- In many organizations, the number one risk to the IT environment is people. And it’s not just IT staff, but anyone who has access to the network. Malicious actors routinely target users with phishing and spear phishing campaigns, social engineering, and other types of attacks. Everybody is a target. And once attackers compromise an account, they can use that entry point to move around the network and elevate their privileges. The following strategies can reduce your risk:
- Candidate screening and hiring. Screening candidates thoroughly is a critical part of the hiring process. Be sure to conduct a full background check that includes a criminal records check, job history verification, education verification, certification validation and confirmation of other accolades when possible. Additionally, contact all references.
- Employment agreements and policies. An employment agreement specifies job duties, expectations, rate of pay, benefits and information about termination. Sometimes, such agreements are for a set period (for example, in a contract or short-term job). Employment agreements facilitate termination when needed for an under-performing employee. The more information and detail in an employment agreement, the less risk (risk of a wrongful termination lawsuit, for example) the company has during a termination proceeding. For instance, a terminated employee might take a copy of their email with them without thinking of it as stealing, but they are less likely to do so if an employment agreement or another policy document clearly prohibits it.
- On-boarding and termination processes. On-boarding comprises all the processes tied to a new employee starting at your organization. Having a documented process in place enables new employees to be integrated as quickly and consistently as possible, which reduces risk. For example, if you have five IT admins performing the various on-boarding processes, you might get different results each time if you don’t have the processes standardized and documented; a new hire might end up with more access than required for their job. Termination is sometimes a cordial process, such as when a worker retires after 30 years. Other times, it can be a high-stress situation, such as when a person is being terminated unexpectedly. You need to have documented policies and procedures to handle all termination processes. The goal is to have a procedure to immediately revoke all access to all company resources. In a perfect world, you would push one button and all access would be revoked immediately.
- Vendor, consultant, and contractor agreements and controls. When workers who are not full-time employees have access to your network and data, you must take extra precautions. Consultants often work with multiple customers simultaneously, so you need to have safeguards in place to ensure that your company’s data isn’t mixed in with data from other organizations, or accidentally or deliberately transmitted to unauthorized people. In high-security organizations, it is common to have the organization issue a computing device to consultants and enable the consultant to access the network and data only through that device. Beyond the technical safeguards, you must also have a way to identify consultants, vendors and contractors. For example, maybe they have a different security badge than regular full-time employees. Perhaps they sit in the same area or their display names in the directory call out their status.
- Compliance policy requirements. Organizations have to adhere to different compliance mandates, depending on their industry, country and other factors. All of them need to maintain documentation about their policies and procedures for meeting those requirements. Employees should be trained on the company’s compliance mandates at a high level upon hire and regularly thereafter (such as re-certifying once a year).
- Privacy policy requirements. Personally identifiable information about employees, partners, contractors, customers and other people should be stored in a secure way, accessible only to those who require the information to perform their jobs. For example, somebody in the Payroll department might need access to an employee’s banking information to have their pay automatically deposited, but no one else should be able to access that data. Organizations should maintain a documented privacy policy that outlines the types of data covered by the policy and who the policy applies to. Employees, contractors and anyone else who might have access to the data should be required to read and agree to the privacy policy upon hire and on a regular basis thereafter (such as annually).