With recession fears mounting, companies have kicked off 2023 by shedding employees in a wave of layoffs affecting major corporations such as Amazon, Goldman Sachs, and Salesforce, as well as many other companies.
A mass exodus of employees can create gaps and potential threats – and it’s a challenge for security teams to keep up. A departed employee could still have valid access privileges. Employees recently laid off could take data or even hardware with them, or have that hardware maliciously intercepted when in transit back to headquarters. And it’s not limited to people within a company—third-party partners and vendors also have access to systems. If those organizations don’t have the proper controls in place, employees leaving partner companies may still have access to systems they worked with. Departing employees may also be the ones who manage these partner relationships, creating an even bigger gap in managing security risks and possibly compounding them if both organizations are reducing staff.
In addition to the more visible ramifications, layoffs also put a heavy burden on security staff—themselves possibly reduced in numbers—as they are faced with anticipating and addressing a range of security issues. During such times, organizations also often cut back on resources. In times like those we’re seeing this year, when it comes to business continuity versus security, business continuity usually edges out security. Companies looking to cut costs via layoffs or other means are likely to shy away from cutting revenue-producing roles and resources and focus instead on cost centers to make short-term, high-impact reductions. Many of these are often valuable security resources and technologies—including those used to manage and control employee access. In the case of Salesforce, for instance, laying off 10% of its workers equates to thousands of employees whose access suddenly needs modification. With reduced headcount and resources, this becomes a significant undertaking. Automation can help here, but it’s not foolproof without proper staffing and checks in place.
With an eye toward supporting security teams in protecting data from unauthorized access, especially during a tumultuous stretch, here are four access controls security teams should pay attention to, both within their own organizations and among their third-party partners and vendors.
- Entitlements management.
Identity management isn’t just controlling who has access to a network, but it’s also controlling what kind of entitlements, or privileges, employees have. Privilege creep has become a common problem in any enterprise. Some employees may have worked in multiple departments and carried an expanding list of privileges as they moved from one job to another. Employees who needed one-time access to a certain system may still have that access. Layoffs also can increase the insider threat, as some departing employees may look to take data or equipment—such as laptops or smartphones—with them, possibly to help them with their next job.
Data gleaned from our platform, which collects, validates and analyzes data on third-party risks from more than 100,000 participants, shows that 91% say they enforce access control policies and only 9% don't. Those numbers can change, up or down, during times of widespread layoffs. Knowing whether third-party partners and vendors are applying thorough access controls is an important factor in protecting company data.
- Entitlement suspension.
Start by getting visibility into who has access to what. Then suspend privileges when they are no longer needed. Examples of this include when employees change jobs within a company, when a task that required one-time access gets completed and especially when an employee leaves the company. If the company doesn’t do a full scrub of departed employees’ network identities and access privileges, the company is vulnerable. Our platform’s data shows that 87.1% of respondents say they suspend entitlements in response to policy violations or anomalous behavior. That leaves 12.9% that don’t. It’s like leaving the key to your house under the mat, and everyone knows it's there.
- Access reviews.
Employees are often given way more privileges than they need, either intentionally or unintentionally. In many instances, malicious actors can compromise credentials, gain access to the network and then escalate their privileges to steal sensitive data, deploy malware or do other significant damage. Conduct access reviews periodically to evaluate access rights for all of an organization’s employees and third parties to prevent this.
- Access deprovisioning.
Unlike provisioning, which sets up an employee with access during onboarding, deprovisioning should occur whenever an employee leaves a company or changes roles within an organization. And while most (89.7%) participants on our platform say they implement a standard access deprovisioning process across the enterprise, more than one in 10 do not.
Make deprovisioning an immediate task once this change gets made. But as mentioned, in the face of widespread layoffs, there are many accounts that need deprovisioning, and resources and staff are both stretched thin. It may take a while for employee access to come to the forefront, yet during this waiting period, an organization is a sitting duck.
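One way to get the visibility that entitlement suspension, access reviews and deprovisioning all depend on is to reconcile an HR roster against an account export and rank what is still open. The sketch below is an added example, not code from the article or from CyberGRX; the record layout, role baselines, entitlement names and all sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample exports (not from the article): an HR roster and an
# identity-provider account list that share an employee id.
HR_ROSTER = [
    {"emp_id": "E100", "status": "active", "role": "sales", "term_date": None},
    {"emp_id": "E101", "status": "terminated", "role": "engineer", "term_date": date(2023, 1, 9)},
    {"emp_id": "E102", "status": "active", "role": "support", "term_date": None},
    {"emp_id": "E103", "status": "terminated", "role": "finance", "term_date": date(2023, 1, 18)},
]
ACCOUNTS = [
    {"user": "asmith", "emp_id": "E100", "enabled": True, "ents": {"crm"}},
    {"user": "bjones", "emp_id": "E101", "enabled": True, "ents": {"repo", "prod-admin"}},
    {"user": "clee", "emp_id": "E102", "enabled": True, "ents": {"tickets", "crm", "prod-admin"}},
    {"user": "dkim", "emp_id": "E103", "enabled": False, "ents": {"ledger"}},
    {"user": "vendor-x", "emp_id": "V900", "enabled": True, "ents": {"crm"}},
]
# Hypothetical per-role entitlement baselines and privileged entitlement names.
ROLE_BASELINE = {"sales": {"crm"}, "engineer": {"repo"},
                 "support": {"tickets"}, "finance": {"ledger"}}
PRIVILEGED = {"prod-admin"}


def review_access(roster, accounts, baseline, today):
    """Return (user, finding, days_exposed, privileged) tuples, worst first."""
    people = {p["emp_id"]: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already suspended or deprovisioned
        person = people.get(acct["emp_id"])
        priv = bool(acct["ents"] & PRIVILEGED)
        if person is None:
            # No HR record: e.g. a third-party account nobody internal owns.
            findings.append((acct["user"], "no-hr-record", 0, priv))
        elif person["status"] == "terminated":
            days = (today - person["term_date"]).days
            findings.append((acct["user"], "departed-still-enabled", days, priv))
        else:
            # Privilege creep: entitlements beyond the current role's baseline.
            extra = acct["ents"] - baseline.get(person["role"], set())
            if extra:
                findings.append((acct["user"], "excess:" + ",".join(sorted(extra)), 0, priv))
    # Privileged accounts first, then longest time since departure.
    return sorted(findings, key=lambda f: (not f[3], -f[2], f[0]))

if __name__ == "__main__":
    for row in review_access(HR_ROSTER, ACCOUNTS, ROLE_BASELINE, date(2023, 2, 1)):
        print(row)
```

Ranking privileged accounts and the longest-open departures first gives a stretched team a work order for the waiting period described above.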
Each of those access controls is part of an overall access management strategy, but each plays an important part in protecting an organization’s data and assets. When considering working with third-party partners, vendors, and other stakeholders, their own approaches to access management are as important as the company’s. Remember, many of these organizations’ employees have access to the company’s data or network. And, when third parties have access to company systems, they bring their own vulnerabilities with them.
Security teams should ensure they have visibility into which vendors do not have these controls in place and determine the level at which they engage with these vendors. This will help to create a prioritized strategy of remediation. If a vendor only misses one control and has minimal access to data and systems, don’t put it at the top of the list. Harvesting data and insights on cyber risk will give visibility into where the highest risk resides, so in times of reduced staff and resources, teams can work more efficiently.
Frank Price, chief technology officer, CyberGRX