6/5/2017
08:00 AM
Greg Kushto
Commentary

Securely Managing Employee Turnover: 3 Tips

Don't let the process spiral into organizational chaos. Here are steps you can take to keep your company safe.

Sometimes it's mutual, other times it's not. Either way, it's inevitable: employees — entry-level and executive alike — come and go. Unfortunately, we often overlook the risks and vulnerabilities that employee turnover can introduce, particularly from an IT security standpoint.

Although disgruntled employees and whistleblowers raise the most alarm, don't be naive: not every outbound worker is an Edward Snowden or a Chelsea Manning, and risks aren't limited to bad intentions. Even people who leave on the best of terms can cause problems.

Consider, for instance, an employee who takes copies of a report he wrote, believing it might be of value to his professional portfolio. Two years later, he's looking for a new position and, with no sense of malice whatsoever, shares that portfolio during the interview process. Unfortunately, that document also happens to contain highly sensitive information — and the organization where he's interviewing happens to be a major competitor. It's all too common: an estimated 60% of employees admit to taking corporate data when they leave an organization.

Of course, that's just one example of what could go wrong: There are countless more. That's why organizations need a comprehensive, exhaustive strategy to manage employee exits. Let's look at some ways to prevent employee turnover from spiraling into organizational crisis.

Tip 1: Access Should Be Discussed and Planned ASAP
The moment someone submits a resignation letter, there should be immediate action. In theory, everyone knows this. Unfortunately, too few organizations have a cohesive, documented strategy for dealing with the problem in all its variations.

It's not just a matter of immediately removing access — nor is that always practical. If you fire someone, sure, lock down his or her accounts and change the passwords. But what about an employee who is simply transitioning from full-time to a consulting role with the organization? That person may need some access.

Taking effective action before someone leaves requires collaborative, preemptive effort and planning from multiple departments or teams. Business leaders should sit down with IT and HR staff to determine not only who notifies the appropriate parties that someone is leaving but also who's responsible for modifying that person's access and when.

Tip 2: If You're Not Immediately Removing Access, Start Tracking Activity
Once organizations know someone is leaving, they should begin tracking the employee's behavior until his or her departure, right up until access is denied. Take care to review any recent network activity even before that person handed in a resignation, when he or she was less likely to be monitored for suspicious activity. Many people will copy files and emails and take work they feel entitled to before they hand in their notice. After all, at the end of the day we're human beings who, after investing so much time and effort in our work, don't want to relinquish our rights to it.

Effective behavior tracking requires your IT and security operations teams to prioritize monitoring the individual's actions — which they can't do until they know the person is leaving. If necessary, IT staff can categorize a user's activities so that behaviors typically deemed low-risk receive more attention.

If possible, look as far back as your resources allow. Accomplishing this requires the ability to look back and track specific downloads and file types by user. Fortunately, many organizations already have the tools to do this.
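One way to run that look-back over file-access records is sketched below. It is an added example, not part of the original article: the log format, the user names, the sample records, and the thresholds (30-day look-back, 60-day baseline, 3x ratio, 1 MB floor) are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample records (timestamp user action path bytes); not real data.
SAMPLE_LOG = """\
2017-02-20T09:12:00 jdoe download /sales/pipeline.xlsx 2000000
2017-03-14T14:40:00 jdoe download /sales/q1-deck.pptx 5000000
2017-03-30T11:05:00 jdoe download /sales/pipeline.xlsx 2000000
2017-04-20T16:22:00 jdoe download /sales/pipeline.xlsx 2000000
2017-05-02T18:47:00 jdoe download /sales/customers-all.csv 80000000
2017-05-09T19:03:00 jdoe download /eng/design-archive.zip 300000000
2017-05-10T08:30:00 jdoe upload /sales/notes.docx 30000
2017-05-11T10:00:00 asmith download /eng/design-archive.zip 300000000
2017-05-12T09:00:00 jdoe download /sales/all-decks.pptx 20000000
"""

def downloads(log_text):
    """Yield (time, user, file extension, bytes) for download records only."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        if action == "download":
            yield (datetime.fromisoformat(ts), user,
                   PurePosixPath(path).suffix.lower(), int(size))

def lookback_report(log_text, user, notice_date, lookback_days=30,
                    baseline_days=60, ratio=3.0, min_bytes=1_000_000):
    """Flag file types whose daily download volume before notice outgrew baseline."""
    notice = datetime.fromisoformat(notice_date)
    recent_start = notice - timedelta(days=lookback_days)
    base_start = recent_start - timedelta(days=baseline_days)
    recent, baseline = defaultdict(int), defaultdict(int)
    for ts, who, ext, size in downloads(log_text):
        if who != user:
            continue
        if recent_start <= ts < notice:
            recent[ext] += size
        elif base_start <= ts < recent_start:
            baseline[ext] += size
    flagged = {}
    for ext, total in recent.items():
        if total < min_bytes:
            continue
        base_rate = baseline.get(ext, 0) / baseline_days
        # A type never downloaded in the baseline is flagged outright.
        if base_rate == 0 or (total / lookback_days) / base_rate >= ratio:
            flagged[ext] = (total, baseline.get(ext, 0))
    return flagged
```

Each flagged entry maps a file extension to (bytes in the look-back window, bytes in the baseline), so a reviewer sees both new file types and sharp increases in familiar ones.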

If data lives in the cloud, organizations should consider investing in a cloud access security broker or next-generation firewall. If not, network anomaly detection is another alternative.

Tip 3: Inform Employees of Their Access
Looking down from the top, organizational leaders often may not realize the extent of their employees' access — including whether they have access to data they shouldn't. And, of course, no matter what restrictions you put in place, human beings inevitably find their way around network restrictions if they think it will make things faster and easier.

Ultimately, you should know every employee's access level well before that resignation letter drops. This requires sitting down with individuals or teams to understand their duties and responsibilities — along with what kind of data they need to fulfill them. A paper checklist isn't enough: you need a face-to-face, deep-dive meeting to gauge access, system usage, and, most importantly, whether the individual is doing anything outside the job description.

Without this, organizations will never have a full understanding of how employees use the network and which parts they use, including those employees with one foot out the door. Consequently, whenever employees leave, those responsible for cleaning up will again and again find themselves scrambling to figure out where their access needs to be cut, while simultaneously looking for theoretical warning signs — a time-consuming and, without a solid strategy, often fruitless task.

In short, managing the exit of employees doesn't just happen. It requires a collaborative, organization-wide plan with the right processes and systems in place and ready for action. The alternative is a chaotic, last-minute scramble requiring significant effort and reduced productivity for those left behind to pick up the pieces.

Greg Kushto joined Force 3 in 2014 and is the Vice President of Sales Engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers properly align ...

Comments
JulietteRizkallah,
User Rank: Ninja
6/6/2017 | 4:18:54 PM
too little too late
I would argue that if an organization worries about resigning employees' access to systems, apps and data they missed the point. They should worry about any employees, contractors, customers or partners' access to sensitive data at any time and especially during the Joiner/Mover/Leaver lifecycle events. That is why identity management is so much in demand right now; firewalls, including next-gen firewalls, will be of little help compared to the governance and control of an IGA solution.