WHAT: Courion Corporation, leaders in access governance, provisioning, and compliance, has released its "five golden rules" - a set of best-practice-based guidelines for enterprises to reduce the security risk posed by temporary workers hired during the holiday season. Inadequate access controls for seasonal employees can lead to significant financial and brand damage for organizations and their customers, as was seen in the recent case of the temporary AT&T worker who stole the Social Security numbers of 2,100 co-workers and took out loans totaling more than $70,000 in their names, or the Bank of New York temp who siphoned $1M from customers by setting up "dummy" bank accounts.
DETAILS: A CareerBuilder survey found that nearly one in five companies plan to hire temporary employees in Q4 2009 to meet the holiday rush, and 25% of these employers will add more than 50 workers. Additionally, FedEx and UPS announced they will hire 64,000 temporary employees to meet increased shipping needs this holiday season. As companies take on these additional temporary workers, it is imperative that they apply and enforce stringent Access Assurance policies across all three phases of the employment period - time of hire, duration of employment, and contract completion - to help ensure protection of confidential company and customer information.
Ironically, many enterprises do not have dedicated security policies and controls for temporary workers, due to IT staff capacity limitations or the misguided belief that short-term workers "don't have enough time" to be dangerous. Courion recommends that enterprises address this gaping hole in their security armor by adopting its "Five Golden Rules" for Access Assurance, which include:
1. Clearly defining temporary roles - At the time of hire, it's important to immediately define access for temporary employees to company resources based on each worker's specific job function. This is an efficient and secure way to enable (and later easily disable) access for temporary workers, particularly for organizations hiring in large numbers.
2. Differentiating between roles of full time and seasonal employees - Whether or not role-based access is being used, temporary employees should only have access to those systems that are required to perform their job function. Supplying blanket access based on full time employees' roles can introduce unnecessary risk.
3. Employing a combination of detective and preventive controls - Detective controls like identity management and access provisioning provide a clear access profile that defines who has access to what. This should be combined with preventive controls such as data loss prevention (DLP) and security information and event management (SIEM) solutions to protect critical data stores and verify that workers' activity aligns with their job function and standard employee activities. Accessing systems and data remotely or at unusual hours could signal suspicious intent.
4. Disabling access immediately once an employee leaves - Ensure that employees are immediately de-provisioned when the employment period ends, leaving no gap between their official departure and the time when access is shut off. This prevents vulnerabilities due to "zombie" accounts - those that remain active and accessible to former employees.
5. Disabling all access inside and outside the organization - Shutting off network access is not enough when disabling departing employee access. The growing number of applications hosted in the cloud requires the IT manager to disable access to accounts at each system level, both on the network and in the cloud.
To arrange an interview with experts who can discuss all aspects of the security risk posed by temporary workers, contact:
Mariah Torpey, Davies Murphy Group, [email protected], 781-418-2404
Courion's award-winning Access Assurance solutions are used by more than 400 organizations and over nine million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion's business-driven approach results in unparalleled customer success by ensuring users' access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at www.courion.com or our blog at blog.courion.com/, or find us on Twitter at twitter.com/Courion.
To view this release online, go to: http://www.courion.com/company/press_release.html?id=523
Courion is a registered trademark. All other company and product names may be trademarks of their respective owners.