Careers & People
6/5/2017 08:00 AM
Greg Kushto
Commentary

Securely Managing Employee Turnover: 3 Tips

Don't let the process spiral into organizational chaos. Here are steps you can take to keep your company safe.

Sometimes it's mutual, other times it's not. Either way, it's inevitable: employees — entry-level and executive alike — come and go. Unfortunately, we often overlook the risks and vulnerabilities that employee turnover can introduce, particularly from an IT security standpoint.

Although disgruntled employees and whistleblowers raise the most alarm, don't be naive: not every outbound worker is an Edward Snowden or a Chelsea Manning, and risks aren't limited to bad intentions. Even people who leave on the best of terms can cause problems.

Consider, for instance, an employee who takes copies of a report he wrote, believing it might be of value to his professional portfolio. Two years later, he's looking for a new position and, with no sense of malice whatsoever, shares that portfolio during the interview process. Unfortunately, that document also happens to contain highly sensitive information — and the organization where he's interviewing happens to be a major competitor. It's all too common: an estimated 60% of employees admit to taking corporate data when they leave an organization.

Of course, that's just one example of what could go wrong: There are countless more. That's why organizations need a comprehensive, exhaustive strategy to manage employee exits. Let's look at some ways to prevent employee turnover from spiraling into organizational crisis.

Tip 1: Access Should Be Discussed and Planned ASAP
The moment someone submits a resignation letter, there should be immediate action. In theory, everyone knows this. Unfortunately, too few organizations have a cohesive, documented strategy for dealing with the problem in all its variations.

It's not just a matter of immediately removing access, nor is that always practical. If you fire someone, then yes: disable the person's accounts, terminate active sessions and tokens, and rotate any shared or service credentials he or she knew, because disabling an account doesn't make someone forget a password. But what about an employee who is simply transitioning from full-time to a consulting role with the organization? That person may still need some access, so the task is to reduce it to what the new role requires rather than to cut it entirely.

Taking effective action before someone leaves requires collaborative, preemptive effort and planning from multiple departments or teams. Business leaders should sit down with IT and HR staff to determine not only who notifies the appropriate parties that someone is leaving but also who's responsible for modifying that person's access and when.

Tip 2: If You're Not Immediately Removing Access, Start Tracking Activity
Once organizations know someone is leaving, they should track the employee's behavior right up until access is revoked. Take care to review network activity from before that person handed in a resignation as well, when he or she was less likely to be monitored for suspicious activity. Many people copy files and emails and take work they feel entitled to before they hand in their notice. After all, at the end of the day we're human beings who, after investing so much time and effort in our work, don't want to relinquish our rights to it.


Effective behavior tracking requires your IT and security operations teams to prioritize monitoring the individual's actions, which they can't do until they know the person is leaving. Once they do, it makes sense to lower the alerting threshold for that user: behaviors that would normally be deemed low-risk, such as bulk downloads, large email attachments or copies to removable media, deserve more attention during the notice period.

If possible, look as far back as your resources allow. That means retaining logs that attribute specific downloads and file types to individual users, so you can reconstruct what someone took before anyone had reason to watch. Fortunately, many organizations already have the tools to do this.

If data lives in the cloud, organizations should consider investing in a cloud access security broker or next-generation firewall to get per-user visibility into what is downloaded and shared. If the data sits on the internal network, network anomaly detection is another alternative.
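As an added example (not from the article or its author), the following Python script shows one way to do the per-user review Tip 2 describes: it parses constructed file-access log lines, compares each departing user's download volume in the days around notice against that user's own earlier baseline, and lists sensitive file types and off-network copies in that window. The log format, action names, file-type list, window sizes and threshold are all assumptions made for the example.

```python
"""Review a departing user's file activity against their own baseline.

Added example, not the article's or its author's code. All data below is
constructed: whitespace-separated "YYYY-MM-DD user action path bytes" log
lines plus the date each user gave notice.
"""
import os
from datetime import date, timedelta

# Constructed sample log (not real data). alice's volume jumps in the days
# just before she gives notice; bob's stays flat.
SAMPLE_LOG = """\
2017-05-01 alice DOWNLOAD /share/finance/q1-report.xlsx 204800
2017-05-03 alice DOWNLOAD /share/eng/design-notes.docx 51200
2017-05-10 alice DOWNLOAD /share/finance/budget.xlsx 102400
2017-05-15 alice DOWNLOAD /share/hr/policies.pdf 30720
2017-05-22 alice DOWNLOAD /share/finance/customer-list.csv 5242880
2017-05-23 alice DOWNLOAD /share/finance/pricing.xlsx 2097152
2017-05-24 alice DOWNLOAD /share/sales/pipeline.xlsx 3145728
2017-05-24 alice COPY_USB /share/sales/pipeline.xlsx 3145728
2017-05-02 bob DOWNLOAD /share/eng/build.log 10240
2017-05-20 bob DOWNLOAD /share/eng/readme.txt 2048
2017-05-26 bob DOWNLOAD /share/eng/changelog.txt 4096
"""

# Constructed: the day each user handed in notice.
NOTICE_DATES = {"alice": date(2017, 5, 25), "bob": date(2017, 5, 28)}

# Assumed classifications: document types worth a second look, and actions
# that move data off the network rather than merely read it.
SENSITIVE_EXT = {".xlsx", ".csv", ".docx", ".pdf"}
EXFIL_ACTIONS = {"COPY_USB", "UPLOAD_EXTERNAL", "EMAIL_ATTACH"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size = line.split()
        events.append({"date": date.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "bytes": int(size)})
    return events


def review_departing_user(events, user, notice_date,
                          lookback_days=7, baseline_days=21, ratio_threshold=5.0):
    """Compare the window around notice with the user's own earlier baseline.

    Lookback window: from lookback_days before notice onward (the pre-notice
    days the article says are least watched, plus the notice period itself).
    Baseline window: the baseline_days immediately before that. Download
    volume is normalised per day so the two windows compare fairly.
    """
    lookback_start = notice_date - timedelta(days=lookback_days)
    baseline_start = lookback_start - timedelta(days=baseline_days)

    baseline_bytes = lookback_bytes = 0
    sensitive_files, exfil_events = [], []
    for ev in events:
        if ev["user"] != user or ev["date"] < baseline_start:
            continue
        in_lookback = ev["date"] >= lookback_start
        if ev["action"] == "DOWNLOAD":
            if in_lookback:
                lookback_bytes += ev["bytes"]
            else:
                baseline_bytes += ev["bytes"]
        if in_lookback:
            ext = os.path.splitext(ev["path"])[1].lower()
            if ext in SENSITIVE_EXT and ev["path"] not in sensitive_files:
                sensitive_files.append(ev["path"])
            if ev["action"] in EXFIL_ACTIONS:
                exfil_events.append((ev["date"].isoformat(), ev["action"], ev["path"]))

    baseline_per_day = baseline_bytes / baseline_days
    lookback_per_day = lookback_bytes / lookback_days
    if baseline_per_day == 0:
        # No history to compare against: treat any volume as unbounded above baseline.
        ratio = float("inf") if lookback_per_day > 0 else 0.0
    else:
        ratio = lookback_per_day / baseline_per_day

    return {
        "user": user,
        "baseline_bytes_per_day": baseline_per_day,
        "lookback_bytes_per_day": lookback_per_day,
        "volume_ratio": ratio,
        "sensitive_files": sensitive_files,
        "exfil_events": exfil_events,
        "flagged": ratio >= ratio_threshold or bool(exfil_events),
    }


def review_all(events, notice_dates):
    """Run the review for every user who has given notice."""
    return {u: review_departing_user(events, u, d) for u, d in notice_dates.items()}


if __name__ == "__main__":
    for r in review_all(parse_log(SAMPLE_LOG), NOTICE_DATES).values():
        print(f"{r['user']}: ratio {r['volume_ratio']:.1f}, "
              f"sensitive {len(r['sensitive_files'])}, exfil {len(r['exfil_events'])}, "
              f"flagged={r['flagged']}")
```

On the constructed data, alice's notice-period volume is roughly eighty times her own baseline and includes a copy to removable media, so she is flagged; bob's is flat and is not. Comparing each user against their own history, rather than against a fixed byte threshold, is what keeps a heavy-but-normal user from drowning out a light user who suddenly starts pulling customer lists.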

Tip 3: Inform Employees of Their Access
Looking down from the top, organizational leaders often don't realize the extent of their employees' access, including whether they have access to data they shouldn't. And, of course, no matter what restrictions you put in place, human beings inevitably find their way around network restrictions if they think it will make things faster and easier.

Ultimately, you should know every employee's access level well before that resignation letter drops. This requires sitting down with individuals or teams to understand their duties and responsibilities — along with what kind of data they need to fulfill them. A paper checklist isn't enough: you need a face-to-face, deep-dive meeting to gauge access, system usage, and, most importantly, whether the individual is doing anything outside the job description.

Without this, organizations will never have a full understanding of how employees use the network and which parts they use, including those employees with one foot out the door. Consequently, whenever employees leave, those responsible for cleaning up will again and again find themselves scrambling to figure out where their access needs to be cut, while simultaneously looking for theoretical warning signs — a time-consuming and, without a solid strategy, often fruitless task.
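The script below is an added example, not the author's or any product's code, and every role, group and secret in it is constructed. It covers two points from the article: the Tip 3 question of whether someone holds access outside the job description (a diff of actual group membership against a per-role baseline, run across everyone before any resignation arrives), and the Tip 1 mover case of a full-timer becoming a consultant, where the plan lists what to revoke, what to retain, what to grant, and which shared credentials to rotate because a departing person still knows them. The role names, group names and the idea of mapping shared secrets to groups are assumptions for the example.

```python
"""Entitlement review against role baselines, plus leaver/mover planning.

Added example, not from the article. All data is constructed.
"""

# Constructed: the groups each job role legitimately needs.
ROLE_BASELINES = {
    "finance-analyst": {"email", "vpn", "finance-share-ro", "erp-reporting"},
    "finance-consultant": {"email", "erp-reporting"},
    "engineer": {"email", "vpn", "source-repo", "build-servers"},
}

# Constructed directory snapshot: each user's role and actual memberships.
# alice has accumulated two groups her role does not call for.
DIRECTORY = {
    "alice": {"role": "finance-analyst",
              "groups": {"email", "vpn", "finance-share-ro", "erp-reporting",
                         "hr-share-rw", "build-servers"}},
    "bob": {"role": "engineer",
            "groups": {"email", "vpn", "source-repo", "build-servers"}},
}

# Constructed: shared credentials readable by members of a group. Anyone who
# loses the group may still remember the secret, so it has to be rotated;
# disabling the account alone does not cover it.
SHARED_SECRETS = {
    "erp-reporting": ["erp-readonly-db-password"],
    "build-servers": ["ci-deploy-key"],
    "domain-admins": ["break-glass-admin-password"],
}


def excess_access(user):
    """Groups the user holds beyond what their role baseline grants."""
    rec = DIRECTORY[user]
    return sorted(rec["groups"] - ROLE_BASELINES[rec["role"]])


def access_review():
    """Excess access for every user: the list to walk through before notice ever arrives."""
    return {u: excess_access(u) for u in DIRECTORY}


def offboarding_plan(user, new_role=None):
    """Plan for a leaver (new_role=None: revoke everything) or a mover.

    A mover keeps only the groups in the new role's baseline, gains any the
    new role needs that they lack, and triggers rotation of secrets behind
    every group they lose.
    """
    current = DIRECTORY[user]["groups"]
    target = ROLE_BASELINES[new_role] if new_role else set()
    revoke = current - target
    return {
        "revoke": sorted(revoke),
        "retain": sorted(current & target),
        "grant": sorted(target - current),
        "rotate": sorted({s for g in revoke for s in SHARED_SECRETS.get(g, [])}),
    }


if __name__ == "__main__":
    print("excess access:", access_review())
    print("alice -> consultant:", offboarding_plan("alice", "finance-consultant"))
    print("alice leaves:", offboarding_plan("alice"))
```

Two things worth noticing in the output: the consultant plan revokes alice's VPN and file-share access but retains the reporting group her new role needs, and only the deploy key behind the revoked build-servers group goes on the rotation list, because she keeps legitimate access to the reporting database. Running the full review ahead of time is what lets the leaver plan be generated in minutes instead of reconstructed under pressure.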

In short, managing the exit of employees doesn't just happen. It requires a collaborative, organization-wide plan with the right processes and systems in place and ready for action. The alternative is a chaotic, last-minute scramble requiring significant effort and reduced productivity for those left behind to pick up the pieces.

Greg Kushto joined Force 3 in 2014 and is the senior director of security and solutions engineering. In this role, he is responsible for creating comprehensive security solutions for Force 3's client base within both the public and private sector, and ensuring that customers ...

Comments
JulietteRizkallah, 6/6/2017 4:18:54 PM
too little too late
I would argue that if an organization worries about resigning employees' access to systems, apps and data, they missed the point. They should worry about any employees', contractors', customers' or partners' access to sensitive data at any time, and especially during the Joiner/Mover/Leaver lifecycle events. That is why identity management is so much in demand right now; firewalls, including next-gen firewalls, will be of little help compared to the governance and control of an IGA solution.