Whether it’s down to growth or replacement, hiring new employees is something that all organisations face on a day-to-day basis.
In an ideal world, we’d hire all the right staff and they’d stay put in our businesses for a long, happy time. Sadly, this isn’t always the case, and staff turnover can present a burden for many – especially in the banking and finance industry, where staff turnover rates are higher than in any other industry.
Aside from the obvious disadvantages that this poses – including challenges bringing new employees up to speed on tasks and projects, and the cost of recruitment – cybersecurity can easily be compromised as a result of high employee turnover.
Too many organisations spend their security resources on putting strong external defences in place, in an attempt to keep outside hackers at bay. But it turns out that the bigger threat lies a lot closer to home. Sixty-six percent of organisations consider malicious insider attacks or accidental breaches more likely than external attacks, and the majority of employees say that they have access to data they shouldn’t.
Keep it Simple: Identity and access management
Whether they mean to or not, new starters are inherently more of a risk to a company’s cybersecurity, as they are not yet embedded in the company culture. This is particularly true for those new to highly regulated sectors like finance, defence and healthcare, where organisations typically have much stricter security rules and processes, which can take some getting used to.
New joiners find themselves being given access rights simply because they match those of the person sitting next to them. Moreover, many people find that they can still access a previous employer’s systems using their old credentials, even after leaving the company. It’s usually just down to goodwill and ethics that this doesn’t cause more breaches – clearly, no organisation can afford to rely on this!
How can we reduce the risk of cyber attack from the inside? The answer is: ‘keep it simple, stupid’. Simply reviewing and controlling employees’ access rights, particularly as people enter and leave the company, will significantly lessen the risk of a breach occurring from the inside; but on its own it is probably not enough.
Kick-start the cultural change towards cybersecurity
Opening up the identity and access management conversation throughout the whole organisation is the first step in regaining control of who has access to what, as new employees arrive and ex-employees leave.
It’s no secret that the industry is struggling with some fundamental issues; the frequency of cyber attacks is evidence of that. Staff turnover doesn’t help, but acts as a catalyst, creating more risk. Looking closer at why these breaches keep on happening, the cause lies with the current cultural perception of cyber security within the workplace. Organisations need a complete shift in attitudes towards security if they are to start combating the issues surrounding new and ex-staff.
We can look at three phases of this cultural change, where the end result is everybody in the organisation understanding that cyber security is their own responsibility.
The first phase, where many organisations get stuck, is where access management is considered solely the job of specific security teams. This produces a clear divide between the employee and the impact of their actions. The second phase takes a step away from this stark divide, putting line managers in charge of employees’ access rights. Ultimately, the final phase will see employees self-certifying their own access rights, with oversight and ultimate approval from line managers.
Hiring new staff doesn’t have to present a cybersecurity burden for companies. It can offer an opportunity to influence the attitude of the workforce towards security. For example, newcomers have the advantage of having no preconceived notions about the company’s security policy or culture. A culture where cybersecurity is considered everyone’s responsibility can be achieved much more easily when starting afresh.
Ultimately, the threat of cyber breaches should never be underestimated. Staff turnover can present a great risk of insider threat, if it is not handled properly; even those movers with the best intentions present a potential security risk. However, this can be an opportunity to instil a better security mindset. And by leveraging identity and access analytics, you can ensure that current, past and future users have the appropriate access rights, reducing the risk that these insiders pose.
About the Author
Mark Rodbert is CEO at idax Software. idax solves one of the most pressing technical issues facing companies today – what information do staff have access to and does that pose a risk? Using predictive identity analytics, idax is the first company in the world to automatically analyse the access rights for an organisation, quantify the risk and determine who has excessive access requiring adjustment. Protecting digital information is critical for modern companies.