Question: How can you keep your SaaS applications secure in the face of employee turnover?
Noam Shaar, CEO and Co-Founder of Wing Security: In short, you need the right tools.
The fluidity of today's workforce and the accelerated pace at which people change jobs creates new cybersecurity challenges for companies. The average worker in the United States will work for 12 employers over their career, with the typical tenure just over four years. Each employee who exits will leave a trail of external access points that create potential vulnerabilities.
When employees switch companies and roles, access points are left open. Bad actors can use this access to infiltrate networks and steal valuable assets, including proprietary information and financial data. According to a poll from OneLogin, an identity management firm, nearly one-quarter of IT decision-makers said a failure to deprovision employees from corporate applications contributed to a data breach. Of those, 47% said more than 10% of all data breaches resulted from ex-employees.
Organizations likely have multiple exposed accounts that can provide entry points for malicious activity. In one high-profile case, a former engineer at Cisco was sentenced to two years in prison for compromising the company's network after he left, deleting thousands of Webex accounts. This, of course, is just one of the known incidents.
While many software-as-a-service (SaaS) applications offer built-in security controls, businesses should not assume they remain secure because they come from a big-name vendor. Threat actors often conspire or sell attack methods to break into these systems, or they will take advantage of organizations they already can access.
A SaaS security solution can help security teams understand who uses all of these applications and make sure the apps and usage are both secure. This not only strengthens overall security, it can quickly show gaps often left by offboarding. Best practices include:
- Use tools to watch for inconsistencies. Multiple products being used by a large number of people often reveals a pattern of use. When behavior steps out from that norm, it is often a sign that something is amiss. Leverage a tool that can monitor this behavior and alert your team when necessary.
- Weed your garden. It's critical to mitigate risks by getting rid of unaccessed apps — there's no use for them, and they create a potential opening. When it comes to apps, the company motto should be, "If they're not being used, we probably don't need them."
- Automate offboarding tasks where possible. HR staff must keep tight rein during employee offboarding. One important task is notifying the technology team to discontinue access, which can easily be automated with a security and monitoring solution. While HR members still will want to notify technology leaders, having safeguards in place can eliminate gaps just in case that process gets overlooked.
SaaS applications have improved efficiency and expanded remote work capability, but employees no longer want to spend their entire careers with a single company. The rising number of applications and rate of turnover has increased risk. This risk can be managed with the correct tools and processes, but too many organizations have yet to change their mindset.