Why it's Essential to Tighten Cybersecurity Loopholes in Staffing Decisions
You might not think the personnel moves you make could lead to a cyberattack or data breach, but in today's workplace, the risks are real. And the decisions you make when hiring, promoting, transferring, and terminating employees can directly impact your ability to maintain a cyber-secure business.
Here we look at ways to keep cybersecurity top of mind when staffing so you can avoid the risks that come with the territory.
When Hiring
Vet all new hires with reference and background checks to ensure they're legitimately qualified to work for you. But it pays to remember that any new employee—technically trained or not—can be the cause of a cybersecurity incident.
Therefore, it's critically important that new hires understand boundaries when accessing your business' network and data, sensitive or otherwise.
Clarify Access
Before the new hire begins, clarify access levels to digital and physical assets so there's no confusion within the company. This way, everyone understands what's accessible and off-limits, especially the new employee.
This means IT may have to grant or block permissions on the network for the new hire, and security might have to issue key cards. Take care of these details before the new hire's arrival, so there are no gaps in coverage.
Outline Policies
Provide all new hires with your company's acceptable use and technology policies. They should read these policies and acknowledge that they've received them, that they understand the rules for keeping the digital workplace secure, and that they understand the penalties for not complying.
The point of hire is also a great time to emphasize the critical role new employees play in maintaining a culture of security awareness, and that adhering to policy is an expectation instilled in the company culture.
When Promoting, Demoting, and Transferring
When an employee is promoted, demoted, or transferred to another position, it's important to remember to adjust access privileges accordingly.
This may mean issuing new badges, key cards, or digital clearances that reflect the rise in position, or revoking privileges in the case of a demotion or transfer to a different area of the company. It may also mean redefining any networks or groups impacted by the change.
These changes should be made and communicated to IT and security immediately so that access privileges aren't overlooked or inadvertently extended.
Failure to do so can leave windows of opportunity where, for example, a demoted and disgruntled employee can access areas or information that are now off-limits and cause harm.
Terminations
Employees can leave under a variety of circumstances. In any case, taking appropriate and timely steps is crucial to ensure their departure doesn't compromise information security.
Step 1: Inform IT and Physical Security
The first step you should take when an employee is terminated is to notify IT and security so that access to digital and physical assets can be revoked immediately.
Step 2: Collect Access Assets
Retrieve key cards, keys, VPN tokens, and other items that can be used to get past physical or digital barriers to your company.
Step 3: Conduct an Exit Audit
Arrange for a briefing with the terminated employee so you can verify that assets have been collected, including thumb drives, laptops, phones, or anything else of value.
Step 4: Terminate Accounts
Ensure you revoke access on all system accounts, including VPN and remote access, email, networks, voicemail, online meeting apps, financial accounts, and others. And don't overlook applications that reside outside your organization, such as Salesforce.
If the employee leaves at an agreed-upon date, such as two weeks out, use the time to ratchet back access, which can simplify the transition to termination.
Once the termination is complete, you can audit the former employee's accounts periodically to ensure that critical files or confidential resources are no longer accessible. Former employee accounts are frequently targeted by cybercriminals, another reason to check back.
Remember, any former employee who still has access to company assets is a potential data breach. The sooner you cut off access, the less likely your company is to suffer negative consequences.
Staffing decisions and information security go hand in hand. Keeping in mind the guidelines outlined here, you can manage your employees effectively while protecting your company.