
Santa’s Helper: A Cybercriminal’s Best Friend
He’s a phony. He’s a fake. He pretends he’s someone that he’s not. He hangs out in public places…the mall…department stores…festivals & parties…even the zoo. Why? Because he gets paid to talk about toys with children. Gets paid to listen to kids as they share their secret wishes. All while his pointy-eared accomplice takes photo after photo of the whole affair.
In short, the Mall Santa is a problem (albeit a jolly one). But not in the way you’d think…
Santa Claus is a ho-ho-huuuuuge cybersecurity risk.
That’s right; you heard it here first. Santa Claus is, after all, the most famous seasonal employee of all time.
Organizations across most industries hire seasonal help. During the holidays, retailers, shipment carriers, warehouses, and more hire hundreds of thousands of people to help with the rush. It’s not just the holiday season either. In the new year, industries such as fitness & wellness, call centers, and tax services see a rapid influx of seasonal hires as well. Over the summer, the tourist industry, theme parks, and resorts hire seasonal staff to help with their rush.
There are many reasons why a company must quickly bring on a diverse population of workers to help during those busy times. In fact, in 2021 alone, U.S. seasonal job postings reached a record of almost 1 million. While it’s incredibly helpful to have that on-demand help, these seasonal workers introduce identity challenges when it comes to their onboarding, the access they receive, and their offboarding.
Not unlike most extended enterprise relationships, the biggest pain point for organizations is to get these seasonal workers onboarded and working as quickly as possible. That onboarding process includes gathering their personal data, identity proofing, and providing them with access to what they need to be productive for the duration of their employment. Whether that’s a point-of-sale system, work orders, shipment tracking, customer data, or other systems, onboarding seasonal employees quickly is vital so they can add value and contribute to the success of the business.
The effort to rapidly onboard seasonal staff can be so intense that some organizations hire seasonal help just to manage their seasonal help! Unfortunately, the tedium of the onboarding process leads to significant challenges from an identity, access, and risk perspective.
The top 3 seasonal staff challenges that are on the naughty list include:
Identity Proofing: Rarely is anything done to ensure that these individuals are worthy of access. In fact, just over half (53%) of organizations are identity proofing and verifying third-party individuals and organizations before granting them access to company assets! Identity proofing is the first line of defense against today’s attacks on the identity perimeter. Even when organizations do assess risk levels, the assessment needs to be done at the individual level. Too often, organizations will assign all seasonal staff the same risk rating, but shouldn’t the college student who’s being brought in for three weeks be considered lower risk than an engineering specialist filling a yearlong gap on a critical project?
Revalidation: Action isn’t taken to ensure access is updated as a seasonal worker’s relationship with the organization changes. Often a seasonal worker will show promise and be added as a part-time or full-time employee. Or organizational priorities will shift, and seasonal staff are moved to a different project that requires a different level of access. These important changes, however, often go undocumented and leave organizations with little clarity about who has access to what, and why. Audits become manual and painful processes, especially when there’s no centralized authority for identity information. It’s a challenge to remain efficient and secure when the relationship and/or employment status of a seasonal worker isn’t properly documented.
Termination: Seasonal help is often forgotten when it comes to offboarding. Many managers are so entrenched in their day-to-day work that they fail to take the necessary steps to offboard these workers at the right time. An alarming 55% of respondents fail to deactivate third-party workers who no longer qualify to perform duties. Access to data and systems for high-risk populations such as seasonal staff often extends beyond project assignments or contract employment with an organization. This is the equivalent of keeping the doors and windows unlocked beyond Christmas Eve, and then getting surprised when you’re visited by more than just old Saint Nick.
Because of these challenges, organizations become more vulnerable to a breach. The more unnecessary and inappropriate access that is granted to and persists for seasonal workers, the broader the attack surface becomes for an organization. And remember…most breaches can be attributed to third-party access. According to a recent report by PwC, more than 50% of all data breaches can be attributed to a third party (i.e., seasonal staff, contractors, vendors, supply chain partners, consultants, etc.). The numbers are much higher for companies that have an ad-hoc and manual way of handling identity and access management for third parties.
There’s no doubt it’s important to get seasonal staff’s identity and access management done correctly, yet rarely do organizations prioritize it. 84% of all IT security incidents come at the hands of poor identity security hygiene. Over four in five organizations have experienced an identity-related breach in the past year, highlighting a dangerous gap in enterprise cyber security protection. Not taking your organization’s extended enterprise identity protocols seriously is an easy way for your organization to get on Santa’s naughty list!
SecZetta has helped organizations that use seasonal hires by automating the onboarding process, improving identity data flow, and enforcing proactive maintenance of seasonal worker identity data, so you can trust that the record of who has access, why they have access, and when they have access is accurate. To learn more about seasonal identity management challenges, read SecZetta’s Seasonal Staff Identity Risk Solution Brief.
*** This is a Security Bloggers Network syndicated blog from Industry Blog - SecZetta authored by Mike Conti. Read the original post at: https://www.seczetta.com/santas-helper-a-cybercriminals-best-friend/