Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

6/5/2017
08:00 AM
Greg Kushto
Greg Kushto
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Securely Managing Employee Turnover: 3 Tips

Don't let the process spiral into organizational chaos. Here are steps you can take to keep your company safe.

Sometimes it's mutual, other times it's not. Either way, it's inevitable: employees — entry-level and executive alike — come and go. Unfortunately, we often overlook the risks and vulnerabilities that employee turnover can introduce, particularly from an IT security standpoint.

Although disgruntled employees and whistleblowers raise the most alarm, don't be naive: not every outbound worker is an Edward Snowden or a Chelsea Manning, and risks aren't limited to bad intentions. Even people who leave on the best of terms can cause problems.

Consider, for instance, an employee who takes copies of a report he wrote, believing it might be of value to his professional portfolio. Two years later, he's looking for a new position and, with no sense of malice whatsoever, shares that portfolio during the interview process. Unfortunately, that document also happens to contain highly sensitive information — and the organization where he's interviewing happens to be a major competitor. It's all too common: an estimated 60% of employees admit to taking corporate data when they leave an organization.

Of course, that's just one example of what could go wrong: There are countless more. That's why organizations need a comprehensive, exhaustive strategy to manage employee exits. Let's look at some ways to prevent employee turnover from spiraling into organizational crisis.

Tip 1: Access Should Be Discussed and Planned ASAP
The moment someone submits a resignation letter, there should be immediate action. In theory, everyone knows this. Unfortunately, too few organizations have a cohesive, documented strategy for dealing with the problem in all its variations.

It's not just a matter of immediately removing access — nor is that always practical. If you fire someone, sure, lock down his or her accounts and change the passwords. But what about an employee who is simply transitioning from full-time to a consulting role with the organization? That person may need some access.

Taking effective action before someone leaves requires collaborative, preemptive effort and planning from multiple departments or teams. Business leaders should sit down with IT and HR staff to determine not only who notifies the appropriate parties that someone is leaving but also who's responsible for modifying that person's access and when.

Tip 2: If You're Not Immediately Removing Access, Start Tracking Activity
Once organizations know someone is leaving, they should begin tracking the employee's behavior until his or her departure, right up until access is denied. Take care to review any recent network activity even before that person handed in a resignation, when he or she was less likely to be monitored for suspicious activity. Many people will copy files and emails and take work they feel entitled to before they hand in their notice. After all, at the end of the day we're human beings who, after investing so much time and effort in our work, don't want to relinquish our rights to it.

Check out the all-star panels at the 'Understanding Cyber Attackers & Cyber Threats' event June 21 and get an in-depth look at your cyber adversaries. Click here to register. 

Effective behavior tracking requires your IT and security operations teams to prioritize monitoring the individual's actions — which they can't do until they know the person is leaving. If necessary, IT staff can categorize a user's activities so that behaviors typically deemed low-risk receive more attention.

If possible, look as far back as your resources allow. Accomplishing this requires the ability to look back and track specific downloads and file types by user. Fortunately, many organizations already have the tools to do this.

If data lives in the cloud, organizations should consider investing in a cloud access security broker or next-generation firewall. If not, network anomaly detection is another alternative.

Tip 3: Inform Employees of Their Access
Looking down from the top, organizational leaders often may not realize the extent of their employees' access — including whether they have access to data they shouldn't. And, of course, no matter what restrictions you put in place, human beings inevitably find their way around network restrictions if they think it will make things faster and easier.

Ultimately, you should know every employee's access level well before that resignation letter drops. This requires sitting down with individuals or teams to understand their duties and responsibilities — along with what kind of data they need to fulfill them. A paper checklist isn't enough: you need a face-to-face, deep-dive meeting to gauge access, system usage, and, most importantly, whether the individual is doing anything outside the job description.

Without this, organizations will never have a full understanding of how employees use the network and which parts they use, including those employees with one foot out the door. Consequently, whenever employees leave, those responsible for cleaning up will again and again find themselves scrambling to figure out where their access needs to be cut, while simultaneously looking for theoretical warning signs — a time-consuming and, without a solid strategy, often fruitless task.

In short, managing the exit of employees doesn't just happen. It requires a collaborative, organization-wide plan with the right processes and systems in place and ready for action. The alternative is a chaotic, last-minute scramble requiring significant effort and reduced productivity for those left behind to pick up the pieces.

Related Content:

Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JulietteRizkallah
50%
50%
JulietteRizkallah,
User Rank: Ninja
6/6/2017 | 4:18:54 PM
too little too late
I would argue that if an organization worries about resigning employees' access to systems, apps and data they missed the point.  They should worry about any employees, contractors, customers or partners' access to sensitive data at any time and especially during the Joiner/Mover/Leaver lifecyle events. That is why idenity management is so much in demand right now, firewalls, including next-gen firewalls, will be of little help compared to the governance and control of an IGA solution.
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10100
PUBLISHED: 2019-07-16
NASA CFITSIO prior to 3.43 is affected by: Buffer Overflow. The impact is: arbitrary code execution. The component is: over 40 source code files were changed. The attack vector is: remote unauthenticated attacker. The fixed version is: 3.43.
CVE-2019-10100
PUBLISHED: 2019-07-16
BigTree-CMS commit b2eff67e45b90ca26a62e971e8f0d5d0d70f23e6 and earlier is affected by: Improper Neutralization of Script-Related HTML Tags in a Web Page. The impact is: Any Javascript code can be executed. The component is: users management page. The attack vector is: Insert payload into users' pro...
CVE-2019-10100
PUBLISHED: 2019-07-16
PluckCMS 4.7.4 and earlier is affected by: CWE-434 Unrestricted Upload of File with Dangerous Type. The impact is: get webshell. The component is: data/inc/images.php line36. The attack vector is: modify the MIME TYPE on HTTP request to upload a php file. The fixed version is: after commit 09f0ab871...
CVE-2019-13612
PUBLISHED: 2019-07-16
MDaemon Email Server 19 skips SpamAssassin checks by default for e-mail messages larger than 2 MB (and limits checks to 10 MB even with special configuration), which is arguably inconsistent with currently popular message sizes. This might interfere with risk management for malicious e-mail, if a cu...
CVE-2019-10100
PUBLISHED: 2019-07-16
Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Scripting (XSS) - CWE-80. The impact is: Execute java script code on users browser. The component is: web app. The attack vector is: the victim must open a ticket. The fixed version is: 2.3.1, 2.2.2 and 2.1.3.