Safe offboarding in the spotlight as tech layoffs mount
Increased turnover puts a strain on existing offboarding processes – especially manual ones – for departing employees and contractors. Recent high-profile layoffs at major technology companies have put the spotlight on this issue.
Meanwhile, efforts to limit access to sensitive corporate information become increasingly complex as data access points proliferate.
The rise of the distributed workforce, cloud computing, working from home and shadow IT suggest that a comprehensive offboarding policy is necessary, aided by automation.
However, a recent survey by Oomnitza found that nearly half of IT managers have doubts about their company’s onboarding and offboarding automation capabilities.
The study found that a third of businesses lose more than 10% of their technology assets when workers leave, and more than four in 10 (42%) said they had experienced unauthorized access to SaaS applications and cloud resources.
Deployment of ETM to strengthen endpoints and applications
Ramin Ettehad, co-founder of Oomnitza, explains that enterprise technology management (ETM) solutions, with built-in integrations, rich analytics and simplified workflows, allow organizations to define and continuously improve onboarding and offboarding processes.
“They can strengthen the onboarding user experience by ensuring the right endpoints, accessories, applications and cloud resources are available at the start, so the new hire can be productive on day one,” he says.
These solutions can also enable secure offboarding by ensuring endpoints and their data are secured, software licenses are reclaimed and access to systems, SaaS and cloud resources is disabled.
Furthermore, departing workers’ e-mail, applications and workplaces can be redistributed automatically to ensure business continuity.
“All of this is done with true process automation across teams and systems, and is not driven by tickets and requests, which rely on manual workloads and are prone to delays and errors,” adds Ettehad.
Cyberhaven CEO Howard Ting explains that most organizations today have a single sign-on product that can turn off an employee’s access to all apps with one click and device software that can lock and remotely wipe a laptop.
“While many companies today cut off access as soon as, or even before, they notify employees they’re being let go, people can sense what’s coming, and they preemptively collect customer lists, design files, and source code in anticipation of losing access,” he adds.
When an employee leaves voluntarily, companies have even fewer tools to prevent data exfiltration because the employee knows they will be leaving before their employer.
While many organizations monitor employees more closely from the time they give notice to quit until their last day, a Cyberhaven survey found that employees are 83% more likely to take sensitive data in the two weeks before they give notice when they are under less scrutiny.
Coordination of offboarding programs
Ting says the best employee offboarding programs are coordinated across HR, IT, IT security and physical security teams working together to protect company data and assets.
The HR team completes departures and notifies employees, IT ensures that access to apps and corporate laptops is turned off in a timely manner, the physical security team disables access to corporate facilities, and the IT security team monitors for unusual behavior.
“These teams perform specific tasks in sequence on the day an employee or group of employees is released,” he says.
Ting adds that he also sees more companies monitoring for employees putting company data on personal devices or applications. As part of offboarding, these companies make the separation agreement conditional on the employee returning or destroying that company data.
Ettehad adds that managing and enabling an external workforce today requires leaders to break down silos and automate important technological business processes.
“They need to connect their key systems and orchestrate rules, policies and workflows across the technology and employee lifecycle with conditional rules-based automation of all tasks across teams and systems,” he says.
The need for “controlled haste”
Tom McAndrew, CEO of Coalfire, calls for “controlled haste” to tackle the safe offboarding challenge.
“When we look at identity management more broadly, it can often be a complex problem that spans many applications, internal, external, SaaS, on-prem, and so on,” he says. “The identity strategy is the focal point. The fewer sources of identity and access control there are to manage, the more automation can support these operations at scale.”
He argues that when HR and information security don’t work as a team, it’s easy to see platforms being spun up as point solutions rather than looking at the “what-if” scenarios.
“Every system that is not integrated with a core identity platform becomes yet another manual task or another tool that must be invested in to solve a problem that could have been avoided with sensible planning,” he says.
McAndrew adds that a rogue employee with authorized access to critical, sensitive information is a significant threat.
“When you consider the potential risk of a disgruntled employee, coupled with an HR team struggling to deal with a significant volume of turnover, it’s easy for mistakes to be made and for frustrated or disgruntled employees to take matters into their own hands,” he says.
He warns that this can also trigger legal complications, which often require additional professional forensic support, making a bad business decision even more costly.
Unauthorized access to SaaS and cloud apps a big challenge
Corey O’Connor, director of product at DoControl, a provider of automated SaaS security, points out that unauthorized access to SaaS applications and cloud resources is an identity security issue for both human and machine identities.
“However, preventive controls and detective mechanisms can help reduce the risk of unauthorized access,” he explains.
This means that full visibility and a complete inventory (i.e., users, assets, applications, groups and domains) will enable security and IT teams to put appropriate preventive controls in place.
“From there, implementing detective mechanisms that identify high-risk or abnormal activity” is the next step, he says.
Application-to-application connectivity, including machine identity, must also be secure; otherwise, the organization increases the risk of supply chain-based attacks.
“Machine identities can be overprivileged, unsanctioned, and not within the security team’s visibility,” he says. “When compromised, they can provide unauthorized access to sensitive data in the application it’s connected to.”
This means that both human user and machine identities need preventive controls and detective mechanisms to reduce risk.
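The coordinated offboarding sequence described above (HR marks the departure, IT disables access and reclaims licences, security reviews what remains) and the inventory-driven controls O’Connor describes both reduce to the same reconciliation: compare the HR roster against every place an identity can live, including the machine identities a person authorised. The script below is an added example and is not code from Oomnitza, Cyberhaven or DoControl. The HR roster, account lists, OAuth-style grants, scope names and hostnames are all constructed for the example, and the “high-risk scope” list is an assumption a real team would replace with its own.

```python
"""Offboarding reconciliation across HR, identity and SaaS inventories.

Added example, not code from Oomnitza, Cyberhaven or DoControl. It takes the
"complete inventory" the article calls for (workers, accounts, grants) and
produces the task list IT and security must work through: accounts to
disable, licences to reclaim, orphan accounts with no HR owner, and
machine-identity grants to revoke or review. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Worker:
    email: str
    status: str                      # "active" or "terminated" (from HR)
    last_day: Optional[date] = None  # final day of employment


@dataclass(frozen=True)
class Account:
    system: str             # SSO, SaaS app or cloud account the login lives in
    owner: str              # e-mail of the human owner
    enabled: bool
    licensed: bool = False  # paid seat that should be reclaimed on exit


@dataclass(frozen=True)
class Grant:
    app: str                # integration / OAuth app acting as a machine identity
    owner: str              # human who authorised it
    scopes: FrozenSet[str]
    sanctioned: bool        # reviewed by the security team?


# Assumed list of scopes the security team treats as high-risk.
HIGH_RISK_SCOPES = frozenset({"files.read_all", "mail.read_all", "admin"})

Task = Tuple[str, str, str]  # (action, system-or-app, owner)


def reconcile(roster: Iterable[Worker], accounts: Iterable[Account],
              grants: Iterable[Grant], today: date) -> List[Task]:
    """Return the revocation/review tasks implied by the inventories on `today`."""
    known = {w.email for w in roster}
    departed = {w.email for w in roster
                if w.status == "terminated" and w.last_day is not None
                and w.last_day <= today}
    tasks = set()
    for a in accounts:
        if a.owner not in known:
            tasks.add(("orphan-account", a.system, a.owner))   # no HR record at all
        elif a.owner in departed and a.enabled:
            tasks.add(("disable-account", a.system, a.owner))
            if a.licensed:
                tasks.add(("reclaim-license", a.system, a.owner))
    for g in grants:
        if g.owner not in known or g.owner in departed:
            tasks.add(("revoke-grant", g.app, g.owner))        # owner gone: grant goes too
        elif not g.sanctioned or g.scopes & HIGH_RISK_SCOPES:
            tasks.add(("review-grant", g.app, g.owner))        # overprivileged/unsanctioned
    return sorted(tasks)


# Constructed sample inventories.
ROSTER = [
    Worker("alice@example.com", "active"),
    Worker("bob@example.com", "terminated", date(2024, 3, 1)),
    Worker("carol@example.com", "terminated", date(2024, 12, 31)),  # notice given, still employed
]
ACCOUNTS = [
    Account("sso", "alice@example.com", enabled=True),
    Account("sso", "bob@example.com", enabled=True),
    Account("crm-saas", "bob@example.com", enabled=True, licensed=True),
    Account("hr-portal", "bob@example.com", enabled=False),            # already handled
    Account("crm-saas", "carol@example.com", enabled=True, licensed=True),
    Account("cloud", "dave@example.com", enabled=True),                # nobody in HR owns this
]
GRANTS = [
    Grant("calendar-sync", "alice@example.com", frozenset({"calendar.read"}), sanctioned=True),
    Grant("shadow-export", "alice@example.com", frozenset({"files.read_all"}), sanctioned=False),
    Grant("backup-bot", "bob@example.com", frozenset({"files.read_all"}), sanctioned=True),
    Grant("ticket-sync", "carol@example.com", frozenset({"tickets.read"}), sanctioned=True),
]


def demo(today: date = date(2024, 3, 15)) -> List[Task]:
    """Run the reconciliation over the constructed inventories."""
    return reconcile(ROSTER, ACCOUNTS, GRANTS, today)


if __name__ == "__main__":
    for task in demo():
        print(*task)
```

Running the reconciliation on a schedule, and again immediately after the HR system records a departure, gives the “verify that it has not occurred” step: an empty task list is the evidence that nothing was missed, and a non-empty one is the work queue for the teams named above rather than a ticket someone has to remember to raise.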
Detect exfiltration, manage applications
Davis McCarthy, principal security researcher at Valtix, a provider of cloud-based network security services, says that after the pandemic, many organizations increased their use of various cloud and SaaS platforms.
“Because different departments use different applications, and some individuals integrate with temporary solutions, IT departments found themselves drowning in the white noise of XaaS, with no standard way to manage it,” he says.
While IT administrators typically lock down corporate email accounts during departures, former employees may still have access to unknown services that contain sensitive data.
“Putting aside the idea of an insider threat, if one of those unknown services gets hacked and needs its password changed, no one may know to take action,” he warns.
McCarthy says network defenders need to figure out where sensitive data is stored and develop ways to detect exfiltration.
“Deploying an egress filtering solution limits how a threat can exfiltrate data, while providing the necessary visibility to verify that it has not occurred,” he says. “The consequences of stolen data vary from industry to industry, but most data breaches result in fines and loss of customer trust.”
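Two of the detections discussed here can be shown over a handful of log lines: the pre-notice behaviour Ting describes (a user’s transfer volume jumping far above their own baseline) and the egress policy McCarthy describes (uploads to destinations outside a sanctioned set). The script below is an added example, not Cyberhaven or Valtix code. The log line format, the hostnames, the allowlist and the spike thresholds are assumptions; the log itself is constructed for the example.

```python
"""Exfiltration detection over constructed audit-log lines.

Added example, not Cyberhaven or Valtix code. Two checks: (1) a per-user
daily transfer volume far above that user's own baseline, the kind of
pre-notice behaviour the article describes, and (2) uploads to egress
destinations outside a sanctioned allowlist, the policy an egress filter
would enforce. Log format, hostnames and thresholds are assumptions.
"""
import re
from collections import defaultdict
from statistics import median

MIB = 1024 * 1024

# Assumed log format: one transfer event per line.
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) "
    r"action=(?P<action>download|upload) bytes=(?P<bytes>\d+) dest=(?P<dest>\S+)$"
)

# Assumed allowlist of hosts data is permitted to leave through.
SANCTIONED_EGRESS = frozenset({"crm.example.com", "drive.example.com"})

# Constructed sample: bob's volume jumps on the last day and part of it goes
# to an unsanctioned host; alice is steady. One malformed line is included.
SAMPLE_LOG = f"""\
2024-03-10T09:00:00Z user=alice action=download bytes={20 * MIB} dest=drive.example.com
2024-03-10T09:05:00Z user=bob action=download bytes={10 * MIB} dest=crm.example.com
2024-03-11T09:00:00Z user=alice action=download bytes={20 * MIB} dest=drive.example.com
2024-03-11T09:05:00Z user=bob action=download bytes={12 * MIB} dest=crm.example.com
2024-03-12T09:00:00Z user=alice action=download bytes={20 * MIB} dest=drive.example.com
2024-03-12T09:05:00Z user=bob action=download bytes={9 * MIB} dest=crm.example.com
2024-03-13T09:00:00Z user=alice action=download bytes={20 * MIB} dest=drive.example.com
2024-03-13T09:05:00Z user=bob action=download bytes={11 * MIB} dest=crm.example.com
2024-03-14T09:00:00Z user=alice action=download bytes={20 * MIB} dest=drive.example.com
2024-03-14T22:10:00Z user=bob action=download bytes={900 * MIB} dest=crm.example.com
2024-03-14T22:40:00Z user=bob action=upload bytes={850 * MIB} dest=personal-cloud.example.net
2024-03-14T23:00:00Z user=bob action=login
"""


def parse(lines):
    """Yield parsed transfer events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield {"day": m["day"], "user": m["user"], "action": m["action"],
                   "bytes": int(m["bytes"]), "dest": m["dest"]}


def daily_volume(events):
    """{user: {day: total bytes moved}} over downloads and uploads."""
    vol = defaultdict(lambda: defaultdict(int))
    for e in events:
        vol[e["user"]][e["day"]] += e["bytes"]
    return vol


def volume_spikes(events, factor=5.0, floor=50 * MIB):
    """Flag a user-day whose volume exceeds `factor` x the median of that
    user's other days (leave-one-out baseline) and an absolute floor."""
    findings = []
    for user, days in daily_volume(events).items():
        for day, total in days.items():
            others = [v for d, v in days.items() if d != day]
            if len(others) < 3:
                continue  # not enough history to form a baseline
            if total > factor * median(others) and total > floor:
                findings.append(("volume-spike", user, day))
    return findings


def unsanctioned_egress(events, allowlist=SANCTIONED_EGRESS):
    """Flag uploads to any destination the egress policy does not allow."""
    return sorted({("unsanctioned-egress", e["user"], e["dest"])
                   for e in events
                   if e["action"] == "upload" and e["dest"] not in allowlist})


def detect(lines):
    """Run both checks over raw log lines and return the sorted findings."""
    events = list(parse(lines))
    return sorted(volume_spikes(events) + unsanctioned_egress(events))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The leave-one-out median keeps a single huge day from inflating its own baseline, and the absolute floor stops low-volume users from being flagged by noise; both thresholds are deliberately conservative placeholders, and a real deployment would tune them per data class and pair the egress check with the filtering control itself rather than only logging it.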
He adds that IT security teams already busy managing all of an organization’s SaaS applications are further burdened by having too many proprietary tools.
“Deploying scalable multi-cloud management tools that consolidate visibility and policy enforcement lowers their operational costs,” says McCarthy.