When employee offboarding becomes a security vulnerability
When employees leave the company, everyone from HR to IT knows what needs to be done. But IT security is consulted too rarely, and security gaps and unwanted data leakage are the result.
A rude awakening after being fired: In a recent case, an employee at a U.S. credit union destroyed 21 GB of confidential data after she was terminated. Although she was already perceived as a potential threat, IT had disabled her network access too late. For about 40 minutes, the person was able to remotely access the file server and delete data. The damage amounted to 10,000 US dollars. This is not an isolated incident, as the Ponemon Institute shows in its "Insider Threats Report 2020" study. The nearly 1,000 companies surveyed worldwide stated that almost one in four security incidents caused by employees was due to criminal motives, and 14 percent involved the theft of credentials. The fact that one in six incidents is "only" due to negligence does not make the situation any better. Each incident ultimately costs time and money to repair the damage.
From analog peccadillo to digital crime
Obviously, gone are the days of disgruntled leavers stealing pencils or maliciously mishandling files. Today, sensitive digital information is copied surreptitiously, business contacts are taken away and, in the worst cases, files on the network are manipulated or deleted. The peccadillo of the analog world turns out to be a crime in the digital one.
These examples clearly show that the utmost care is required in offboarding, and this is where the IT security department plays a greater role than previously assumed. Today, it is no longer enough to collect the employee smartcards and work devices (from notebooks to smartphones) and deactivate the e-mail inbox. Rather, all access to messengers, tools, cloud services, networks and the like must also be changed or closed. This is not yet included in the offboarding checklists of many companies, or only to some extent.
The situation becomes really critical when employees have decided to leave the company long before they actually go. In practice, the problem of "internal resignation" has a direct impact on security-related behavior: these people often no longer take security policies very seriously, are less careful when dealing with e-mails or disclose sensitive data. In the worst case, this behavior represents an enormous potential risk over a longer period of time. Experts compare these actors with so-called internal perpetrators, who can be classified as a security risk due to deliberately negligent behavior or criminal intent. The European Union Agency for Cybersecurity (ENISA) has recognized the problem of internal perpetrators and included it in its list of top 15 threats.
When insider knowledge is exploited ...
But this is not the end of the story. Even after leaving, ex-employees remain a source of danger. In May 2021, for example, Ruag reported an alleged hacker attack on its own IT systems. And the search for clues baffled the experts: there was no evidence of an attack in the log files. The suspicion quickly arose that former company employees, with their insider knowledge, were responsible. Against this background, employee offboarding should definitely be included in IT risk management. At present, this happens even less frequently than the consideration of employee departures from a security perspective. In many companies, risk management focuses primarily on the physical security of IT. This is absolutely right, because most risks arise from the threats posed by all digital devices in use. More and more, however, the spotlight is shining on "soft factors" that can cause a security incident. This primarily refers to employees in general, who influence the company's security level through their behavior. But supervisors and even administrators also become a risk if they set up processes carelessly or communicate ambiguously. Or, as in the case of employees leaving, if IT security is not fully considered in the process. Successful risk management stands and falls with the evaluation of all risks.
Secure offboarding: Short checklist for IT security
Company leaders are well advised to revise the offboarding process in terms of IT security as quickly as possible. Often, existing checklists simply need to be expanded or guidelines adapted to the situation. Experts also recommend expanding risk management to include threats posed by the departure of employees. In this way, financial damage and loss of reputation due to departing ex-colleagues can be effectively avoided.
In addition, IT managers should definitely use these basic processes:
- Revoke access rights and reset passwords for all apps and services
- Block building access
- Reclaim all physical devices of the company
- Prevent email forwarding and file sharing
- Assign licenses to other users
- Conduct an exit interview to check for suspicious behavior
- Carry out a final review of monitoring/logging tools for indications of unusual activity
- Involve the human resources department or a lawyer if suspicious activities are detected
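One way to carry out the final log review from the checklist, as an added example that is not part of the original article: it compares HR termination times with access-log entries, measures how long an account stayed usable (the 40-minute gap in the credit union case) and marks activity that continues after the account was disabled. The log format, the `ACCOUNT_DISABLED` action name, the user names and all sample lines are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data: HR termination times and merged access-log lines
TERMINATIONS = {"jdoe": "2021-03-01T14:00:00", "asmith": "2021-03-02T09:30:00"}
ACCESS_LOG = """\
2021-03-01T13:55:10 jdoe vpn LOGIN
2021-03-01T14:05:42 jdoe fileserver DELETE /finance/q1.xlsx
2021-03-01T14:38:03 jdoe fileserver DELETE /board/minutes.docx
2021-03-01T14:40:00 jdoe directory ACCOUNT_DISABLED
2021-03-02T09:10:00 asmith mail LOGIN
2021-03-02T09:30:00 asmith directory ACCOUNT_DISABLED
2021-03-02T11:15:00 asmith cloud API_TOKEN_USED
2021-03-03T08:00:00 bnguyen fileserver READ /hr/policy.pdf
"""

def parse_log(text):
    """Yield (time, user, system, action, detail); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3], parts[4] if len(parts) == 5 else ""

def review_offboarding(terminations, log_text):
    """For each departed user, report minutes from termination to account
    disablement and all activity logged at or after termination."""
    report = {u: {"terminated": datetime.fromisoformat(t), "disabled": None,
                  "exposure_min": None, "events": []}
              for u, t in terminations.items()}
    for ts, user, system, action, detail in sorted(parse_log(log_text)):
        entry = report.get(user)
        if entry is None:
            continue  # user is not on the leaver list
        if action == "ACCOUNT_DISABLED":
            if entry["disabled"] is None:
                gap = (ts - entry["terminated"]).total_seconds() / 60
                entry["disabled"], entry["exposure_min"] = ts, max(0.0, gap)
            continue
        if ts < entry["terminated"]:
            continue
        # Activity after disablement means some other credential still works
        late = entry["disabled"] is not None and ts > entry["disabled"]
        entry["events"].append((ts.isoformat(), system, action, detail, late))
    return report

if __name__ == "__main__":
    for user, r in review_offboarding(TERMINATIONS, ACCESS_LOG).items():
        print(user, r["exposure_min"], r["events"])
```

An `exposure_min` of `None` means no disable event was found for that leaver, and an event whose last field is `True` points to an app or service whose access was not revoked along with the directory account.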
Author
Michael Klatte has worked as PR Manager for ESET Germany since 2008. His area of activity includes corporate and B2B communications in the DACH region. ESET is a European company that develops security software already in use by over 110 million users.
> www.eset.ch