Organisations face a constant flow of incoming and outgoing staff members, and it's not an unusual issue to deal with. However, when an employee from a security department leaves the firm, whether due to a better opportunity, being fired, retiring after 40 years or any other reason, there is always a higher risk of security vulnerability.
A transitioning employee, particularly one with privileged access, could maliciously use their company's passwords, encryption keys and other sensitive data after they leave, whether for their own or a less scrupulous future employer's benefit. To ensure employee loyalty and conformance to company rules, the company should implement appropriate policies and enforcement from the very first day of employee recruitment.
Monitoring of security staff actions needs to be something staff know that they have signed up to on joining, and whenever it changes, to ensure your organisation is not in breach of data protection and anti-surveillance policies of the jurisdiction in which you work. Being unprepared could create hassle and a complicated security situation for the organisation as well as result in employee resentment.
Also, most companies ignore insider threats and focus on external cyber-security threats, which creates security loopholes. Therefore, a company should take measures to ensure a safe employee transition without the risk of potential intrusions.
Ways to reduce vulnerability risks at the time of employee transition
The initial step of an employee transition should commence with carrying out an expedient access check. It is necessary to carry out a proper review that can expose all the access permissions granted to the leaving employee.
Once the access has been identified, it should be terminated by resetting all the passwords linked to those accounts. Also, the passwords could be transferred to an employee still working for the organisation. An important aspect that should not be ignored when dealing with these passwords is the potential sharing of these key codes by the transitioning employee. Most of the time, employees share their passwords with colleagues to handle a sudden emergency that could happen in their absence due to vacations, routine absenteeism or other reasons.
An efficient solution to reduce insider risk is the use of a centrally managed password repository that could be maintained through a password manager. A centrally controlled vault could be used to deposit all the login credentials, from where access could be granted to employees according to their job responsibilities. The technique provides an easy way to monitor employee access through a dashboard display. Therefore, it would be a small task to report on the applications accessed by an employee when he/she is leaving the organisation.
It could also deal with the issue of a password being shown in plain text while it is shared between users, and it would allow users to launch a direct connection to the site/application without seeing the password.
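The access review described above can be produced directly from a central vault's records. The following is an added example, not part of the original article: it works on a constructed audit export (the field names, the `reveal`/`launch`/`share` action names, the users and the credential names are all hypothetical and do not follow any real password manager's format) and lists what to revoke, which passwords the leaver saw in plain text and should therefore be reset first, and which credentials the leaver shared with colleagues.

```python
from collections import defaultdict

# Constructed sample audit export; field and action names are hypothetical.
AUDIT_LOG = [
    {"user": "jsmith", "credential": "fw-admin", "action": "reveal"},
    {"user": "jsmith", "credential": "backup-svc", "action": "launch"},
    {"user": "jsmith", "credential": "vpn-gateway", "action": "launch"},
    {"user": "jsmith", "credential": "vpn-gateway", "action": "share", "target": "adoe"},
    {"user": "adoe", "credential": "vpn-gateway", "action": "reveal"},
    {"user": "adoe", "credential": "hr-portal", "action": "reveal"},
    {"user": "jsmith", "credential": "siem-root", "action": "reveal"},
    {"user": "jsmith", "credential": "siem-root", "action": "launch"},
]

# Constructed vault entitlements: credentials each user is currently granted.
GRANTS = {
    "jsmith": {"fw-admin", "backup-svc", "vpn-gateway", "siem-root", "dns-admin"},
    "adoe": {"vpn-gateway", "hr-portal"},
}


def offboarding_plan(leaver, grants, audit_log):
    """Build the access-review report for one departing user."""
    revealed = set()            # passwords the leaver saw in plain text
    shared = defaultdict(set)   # credential -> colleagues it was shared with
    for event in audit_log:
        if event["user"] != leaver:
            continue
        if event["action"] == "reveal":
            revealed.add(event["credential"])
        elif event["action"] == "share":
            shared[event["credential"]].add(event["target"])
    granted = set(grants.get(leaver, ()))
    return {
        # Every grant is withdrawn, used or not.
        "revoke": sorted(granted),
        # Seen in plain text, so the leaver may still know these: reset first.
        "rotate_first": sorted(revealed),
        # Granted but only launched or never used: reset after the above.
        "rotate_next": sorted(granted - revealed),
        # Shares made by the leaver that need a current employee as owner.
        "shared_with": {c: sorted(u) for c, u in sorted(shared.items())},
    }


if __name__ == "__main__":
    for step, items in offboarding_plan("jsmith", GRANTS, AUDIT_LOG).items():
        print(f"{step}: {items}")
```

The split between `rotate_first` and `rotate_next` only orders the work; every password linked to the leaver's accounts is still reset.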
Centrally managed employee accounts
Centrally managed accounts are a way to ensure account security soon after an employee decides to leave the company. Critical documentation should be simplified, especially when dealing with sensitive accounts such as company credit cards, remote access accounts, server administration accounts, network logins, voicemail accounts and workstation user accounts.
Such accounts carry important details which, if exploited criminally, could cause immense loss to the organisation. Therefore, such accounts should be deactivated as soon as possible.
But also remember that restoring data from backups taken before the employee transition could also restore the employee's remote access, user and administrative accounts.
Employees working in an organisation should be carefully monitored and their actions recorded through detailed documentation. Regular tracking of an employee's routine activities could simplify the transition process, as you could transfer remaining or incomplete projects to other employees. But the important thing to consider here is that an employee may alter important data or files prior to leaving the job.
Therefore, having a complete record for an individual from day one could guard you against any vulnerability or malicious intent that could harm your organisation.
Shaping incident response can become really easy if your organisation has a proper logging system. However, security compromises due to inadequate record procedures are a great setback for organisations when an employee is retiring from the firm.
Proper logging facilities enable a firm to track an employee's behaviour or malicious activity in real time without a hectic, prolonged effort. A passive logging server is worth considering for this purpose, capable of “listening in” to network traffic and able to log data for the server without particularly identifying the server as the logged data's destination.
Organisations without such resources can eliminate the risk of any furtive activity through active and direct logging to systems outside the authorised access responsibilities of a given employee.
Pre-planned incident policy
Many organisations face data breaches due to an inefficient incident policy, or the complete absence of one, for avoiding vulnerability exploitation by departing staff. Similarly, an incident action plan for employment transition is required not just for business continuity but also to ensure appropriate security against future intrusions.
Departing employees are an issue not often considered as potentially affecting a company's cyber-security. However, insider threat is one of the major contributors to cyber-attacks and data breaches, and it particularly applies when an employee leaves while maliciously keeping sensitive data including passwords, key codes, etc.
But a pre-planned policy with on-time implementation could reduce insider threats and vulnerability exploitation when an individual leaves the company.
Contributed by Peter Buttler, Information security journalist.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.