Now that the holiday season is over and retailers are letting their temporary workers go, IT and cybersecurity teams need to work with legal and human resources staffers to ensure that workers are offboarded properly. Failure to do so could leave retailers' intellectual property and consumers' personal information vulnerable to bad actors, sources say.
In a new survey from Beyond Identity, 53% of employee respondents admitted using their access to harm their former employers, and 74% of business leaders reported suffering damages from former employees exploiting their digital access. One of the greatest cybersecurity risks that retailers face is temporary workers leaving the company with intellectual property or consumers' personally identifiable information, says Brian Wrozek, a CISO at Optiv.
"For the retailer, you have the issues of privacy regulations. They may be forced to disclose that client information is out there [and] is no longer being protected," Wrozek says. "You also have potential contractual liabilities, depending on the information that may be on those USB drives. They may have contracts with their suppliers or their partners, and they may be in breach of those contracts as well."
Human Resources at Risk
For many retailers, potential risks arise before IT and cybersecurity teams can onboard new hires. In the rush to hire temporary employees, HR teams may fail to properly vet candidates, says Dan Leyman, a senior security manager with Capgemini. Therefore, they may not know which employees have a criminal record or a computer programming background, he says.
In addition to not screening employees thoroughly, companies may fail to properly train employees on what systems and networks are acceptable for them to access, or how to spot and alert management if fellow employees pose cybersecurity threats, Leyman adds. During employee onboarding training, workers should be told what information they are and are not allowed to access, as well as how to spot insider threats, he says.
"One of the best ways to prevent and mitigate insider risk is through that awareness training," Leyman says.
Looking for signs of inappropriate activity from temporary workers can be difficult because their digital activity is more unpredictable than full-time employees, Leyman says. Though IT teams can see the files and systems full-time workers typically access, temporary workers' responsibilities may change, meaning that IT teams might not immediately recognize when temporary workers are accessing files beyond their assigned duties, he says.
To keep tabs on the soon-to-be-offboarded temporary workers, retailers' IT teams should maintain communication with the human resources department, the finance department, and other stakeholders to track when workers will leave, Leyman says. Ideally, IT teams can automate that communication between the HR and IT teams so they can increase their monitoring prior to temporary hires' departure, he adds.
"There are software capabilities out there that can help tie those events together. If HR enters a date that so-and-so is going to be leaving, that notification also goes to IT automatically, so that IT knows that's going to happen and can increase their monitoring and plan for that event," Leyman says.
What IT Teams Can Do
Leyman recommends IT teams increase their monitoring of temporary workers' activity about 30 to 60 days before they leave. For temporary workers who are only on staff for a few weeks, IT and cybersecurity teams should monitor them closely throughout their tenure, he says.
In addition to training temporary workers and notifying them that they are being monitored, retailers' IT teams can also use full-time employees as a baseline to measure potentially nefarious activity among temporary workers who are on staff for a brief period, Leyman says. Doing so may lead to more false alarms, but it will ultimately strengthen the protection of the retailers' assets, systems, networks, and data, he says.
"What we find very frequently is employers and organizations that don't do that set themselves up for having that employee access the system and networks after they've left and either cause damage to the systems or networks for whatever reason, whether it's a malicious intent or what have you, or take that sensitive information from the employer," Leyman says.
While retailers conducting threat modeling typically focus on prior risks, such as point-of-sale fraud, it's critical for IT teams to think through unforeseen threats, like temporary workers adding digital backdoors that they can access once they leave, Wrozek says.
To find backdoors left behind by temporary workers, Wrozek recommends looking for once-dormant accounts that have been revived, systems where the security protocols appear to be deactivated, or software and systems that have been altered or deployed beyond their typical release procedures. IT and cybersecurity teams should also monitor outbound traffic and security information and event management (SIEM) event logs after an offloading, he says, or search for signs of data leaving unexpectedly. Retailers can also hire third-party firms to conduct an internal breach assessment or red-team exercise to find breach indicators, he adds.
Even if retailers' IT and cybersecurity teams have automatically disabled contractor accounts, they should also periodically double-check to make sure those accounts are actually disabled, Wrozek says. It's wise for IT departments to automatically schedule temporary workers' accounts to disable every three months, six months, or annually, just in case managers forget to place a request. Doing so could limit how long the company could be exposed to potentially unauthorized activity, he says.
HR teams should be flagging non-employee records or the procurement database to denote that they are a contractor, temporary worker, etc., Wrozek says. Using that database, retailers' IT and cybersecurity teams can create manual or automated procedures to set a timeout limit on temporary workers accounts or run periodic reports, he says. Once HR teams set up temporary workers with their necessary credentials, IT and cybersecurity teams should step in to automate the auditing process, he adds.
Automating Access Where Possible
IT teams need to automate as much of the offboarding process as possible, which could be challenging if temporary workers have access to multiple software-as-a-service, cloud-related applications, Wrozek says.
"Sometimes those may not be integrated into your more traditional on-premises applications, so they might get missed," Wrozek says. "You think an employee has been removed, but they may still have direct access to an Amazon or Microsoft cloud application. Those are concerns that we're hearing. 'How do I automate and take all of this into account and make sure that we're covered?'"
Most identity and access management (IAM) solutions and privileged account management (PAM) tools, such as Okta and SailPoint, have account provisioning and deprovisioning built into their process, but IT teams must make sure this automation is working properly. This is why audits are crucial, Wrozek says.
Temporary workers' duties may shift during their time at the company, so IT teams also need to track and revoke access from systems that short-term hires will no longer need, Leyman says. If retailers have temporary workers with access to shared or group accounts, such as administrator or automation accounts, they'll need to change the password and cross-check how well those applications are protected, Wrozek adds.
How retailers execute their threat mitigation efforts varies based on their size. Larger retailers are likely to have more mature IT and cybersecurity teams and protocols and can check on their automation tools and alerts more frequently, but smaller companies may have only one or two people to monitor cybersecurity threats, Wrozek says. Though some executives may view cybersecurity software as another expense, meetings between IT and cybersecurity teams and other departments could advocate for more investment, Leyman adds.
"They may not have the funding that they need to purchase that software, but stakeholder meetings are a viable alternative to create those relationships and that information flow," Leyman says.