By Gerry Grant, Chief Security Officer.
One area of cyber security that is often overlooked is the management of new staff and those leaving a company. But it is vital that the on-boarding and off-boarding of employees is handled correctly and not just from a Human Resources point of view.
Let’s start with new employees. Most people will remember their first day at work. The meet and greet of new colleagues, a nice cup of coffee, a welcome from the boss and talking about our hopes for the new challenge ahead. This is quickly followed by being handed piles of policy and procedure documents to read and pointed to online training videos to watch. It’s likely that while quickly scanning and signing the documents and settling in for a long afternoon in front of the PC watching screeds of video footage, all that’s going through their mind is ‘what was that person in accounts called again?’ or ‘I can’t remember where the toilet is.’
The importance of IT policies and procedures is often overlooked. As is training on proper cyber security. It’s another check box, not just for the line manager, who is thinking of the mountain of work waiting for them, but also the new start who is desperate to get stuck into some ‘real’ work rather than all the preamble of training that they probably did at their last job. Afterall, IT policies and procedures are the same, everywhere aren’t they?
Well, they shouldn’t be. Your IT policies and procedures should be shaped to your organisation and take into account the uniqueness of your business and the threats that you may face. Getting staff to buy into and understand the WHY is vital.
Start as you mean to go on
Cyber security is about culture and it is far easier to embed that from the outset rather than fight to change old habits later. When someone new starts, how often do you find that not all of their accounts are set up in time? Humans being humans, this then leads quickly to people sharing accounts and passwords, ‘just to get them up and running’. That’s all very nice, just not for security. Clear lines of communication between the HR department, line manager and IT department would avoid this situation. The IT department need to know in plenty of time who the new employee is, what they need access to and when they start in the new position. HR and the line manager have the responsibility to check with IT that these things are all set up and ready to go before anyone new starts. HR and the line manager need to ensure that IT is available to talk through the policies and the importance of them. Nobody likes to be patronised, but sometimes it is important to cover the basics, especially around the creation of new passwords. Think about it, if someone was to put you on the spot and ask you to create a new password right now, would you be able to create a long strong, unique password? Now, they ask you to create another and another and another. Are they all going to be unique? Unlikely. Now introduce the added pressure of starting a new job and trying to appear keen and remember the multitude of information that is being thrown at you while your new boss stands over your shoulder. It doesn’t bode well for secure choices.
New recruits can be an easy target for criminals. Take, for example, CEO Fraud where the attacker pretends to be the boss of a company and asks an employee to do something they shouldn’t, like transfer funds or purchase vouchers for a ‘prize’. (https://www.fastcompany.com/90372829/im-a-hacker-and-heres-how-your-social-media-posts-help-me-break-into-your-company) These new employees are keen to be seen as helpful and may not fully understand the normal procedures, they almost certainly won’t spot any discrepancies in the language used between the attacker and the genuine CEO.
Leavers need to be planned for too
But it’s not just new employees that you should be worried about. What about when someone leaves your organisation? I’ll bet that most companies are pretty quick to make sure that leavers hand back the physical assets as soon as possible. You wouldn’t want them driving around in that company vehicle or having the key to the front door? There is probably a checklist that HR go through to make sure all these items are handed back in a timely fashion. But what about your digital assets? How quickly does the IT department switch off their email account or disable access to the shared drives? These things are just as vital as making sure that the ex-employee is handing in their old laptop.
According to a survey in 2017 nearly half of businesses say former employees have access to corporate accounts and 20% had experienced a data breach from former employees. (https://www.darkreading.com/vulnerabilities—threats/50–of-ex-employees-still-have-access-to-corporate-applications/d/d-id/1329370) There are plenty examples of individuals that have accessed company data after leaving the organisation. Like the former employee who wiped out his ex-companies’ business critical data that was stored on the cloud causing over half a million pounds of damage and the loss of some jobs. (https://www.welivesecurity.com/2019/03/28/man-jailed-destroying-exemployer-data/)
Again, communication between line managers, HR and IT is critical here. As soon as it is known that an employee is leaving, for whatever reason, then it is important that IT are told what access needs to be revoked and when. IT has a responsibility to ensure that that person’s account is deactivated and any shared passwords, like the WiFi password, are changed as soon as the persons employment ceases. All these things need to be added to the HR checklist to make sure they are actioned in a timely manner.
Make cyber security people-focused
It might seem a bit of overkill to some but thinking about these things could help protect your business for everyone. It’s about making cyber security people-focused and properly communicating the importance of policies and procedures. Like all things involving people, new processes take a while to bed in. So, the earlier you start the better.
To learn more about how Converged can help, get in touch.