Poor Offboarding Leaves Organizations Open to Threats

A lot of talk these days centers around companies leaving money on the table by not maximizing cost savings, but more egregious in today’s risk-filled environment is leaving security on the table. That’s just what organizations are doing by not properly offboarding former employees, giving them plenty of opportunities to breach defenses and conduct malicious activities.

During the Great Resignation, with employees quitting in droves, this oversight is particularly dangerous, leaving companies vulnerable to any number of security issues. And research from Beyond Identity found that former employees are taking advantage of their continued access to corporate resources. In fact, a whopping majority of former employees surveyed (83%) said they continued to access the accounts at their previous place of employment even after leaving the company. Nearly one-quarter hung on to a password well after they departed.

And organizations are feeling the consequences of their poor offboarding habits. Three-quarters of those surveyed said they were “negatively impacted by an employee breaching their digital security.” And, alarmingly, 56% of employees “used their continued digital access to harm their former employer,” the study said.

Leaving a job “is becoming more and more common these days, whether voluntarily as part of The Great Resignation, forcibly as part of pandemic-related layoffs, or somewhere in between,” according to a Beyond Identity blog post. “Consequently, employers are increasingly confronted with the issue of how to maintain cybersecurity amid mass staff departures.”

The survey polled more than 1,000 employers and employees from Ireland, the UK and the U.S., and it appears that many organizations are not doing the best job at maintaining cybersecurity during these departures. While 70% of employees surveyed said they underwent formal exit processes, “the offboarding process clearly requires a different approach in today’s unprecedented climate,” researchers at Beyond Identity said.

Offboarding was most likely to be handled by a supervisor (33%) or HR (31%), though in some cases it fell to a coworker (13%). For half of the respondents, the process included returning company devices; fewer were shepherded through returning security keys or tokens (41%) and wiping personal information or documents from company devices (40%).

Only a little over one-third were taken through the process for forwarding email (38%), completing an exit interview (36%) and/or deleting or resetting certain accounts (35%).

“Moving beyond the people involved and into the mechanics of the process, we found that, at best, only half of employers were taking even the most basic precautions for their company’s cybersecurity,” Beyond Identity researchers wrote.

After their employment ended, former workers still had access to an old email account (35%), work-related materials on a personal account (35%), social media (31%), a software account (31%), shared files or documents (31%) and an account with a third-party system (29%) as well as access to another employee’s account (27%), backend system (25%) or the company’s financial information (14%).

While U.K. employers did better at restricting continued access—only 67% retained access versus 87% in the U.S. and 88% in Ireland—the numbers still suggested an unacceptable and unnecessary level of risk.

Employees are maintaining contact information for former co-workers (33%) and saving conversations with them (31%). But perhaps more troubling, they’ve taken company ideas (27%), notes on work completed (25%), client contact information (25%), process-related documents (24%) and passwords (24%).

They are using that access to do a variety of things—from accessing social media accounts (36%) and sifting through emails on company accounts to taking company documents (31%) and using a corporate account to gain access to software (29%), among other activities.

“While some of these behaviors may seem harmless—perhaps an employee just wanted to stay in contact with a work friend—these are all examples of insider threats,” Beyond Identity researchers wrote. “The constant possibility of human error means that every time an employee logs onto the company network, they put their company’s digital security at risk.”

Beyond Identity recommends taking the following steps to counter insider threats:

  • Verify code commits: Only let verified corporate identities commit source code.
  • Set up strong security policies.
  • Audit users. Who has authorized access to sensitive infrastructure? Do they still need the access they have? Remove inactive and dormant accounts now to save you from security headaches later.
  • Be vigilant. While you’ll never have to worry about most employees, that doesn’t mean you should monitor the behaviors of your privileged users any less than you would an outside threat. Your capability to detect insider threats will be much higher if you trust no one.
  • Implement zero-trust. By nature, a zero-trust network considers any connection a potential threat no matter its source and provides access to sensitive data on an as-needed basis. Transitioning from the castle and moat mentality of traditional IT security to one where no user or device is automatically trusted will significantly decrease insider risk.
  • Use watch lists effectively. There will be users who require more monitoring from time to time, but if you’re not careful, these lists can bog down your IT department with needless work. Investigate and remove them from the list as soon as possible.
  • Enlist the help of your users. Be sure to give your users an easy method through which to report suspicious activity. Educate employees on what to look for and what to report.

And, one more thing: Tighten up offboarding processes to reduce or eliminate threats from former employees. There’s really no excuse for not locking the door when employees leave under any circumstances.
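
One way to run the user audit and offboarding check described above, as an added example that is not from Beyond Identity or the original article: it reconciles an HR departure list against an account inventory and flags accounts still enabled or used after the owner's last day, plus dormant accounts. The record layout, finding names, 90-day dormancy threshold and sample data are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the survey): HR departures and an
# account inventory exported from the kinds of systems the article lists.
DEPARTED = {"asmith": date(2022, 3, 4), "bjones": date(2022, 3, 18)}
ACCOUNTS = [
    # (system, account, owner, enabled, last_login)
    ("email", "asmith@example.com", "asmith", True, date(2022, 3, 20)),
    ("file-share", "asmith", "asmith", False, date(2022, 3, 1)),
    ("third-party-crm", "bjones", "bjones", True, date(2022, 3, 10)),
    ("backend", "cdoe", "cdoe", True, date(2021, 11, 2)),
    ("email", "dlee@example.com", "dlee", True, date(2022, 3, 30)),
]

def audit_accounts(accounts, departed, today, dormant_days=90):
    """Return (system, account, finding) tuples, most severe first."""
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for system, account, owner, enabled, last_login in accounts:
        left_on = departed.get(owner)
        if left_on is not None:
            # Use after the last day is reported even if the account has
            # since been disabled: it is evidence for incident response.
            if last_login is not None and last_login > left_on:
                findings.append((system, account, "LOGIN_AFTER_DEPARTURE"))
            elif enabled:
                findings.append((system, account, "ENABLED_AFTER_DEPARTURE"))
        elif enabled and (last_login is None or last_login < cutoff):
            # Current staff, but the account has not been used recently.
            findings.append((system, account, "DORMANT"))
    order = {"LOGIN_AFTER_DEPARTURE": 0, "ENABLED_AFTER_DEPARTURE": 1, "DORMANT": 2}
    return sorted(findings, key=lambda f: (order[f[2]], f[0], f[1]))

if __name__ == "__main__":
    for system, account, finding in audit_accounts(ACCOUNTS, DEPARTED, date(2022, 4, 1)):
        print(f"{finding:24} {system:16} {account}")
```

Running the same reconciliation on a schedule, against every system where former staff in the survey kept access (email, shared files, third-party and backend accounts), turns the audit into a standing control.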

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
