Let’s be honest, of all years, this is the year where everyone is especially excited for the joys and celebrations that come with the holiday season. But let’s play out a holiday-themed analogy as it relates to identity security and risk mitigation. What if you and your organization are more like Ebenezer Scrooge than you thought? It seems Charles Dickens’s protagonist isn’t the only one being revisited by ghosts of the past lately. Organizations that are dealing with increased and unpredictable turnover this year are being haunted by the access of past, present and future employees.
With much of today’s workforce operating remotely, numerous industries continue to see higher than normal rates of turnover – between layoffs, furloughs and employees choosing to leave and work elsewhere – all from the comfort of their own home. While many companies have processes in place to reclaim their physical devices, are similar steps being taken to guarantee that corporate digital access has been removed or reallocated accordingly? Companies today need to ensure that they are taking control of identity management and not leaving any “ghosts” behind.
In the past nine months, organizations have undergone an enormous transformation, as the remote work environment has become the norm. Consequently, the race to remote work created an explosion of technology access across the workforce, resulting in security and compliance gaps that pave the way for potential data breach opportunities.
Ghosts of the Past
Organizations of all sizes manage through employee turnover – it’s a part of the game. However, companies need to ensure previous employees no longer have access to confidential information and credentials or the ability to download sensitive data that may be harmful. Another common example is a communications team member still having access to their employer’s social media accounts after leaving the company. This digital touchpoint not only offers valuable insight about your organization, but is a public-facing channel that, if used maliciously, could put your organization’s reputation at risk.
According to Verizon’s 2020 Data Breach Investigations Report, ex-employees significantly added to the number of data breaches. One insider attack could potentially cause ten times the harm of an external attack. Whether deliberate or not, ex-employees should not have any room to sabotage a company.
Additionally, SailPoint learned that 1 in 3 U.S. employees stated that they use their own computer and smartphone to enable remote work, meaning that reclaiming physical devices owned by the organization is not enough – access must be addressed in every sense. It’s vital that any ex-employee access to corporate applications and data is immediately revoked.
Ghosts of the Present
Current employees can also pose a risk to organizations, as the line between work and home has blurred. Today’s new remote reality makes it clear that people manage different identities and wear more than one hat throughout the day – as a working professional, teacher, parent, caregiver, etc. As a result, device sharing with spouses, children, and other family members is a typical occurrence, as people try to stay connected during social distancing requirements.
Whether it’s a personal device being used for work, or a work device being used for fun, organizations need to assume that their employee is not the only one with access to their data – inadvertently or not. With over half of U.S. consumers having not changed their work password(s) within the last six months, companies need to think bigger and more holistically about how they protect valuable information. As parents, siblings and grandparents pass around computers at home, organizations need to ensure an employee’s relative isn’t the cause of a security incident—globally, 1 out of 4 people have admitted to sharing a password with a partner, roommates, or friends.
Ghosts of the Future
With news of a vaccine on the horizon, each of us is holding onto a sense of hope right now. This is especially true for global businesses who are looking forward to new growth, rebounds and new hires – both for the office and remote. But that doesn’t diminish these challenges, which are here to stay. Permanent remote work has been widely adopted by many, so the need for long-term internal restructuring is unavoidable. Whether the internal movement entails a promotion, change in office location, etc., it is important that each employee’s access control is closely monitored.
The Scrooge Transformation
As organizations look back in time over the years – much like Ebenezer was forced to face his past – would they say they are content with their security posture? While people may come and go, companies must take steps to ensure they tie up all the loose ends – not just the obvious ones.
Employees play a key role in achieving best in class security and must also look to keep “ghosts” at bay. Here are some tips to consider sharing with your workforce:
- Your password is like your toothbrush—don’t share it and change it often.
- Your Wi-Fi is your lifeline—don’t log in to unsecured networks.
- Your IT team is your best friend—use the tools they put in place, including MFA, security training, and VPN.
- Your assumptions are an Achilles heel—don’t assume somebody won’t hack you.
The pandemic and shift to remote work clearly illustrated that providing “good enough” identity and access controls is not enough. So many businesses rushed to enable access that they skimmed the surface from a security perspective, not fully vetting access requests to guard against too much access, unnecessary access or the “ghosts” I mentioned earlier – employees who have since departed the company but whose access remains intact.
With the holiday season upon us, heed the identity and access management lessons learned by our friend Ebenezer and don’t leave your organization open to the visit of ghosts, past, present or future.
- Ghosts of Identities Past, Present and Future - December 18, 2020