How High Employee Turnover Poses Increased Cyber Security Risk
Some industries and companies experience higher rates of employee turnover than others. It’s just a fact of life, and most companies with high turnover believe they’re already aware of the impact it has on their bottom line. New hires need to be trained, workstations need to be set up, and it takes time for a new employee to become fully efficient and productive at a new job. That’s expected. However, there are some hidden costs associated with high employee turnover which aren’t always taken into account, even in sectors or companies with unusually high turnover rates.
The secure storage and manipulation of data is a relatively new factor in business, at least within the lower levels of a company’s structure. Not long ago, every important document was kept in a heavy safe in the manager’s office, and only a few trusted employees had access. Since that time, the advent of technology has drastically changed many aspects of business, but perhaps none so profoundly as access to information. Now, even entry-level employees have access to a company’s secure network. After all, they need it for communication, for moving files around, and for doing their day-to-day work. Because of this, companies with high employee turnover rates can face increased exposure to cybersecurity threats on two fronts: outgoing employees and incoming ones. Both scenarios pose unique risks, which we will examine below.
Departing Employees Leave Holes
If one of your employees has access to your company’s sensitive documents and then leaves, that access does not magically stop. That person still knows passwords, directory structures, and cloud service logins, and could even have a VPN tunnel straight into your network from a home computer or laptop. Perhaps you parted on good terms, or maybe the employee left under bitter circumstances and now bears a grudge against your company. Either way, you don’t want ex-employees to have access to your data or systems.
Rather than waiting for an employee to depart unexpectedly, leaving you scrambling to figure out how to shut down their access, you need to have a comprehensive plan ready for off-boarding employees. If you need some guidance, check out Copperband’s recent blog post on Best Practices for Disabling, Deleting and Locking Down Past Employee Accounts. For instance, that article encourages you to hold an exit interview and ask specific questions about how the employee accessed your data. In many cases, even the employee doesn’t remember all the forms of access that he or she has until someone asks.
Remember, whether the departure was friendly or problematic, time is of the essence. Your goal should be to have a departing employee’s access fully revoked before he or she gets home – or makes it out of the building, if possible. Employees should have access, and ex-employees should not. It’s as simple as that.
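One way to check that goal is to compare the HR departure list against every place an employee can log in, including shared passwords the person still knows. The sketch below is an added example, not part of the original post; the record layouts, employee IDs, system names and the `audit_offboarding` function are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original post). In practice these would
# be exports from HR, the directory, the VPN gateway and cloud admin consoles.
UTC = timezone.utc
DEPARTURES = {  # employee id -> time the employee left
    "e1001": datetime(2024, 3, 1, 17, 0, tzinfo=UTC),
    "e1002": datetime(2024, 3, 4, 12, 0, tzinfo=UTC),
}
ACCOUNTS = [  # one row per login an employee holds, per system
    {"system": "directory", "login": "jdoe", "owner": "e1001", "enabled": False},
    {"system": "vpn", "login": "jdoe", "owner": "e1001", "enabled": True},
    {"system": "cloud-storage", "login": "jdoe@example.com", "owner": "e1001", "enabled": True},
    {"system": "directory", "login": "asmith", "owner": "e1002", "enabled": False},
    {"system": "directory", "login": "bnew", "owner": "e1003", "enabled": True},
]
SHARED_SECRETS = [  # passwords known to more than one person
    {"name": "wifi-psk", "known_by": {"e1001", "e1003"},
     "rotated": datetime(2024, 1, 10, tzinfo=UTC)},
    {"name": "social-media-login", "known_by": {"e1002"},
     "rotated": datetime(2024, 3, 5, tzinfo=UTC)},
]

def audit_offboarding(departures, accounts, shared_secrets, now):
    """Return findings for access that outlived its owner's employment."""
    findings = []
    for acct in accounts:
        left = departures.get(acct["owner"])
        if left is not None and left <= now and acct["enabled"]:
            findings.append({"kind": "active-account", "system": acct["system"],
                             "login": acct["login"], "owner": acct["owner"],
                             "exposed_for": now - left})
    for secret in shared_secrets:
        for emp in sorted(secret["known_by"]):
            left = departures.get(emp)
            # A shared password stays usable until it is changed after the departure.
            if left is not None and left <= now and secret["rotated"] < left:
                findings.append({"kind": "stale-shared-secret", "system": secret["name"],
                                 "login": None, "owner": emp,
                                 "exposed_for": now - left})
    # Longest exposure first, so the oldest gaps get closed first.
    return sorted(findings, key=lambda f: f["exposed_for"], reverse=True)

if __name__ == "__main__":
    now = datetime(2024, 3, 6, 9, 0, tzinfo=UTC)
    for f in audit_offboarding(DEPARTURES, ACCOUNTS, SHARED_SECRETS, now):
        hours = f["exposed_for"] / timedelta(hours=1)
        print(f'{f["kind"]:20} {f["system"]:18} {f["owner"]} open {hours:.0f}h')
```

Run on a schedule, a report like this shows how far actual revocation lags behind the departure time, and it catches the shared passwords that disabling a personal account never touches.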
New Employees Are Open Doors
Not all of the security risks of high employee turnover are from employees on the way out, however. Incoming employees pose their own special problems. Because they don’t know your organization or all of its policies yet, they can easily make mistakes which experienced employees wouldn’t. More importantly, because of the prevalence of social media, criminals can easily tell who is new to your organization. Because most of us have LinkedIn accounts, it’s never a secret when someone begins a new job. This paints a huge target on your new hires, and they can easily become the victims of social engineering attacks.
In addition, industries and businesses with high employee turnover rates logically tend to have younger workforces. Because people don’t stay at the job for very long, there aren’t many veterans in these positions. While younger employees are certainly dynamic and willing to work hard, they haven’t experienced quite as many negative consequences as some of their more seasoned counterparts. Simply put, they haven’t made all their mistakes yet, and they’re going to make some of those while they’re under your roof. It’s a natural part of the growing process, but if your business has a lot of churn and is constantly bringing in fresh new faces, it’s something you need to be mindful of.
Once you give a new employee the keys to the kingdom, they’re on the inside. Therefore, you need to make sure they know how to protect your interests.
Train, Train, Train
If disabling user accounts is the solution for departing employees, what’s the best way to mitigate the risks posed by new employees? In a word, the answer is training. Your company should have a comprehensive security training program for ALL new hires, not just the ones working specifically in technology roles. You can streamline the process by sticking to a few simple guidelines:
- Get to know what they know. Don’t try to teach new employees things they already know. Not only will you waste everyone’s time, you’ll also cause them to ‘switch off’ and ignore something important.
- Make it work for you. The likelihood is that you already have some kind of training in place for other things; use that. If you do webinars, do a security webinar. If you have a conference room where you regularly brush up on company policies, hold a meeting there. If you’re a smaller organization and you do a lot of one-on-one meetings, maybe over lunch – do that! If you make it awkward, it won’t work.
- Talk about the consequences of a breach. Tell your new employees how much data your company protects and how much money your company stands to lose if there is a successful attack. Then tell them what kind of an effect that could have on them personally. Don’t threaten anyone, just be realistic. This is serious.
- Share real-life stories. There’s a good chance that one or more people in your organization have been on the wrong end of a cyber-attack, whether at work or in their personal lives. Tell each other some scary tales so that everyone understands how serious it can get. Bring the threat to life.
- Simulate it. Send your new employees some mocked-up phishing emails and see how they respond. If that seems too underhanded, tell them what you’re doing beforehand. The important thing is that they get a chance to see what a real attack looks like.
- Focus on a few key actions employees can take every day. No one is going to remember a list of 50 things that will improve your security. Simply teach your employees to check the sender of an email for signs of spoofing, not to click on attachments, how to check for SSL connections and site certificates, and so forth. If you can add a few simple things to their everyday routines, you’ll increase your company’s security dramatically.
- Have a password policy. One of the easiest things you can do to ramp up your security is to use strong passwords and change them often. 63% of data leaks happen because of weak passwords. Tell new employees what you expect in terms of passwords, or have someone assign them and change them regularly.
Of course, your training program has to work for you and your environment, but these guidelines should get you heading in the right direction. Remember, this is something you need to implement sooner rather than later. Preventing a data breach is infinitely cheaper and easier than repairing one.
…and Then Train Some More
If training your new hires to use good security is important, what about your existing workforce? Most experts recommend regular security training for all employees. This doesn’t have to be as in-depth as the initial briefing, but it does need to make your company’s security fresh in everyone’s minds on a regular basis. If you only talk about security once a year, no one will be thinking about it a few weeks later. Aim to do something at least once a month. If you don’t want to take the time for a full, sit-down meeting, send out regular email reminders of good security practices.
It Boils Down to This:
Data is not handled by computers alone. Data is handled by people and computers. Therefore, every person in your organization is a potential attack vector. People are easier to fool than machines, so you need to make the extra effort to bring your human assets up to speed. Whether it’s a departing employee who might be tempted to sell you out, or a fresh-faced new hire who might be tricked into unlocking the gates, a high employee turnover rate means you need to be on your toes if you want to keep your business secure.
If you want professional help in mitigating the security risks associated with high employee turnover, Copperband Technologies is ready to help. Call or email us today, and we’ll discuss the best way to make your business more secure, no matter how fast your revolving door spins.