken before hiring for a specific role in your organization, is to clearly outline the role’s responsibilities and the access it requires. The process continues through pre-employment screening and employee onboarding, and concludes with employee offboarding. The following are important policy areas to consider as you plan for or review current personnel security policies.
Roles and Responsibilities
A procurement management policy covers the rules of engagement for selecting and managing the hardware and software vendors used by your company. It also protects the confidentiality of purchases, pricing models, authorized vendors, and authorized purchasers.
For companies that produce specialized products and services, such as patented inventions or other trade secrets, a procurement management policy would include a method for confidential procurement through an authorized third-party purchasing organization. Some companies also require documentation of a supplier diversity program as a means of supporting female- and minority-owned businesses. Many state contracts require this documentation, and your company’s culture may make it desirable as well.
The pre-employment process is critical to your personnel security program. Before hiring any candidate who will be given access to sensitive company data, background screening should occur. At a minimum, the background screening should include a criminal records search, a credit report (where local law permits it for the role), and previous employment verification. Employers often fail to apply this same diligence to contractors, temporary or seasonal workers, and outsourcing companies who will be allowed to access sensitive company data or functions; failing to do so leaves a gap in your company’s security.
Many people might ask why pre-employment screenings are so integral to a company’s security. Would you want to hire a System Administrator with a criminal record that included a conviction for data theft? Perhaps you are considering hiring a new Staff Accountant, and they have a conviction for embezzlement. Maybe you are hiring an Engineer to refine your prized invention, and the candidate was convicted of corporate espionage. Although these scenarios may sound unlikely, or perhaps read like something from a movie script, such lapses in personnel security negatively impact companies of all sizes and in every vertical on a daily basis. Pre-employment screening can save your business from a potentially damaging or even criminal incident involving your company or your data, and it should be part of your personnel security policy.
Suppose you have decided to hire a candidate who has passed the pre-employment screening process. You are confident in their qualifications and relieved they do not have a questionable background. Your new employee reports for their first day of work. What should happen next?
Employees should be asked to review and acknowledge the following prior to receiving access to any company systems:
1. Confidentiality Agreement – The confidentiality agreement is your protection and details what the employee can discuss or divulge outside of authorized company employees.
2. Information System Security Agreement – These policies pertain to the employee’s responsibility in safeguarding systems and data.
3. Intellectual Property Rights Agreement – This agreement specifies who owns the hardware, software, data, and source code the employee creates or has access to during the execution of their duties.
4. Security Awareness Training – Information Security training should be given at onboarding; some companies wrongly assume the new employee is already aware of potential security issues or concerns. Train your employees and obtain written acknowledgement of the training. Better yet, repeat this training annually to ensure that policy updates are covered.
5. Equipment Receipt Acknowledgement – If the employee is issued a computer, phone, access badge, or other company-owned equipment, then an inventory of these items and their serial numbers should be taken and written acknowledgement obtained.
Once the new hire has completed this process, the supervising employee or manager should notify Human Resources and request the new employee’s credentials from the Information Systems Security team.
The access given to the new employee should adhere to the principle of least privilege. Least privilege refers to granting an employee the minimum amount of access to systems and data required to perform the duties of a given role. If the employee performs administrative work, a separate administrator account should be used for those tasks rather than granting administrative rights to the account used for email and everyday work; this limits the damage if the everyday account is phished or otherwise compromised. All employees should be required to change their password upon initial use, and multi-factor authentication should be enabled for added security.
For an employee transfer to a new role or department, access should be reviewed by the Information Systems Security team to ensure the new access adheres to the principle of least privilege.
Offboarding and Termination
Gone are the days when most employees earned a gold pocket watch after 50 years of employment. The reality of today is that sometimes the relationship between employer and employee may not work out. When an employee or contractor leaves, either through involuntary termination or by choice, a secure offboarding process should be followed to ensure that the integrity of the company equipment, systems, and data is maintained.
One of the biggest threats to company security is the inappropriate or illegal use of unused credentials. Accounts are often ignored or even forgotten when an employee leaves, and they are frequently discovered by attackers and used to elevate privileges, sabotage systems, and steal data. These unused accounts are an excellent target for criminal activity because no one is watching for logins or password changes on an account whose owner has gone.
Another threat that should not be ignored during offboarding is related to the involuntary termination of an employee. Disgruntled, recently terminated employees may steal or destroy data or systems before their credentials are revoked as an act of retaliation. In 2018, a fired IT contractor with Chicago Public Schools stole over 70,000 employees’ personal information.
When offboarding or terminating employees, the company should ensure that exit interviews are conducted, if possible, and:
1. Immediately terminate access to company systems by notifying the Information Systems Security team. All of the employee’s accounts and logins (network, email, VPN, cloud and SaaS applications) should be disabled, the password(s) changed, and any active sessions, API tokens, or SSH keys revoked.
2. Any previously issued company-owned equipment and data should be recovered and checked against the issued serial numbers.
3. Remind the offboarding individual about any agreements still in force.
4. Rotate any shared credentials (administrator passwords, service accounts, API keys) if the individual had access to them.
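The two checks the offboarding steps above depend on (no enabled account for a departed person, and no account idle for longer than the policy allows) and the least-privilege rule from onboarding (administrative rights only on a separate administrator account) can be automated as a periodic reconciliation between the HR roster and a directory export. The script below is an added example, not part of the original article or Edge Networks’ tooling; the account fields, the HR status values, the admin group names, the “-adm” naming convention for separate administrator accounts, and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed naming convention: a person's separate administrator account is
# their primary username plus "-adm" (e.g. alice -> alice-adm).
ADMIN_SUFFIX = "-adm"
# Assumed set of groups that confer administrative rights.
ADMIN_GROUPS = {"Domain Admins", "sudoers", "aws-admin"}


@dataclass
class Account:
    """One row of a (hypothetical) directory export."""
    username: str
    enabled: bool
    last_login: Optional[date]
    groups: Tuple[str, ...] = ()


@dataclass
class HrRecord:
    """One row of a (hypothetical) HR roster; status is active/terminated/transferred."""
    username: str
    status: str
    end_date: Optional[date] = None


def review_accounts(accounts: List[Account], hr_records: List[HrRecord],
                    as_of: date, max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Return sorted (username, finding) pairs for enabled accounts that violate policy."""
    hr = {r.username.lower(): r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used to log in; nothing to flag
        name = acct.username.lower()
        # Map an admin account back to the person who owns it.
        primary = name[:-len(ADMIN_SUFFIX)] if name.endswith(ADMIN_SUFFIX) else name
        record = hr.get(primary)
        if record is None:
            findings.append((acct.username, "no_hr_record"))       # orphan / service account
        elif record.status == "terminated":
            findings.append((acct.username, "terminated_still_enabled"))
        elif record.status == "transferred":
            findings.append((acct.username, "transferred_needs_review"))
        idle = (as_of - acct.last_login).days if acct.last_login else None
        if idle is None or idle > max_idle_days:
            findings.append((acct.username, "stale"))              # never or long unused
        if primary == name and ADMIN_GROUPS & set(acct.groups):
            findings.append((acct.username, "admin_on_primary"))   # violates separate admin creds
    return sorted(findings)


# Constructed sample data (not real accounts).
AS_OF = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", True, AS_OF - timedelta(days=3), ("Staff",)),
    Account("alice-adm", True, AS_OF - timedelta(days=10), ("Domain Admins",)),
    Account("bob", True, date(2023, 11, 1), ("Staff",)),          # left in Nov 2023, never disabled
    Account("carol", True, None, ("Staff", "Domain Admins")),    # never logged in, admin on daily account
    Account("erin", True, AS_OF - timedelta(days=1), ("Finance", "Engineering")),
    Account("svc-backup", True, AS_OF - timedelta(days=1), ("Backup Operators",)),
    Account("dave", False, date(2022, 1, 5), ("Staff",)),        # correctly disabled
]
SAMPLE_HR = [
    HrRecord("alice", "active"),
    HrRecord("bob", "terminated", date(2023, 11, 15)),
    HrRecord("carol", "active"),
    HrRecord("erin", "transferred"),
    HrRecord("dave", "terminated", date(2022, 1, 6)),
]


def sample_findings() -> List[Tuple[str, str]]:
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR, AS_OF)


if __name__ == "__main__":
    for username, finding in sample_findings():
        print(f"{username:12} {finding}")
```

In practice the directory export would come from Active Directory, an LDAP query, or the identity provider’s API, and the HR roster from the HRIS; the point of the script is that the reconciliation is mechanical once both sources are in hand, so it can run on a schedule rather than relying on a manager remembering to notify the security team.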
Small to medium-sized businesses are not the only ones affected by security breaches related to their personnel; high-profile companies, such as Equifax in 2017, have suffered embarrassing and expensive breaches because of a failure to adhere to internal policies and controls around personnel security.
Regardless of your business size, a Personnel Security Policy is integral to managing your employees and proactively protecting your company from security threats.
Worried about how secure your business is, or wondering if there is anything you can do to improve your security? Edge Networks can help! Schedule a call with us or take our free, self-guided IT Security Risk Assessment.