How to Effectively Control Access During High Employee Turnover
“Fire at will!” In recent months, tech companies seem to have taken this line quite literally, with staff layoffs happening at a remarkable rate. The tech industry saw significant growth following the pandemic, triggering a hiring spree that came to a swift halt due to macroeconomics and market instability.
Although employee turnover is not unheard of in the tech industry, the 2023 outlook has been different. Interestingly, layoffs weren’t the first thing to hit the job market. The Great Resignation preceded the current news, where scores of employees quit their jobs for more lucrative roles and offers.
However, one thing remains constant whenever employee turnover happens – your risk profile. Regardless of the organization’s size, letting go of your employees adds a new threat to your security posture. This is why you need a robust strategy to better secure your secrets and prevent other confidential information from slipping out of your internal control.
In this article, we will review the condition of the current job market, security threats attributed to employee turnover, and the best practices for implementing stronger access control.
Where are we now with the rollercoaster tech jobs market?
Remember when we all feverishly debated what the “new normal” would look like in the post-pandemic world? Remote and hybrid working made the workplace an entirely strange concept. With restrictions, uncertainty, and economic instability on the horizon, everyone held on to their jobs dearly. Then, the shift happened.
As Texas A&M professor Anthony Klotz rightly put it, “When there’s uncertainty, people tend to stay put, so there are pent-up resignations that didn’t happen over the past year.” Over 71 million people quit their jobs between April 2021 and April 2022, according to the US Bureau of Labor Statistics. It led to a panic in the market, and tech companies launched a hiring spree to fill their vacant seats, leading to exponential salary growth and fierce competition for top tech talent.
It wasn’t just startups that burned through the investor money and were now cutting jobs to improve their financials. The Big 4 of the tech industry – Meta, Alphabet, Amazon, and Microsoft – accounted for 50,000 job cuts, while Twitter made the controversial move to release 50% of its staff. Economic instability, automation, and AI capabilities are cited as reasons for the mass layoffs. All in all, the tech industry has witnessed one of the most historic employee turnovers ever seen.
Meanwhile, the current circumstances are expected to cause catastrophic cyberthreats in the next two years, according to a 2023 survey by the World Economic Forum. As companies become more stringent with budgets and reduce discretionary spending, security could take a backseat at a time when it should be the priority.
Is cybersecurity the biggest victim in all this?
The cost of employee turnover goes beyond money. Almost every employee will have access to company secrets, and many are stored on personal devices in light of the remote working boom. This puts cybersecurity at absolute risk when employees part ways with an organization voluntarily or involuntarily. In particular, security challenges arise because of two key aspects of employee turnover.
Incompetent off-boarding processes
Departing from an organization always leaves a bad taste in the mouth. It becomes quite evident during the offboarding process, which could be a challenging affair regardless of how amicable the whole experience seems.
Your ex-employees – who might feel malicious – could still have access to your applications, network, and other cloud services, which significantly increases your attack surface. Even if all they retain is leftover access to work emails and instant messaging spaces, they can still use it for social engineering attacks. Sounds improbable? Well, it happens more than you think. According to IBM’s Cost of Data Breach 2022 study, malicious insiders accounted for 8% of total cybersecurity attacks last year.
Regardless of how thorough your exit processes are, gaps are always possible. Most organizations don’t go beyond reclaiming IT assets. In fact, 48% of executives even recognized and accepted the deficiencies in their offboarding processes, according to YouGov’s 2022 State of Corporate Offboarding Process Automation report.
New folks bring in new challenges
While outgoing employees pose intentional and unintentional security risks, incoming employees make it a double whammy. As they’re not yet aware of the organization’s security and compliance policies, they become easy targets for email phishing and other social engineering attacks. Also, giving newcomers access to your secrets is a tricky endeavor. It all boils down to “how much can you trust them just yet?” There’s always the option to authorize access in a phased manner, but its feasibility is subjective.
Intricate workplace setups create complex offboarding processes
Although the security threats caused by employee turnover aren’t likely to end any time soon, we might see an uptick due to changing circumstances. For example, the U.S. Federal Trade Commission plans to ban noncompete clauses imposed on employees. If they are abolished, your employees will be free to join your competitors. In simple words, it will be a cybersecurity nightmare.
In the current climate, companies need a cybersecurity-focused offboarding process to control access to sensitive information. But in reality, it is a rather dismal situation. A Beyond Identity survey found that only 9% of exiting employees met with an IT team as a part of their offboarding process, while only 41% were asked to return digital keys.
With workplaces becoming more intricate, featuring remote setups, hybrid models, and on-prem stations, access controls are tricky to manage. Employees will need uninterrupted access to whatever resources they need for their job, and the access control must be reclaimed by the organization as swiftly as possible upon their exit. Any lapse in terminating access rights can cause data loss, data breaches, unused account billing, and breach of confidentiality. No matter how much you trust your ex-employees, the data says otherwise: a huge 60% of employees admitted to taking data “from job to job.”
Is there a “right” way to control access after onboarding?
Include IT protocols as part of the exit process
Design a rulebook on how IT privileges must be reclaimed once an employee decides to leave. Most organizations leave it until the employee steps out of the door to revoke access controls. However, you should ideally implement IT protocols at the moment when the departure is finalized.
Disable cloud account access immediately
In a remote work setup, as soon as an employee completes the exit interview, their access to any IT resources and accounts, including work emails, must be revoked.
Implement an asset management system
Maintaining a list of all the assets that an employee handles is key to ensuring you always know who has access to what. These assets can be hardware (laptops and pen drives), software, IT systems, and networks.
Implement a SIEM system
A SIEM (Security Information and Event Management) system will help you monitor your network and requests bouncing against it. If it receives any illegitimate authorization calls, they will be blocked instantly.
Optimize licenses and subscriptions
When an employee leaves, most of the licenses they had access to and subscriptions they used are left unattended. Even if former employees are not accessing them, you might be bleeding money in wasted spending. You should take over access to these accounts and assign the resources to someone else.
Limit file sharing and email forwarding
Often, employees send important information to their personal email IDs from the work email. You can prevent them from transferring files relating to their specific career and job particulars, and set up filters to block email forwards that contain critical business data.
Make exit interviews part of security screening
Every organization has a policy-mandated set of questions to be asked during an exit interview. It is essential to include a few queries that revolve around the technical aspects of their work, like platforms they used, subscriptions they depended on, and so on. This way, you can get a checklist to evaluate access control.
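One way to run the reconciliation these practices call for, as an added example (not code from the article or from Check Point): it cross-checks an HR departure list against an access inventory and a sign-in log to surface entitlements that outlived the employee's exit. The sample data, field layout, and function names are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data (not from the article).
DEPARTURES = {  # user -> moment the departure was finalized (UTC)
    "alice": datetime(2023, 3, 1, 17, 0, tzinfo=timezone.utc),
    "bob": datetime(2023, 3, 10, 12, 0, tzinfo=timezone.utc),
}
INVENTORY = [  # (user, asset, kind, still_active)
    ("alice", "corp-email", "cloud-account", False),
    ("alice", "ci-deploy-key", "digital-key", True),
    ("bob", "crm-seat", "license", True),
    ("carol", "corp-email", "cloud-account", True),
]
SIGNINS = [  # (ISO 8601 timestamp, user, asset)
    ("2023-03-01T16:30:00+00:00", "alice", "corp-email"),
    ("2023-03-04T02:11:00+00:00", "alice", "ci-deploy-key"),
    ("2023-03-09T09:00:00+00:00", "bob", "crm-seat"),
    ("2023-03-12T08:45:00+00:00", "carol", "corp-email"),
]

def lingering_access(departures, inventory, as_of):
    """Entitlements still active at `as_of` for users who have already left."""
    return sorted(
        (user, asset, kind)
        for user, asset, kind, active in inventory
        if active and user in departures and departures[user] <= as_of
    )

def post_departure_signins(departures, signins):
    """Sign-ins by a departed user that happened after the departure time."""
    hits = []
    for ts, user, asset in signins:
        when, left = datetime.fromisoformat(ts), departures.get(user)
        if left is not None and when > left:
            hits.append((user, asset, when - left))  # how long after the exit
    return hits

def offboarding_report(departures, inventory, signins, as_of):
    """Lingering entitlements, flagged when they were actually used after exit."""
    used = {(u, a) for u, a, _ in post_departure_signins(departures, signins)}
    return [
        {"user": u, "asset": a, "kind": k, "used_after_exit": (u, a) in used}
        for u, a, k in lingering_access(departures, inventory, as_of)
    ]

if __name__ == "__main__":
    now = datetime(2023, 3, 15, tzinfo=timezone.utc)
    for row in offboarding_report(DEPARTURES, INVENTORY, SIGNINS, now):
        print(row)
```

Rows with `used_after_exit` set are the ones to investigate first; the rest are revocation and license-reclaim work.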
Building trust in the age of employee turnover
Let’s face it, the recent tech industry turbulence has made extremely high employee turnovers commonplace now. With the consistent shift that global markets are witnessing, employees quitting or being terminated will continue. While picking the right access control methodology is critical, no system is ever fully secure. Although employees departing an organization is sometimes a harsh blow to fathom, the added threat of security risks can push leadership into paranoia. Such fear will only breed discontentment among rank and file.
Besides ensuring the offboarding process is as cordial and courteous as possible, irrespective of who initiated the breakup, you must be pragmatic in closing the cracks within your security posture by revoking access controls entirely. Moreover, regular auditing and continuous monitoring will ensure robust cybersecurity.
Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies. Dotan was the co-founder and CEO at Spectralops, which was acquired by Check Point Software, and now is the Head of Developer-First Security. Dotan is an experienced hands-on technological guru & code ninja. Major open-source contributor. High expertise with React, Node.js, Go, React Native, distributed systems and infrastructure (Hadoop, Spark, Docker, AWS, etc.). https://www.checkpoint.com/