How to plan for increased security risks resulting from the Great Resignation
The Great Resignation is sweeping the world, and the causes and impacts are still being analyzed. Texas A&M University professor Anthony Klotz coined the term, predicting an unusual rise in voluntary resignations as employees anticipated the global pandemic coming to end and life returning to normal. Many employees stayed longer in roles because they were uncertain of the future during the pandemic, while frontline workers experienced an elevated level of burnout due to increased stress. Workers in all industries are looking for new opportunities and leaving past roles behind.
IT and security staff are resigning too, feeling increased stress from managing more remote employees, a rapid transition to the cloud that didn’t allow time for them to gain cloud expertise before making the leap, and a rise in cyberattacks globally. Finding and retaining security talent is an ongoing challenge, one that exposes organizations to increased risk because there simply aren’t enough security experts available.
Most employees, certainly in technology companies but in other industries as well, are required to undergo security training and sign non-disclosure agreements (NDAs) when they join a company. That’s frequently the last time they consider security training, how they use personal devices for company communications and data, and what data belongs to the company and what data they’re permitted to share externally or take with them when they leave. Much of this information is only communicated in an NDA, a document that’s rarely read carefully or reviewed regularly. This may result in reduced adherence to security rules and practices — and, consequently, data losses. Some disgruntled employees may even be tempted to disclose sensitive information or leave security holes to allow them to access the company’s IT infrastructure after departure.
All employees have access to secrets, whether that’s a product strategy document, internal lists of sales prospects or customers, or other internal communications or presentations that aren’t intended for external consumption. Security and engineering teams have access to many internal systems, passwords, and secrets. When many employees leave an organization in a brief period, risks increase because there are so many things to take care of for so many people at the same time.
How to ensure employees, especially security staff, are off-boarded appropriately
Off-boarding employees can pose challenges for any organization. In the past year, data exfiltration incidents increased due to employees taking data, systems access, or both with them when they exit. This is when organizations can refer to their onboarding plan to create a successful off-boarding plan, one that includes people, process, and technology.
Rather than taking a reactive approach to employees leaving the company, embrace a readiness-mindset and prepare for departures in advance. To do that, here are essential steps to take so that you’re ready for employee departures:
- Nurture the culture in your organization. This isn’t something you start when your employee gives their notice — it’s something they’re part of from the moment they join your team. Having good interpersonal relationships, sharing values, and identifying and handling personnel issues quickly and appropriately will help you keep your employees and turn them into advocates for your company after they leave. They’ll refer candidates to you, become mentors or contributors in another capacity, or even return for another role in the future. Having a positive relationship makes employees far less likely to pose a threat to your security profile.
- Conduct an exit interview through Human Resources to get honest feedback from your employees. When employees are ready to move on to a new opportunity, take the time to ask them for suggestions, learn about problem areas, and build bridges for future relationships even after departure. Whether they’re leaving for a promotion, more flexibility, or because they’re ready to retire, their input can still influence HR decisions around benefits and culture.
- Create a knowledge transfer plan. Don’t wait until their last day to find out all the unique knowledge your employees hold. Most of that information probably isn’t in the job description, so documenting it (and having departing employees train your new hires, if possible) will help new employees become productive more quickly.
- Review the materials signed during onboarding and security training. Many employees have no idea that the data they take with them increases the security risks for their organizations. Make sure that the person reviewing it with them understands these issues and can communicate them effectively.
- Collect company assets. This includes office keys, key cards, laptops, cell phones, badges, corporate credit cards, and any other physical devices that you want returned. Keep a list and track all company assets that you’ve given employees to make sure you get these assets before they leave the building. If employees are keeping an asset, such as a laptop or cell phone, ensure that the data stored on it meets your requirements for employee data retention. For personal devices, former employees need to delete company apps and accounts.
- Don’t forget digital access. Whether it’s access to a GitHub repository, Jira, Confluence, the company’s social media accounts, company email and workplace communication platforms, or anything in between, make sure that access ends when employment ends. This helps you make sure that the right people have access even after the employee leaves and reduces the likelihood of you needing to contact them to resolve something when it’s no longer their responsibility. Off-boarding should also include deleting data belonging to former employees and any cloud accounts tied to those employees.
- Use single sign-on (SSO) and authentication tools. These technologies can help you manage access in as few places as possible, simplifying your tasks as employees leave. For engineering and security employees, make sure your team doesn’t hard code secrets or embed credentials in code. It’s poor security practice at any time and will allow access even after employees have departed and all other access has been disabled.
Successfully off-boarding security staff introduces some added considerations. While the preceding steps are still critical, security staff have increased access and knowledge when it comes to your systems and infrastructure. Once again, people, process, and technology all play a role. Monitor and audit access to sensitive corporate data, particularly noting whether they’re being accessed by computers or IP addresses outside of the corporate network. Former employees also still have relationships with current staff, so flag and investigate unusual activity there as well.
Adopting a zero-trust framework will help you protect resources even when critical security staff members leave the organization. Putting clear and easily repeatable processes in place can also help you reduce security risks due to departing staff, such as turning off email access but automatically forwarding all email and voicemail to a supervisor so that nothing gets missed. Your process should also include rolling any secrets they have access to promptly, rotating access, and removing their accounts from every system.
Automation can help you manage the Great Resignation
Although the Great Resignation poses some challenges, it also creates new opportunities. Now is an excellent time to accelerate automation. There has long been a talent gap in cybersecurity and cloud skills, and the increased resignations mean there are fewer people available to do those critical jobs, but it’s not all bad news. Advances in technology can allow people to focus attention on the areas that can’t be automated.
The urgency to convert manual work into automated, machine-driven work is increasing, and artificial intelligence, machine learning, data science, and other new technologies make much more automation possible. Leaders need to use this time to ensure that the now-limited workforce focuses on increasing automation across the board.
Key areas where increased automation can play a critical role include detection, response, and recovery. In the past, all three areas relied heavily on people, because processes were reactive, slow, and chaotic. Increasingly, technology can automate more of the forensics and incident response processes, accelerating time to resolution and easing the burdens on security teams.
While automation and technology will not completely remove the need of people, they can dramatically decrease it by changing how much time people need to spend on different activities, hence increasing their productivity and reducing their burn-out. Using technology and automation reduces manual, error-prone processes and gives security teams the time and tools they need to focus on building a security practice that is ready and resilient to cyberattacks.
The rapid shift to the cloud, significant spike in cyberattacks, and resignations in the security workforce necessitate the rapid evolution of cybersecurity. Organizations are hard-pressed to prevent catastrophic breach events. Cybercriminals are adopting more automation and technology to carry out attacks at scale, and defenders must evolve from a primarily people-oriented posture to one that embraces automation and modern technology to become more resilient to attacks.