Dan is a 20-year veteran of the ICT industry, working for global and local vendors to bring new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
The Great Resignation
The Great Resignation began in the US. April and August 2021 saw record numbers of people quit their jobs in America – in August alone a staggering 4.3 million workers resigned. Every nation has responded to Covid-19 differently, but the trend is spreading. In Australia, nearly a fifth of the workforce in education, emergency services and healthcare have considered quitting their jobs because of the pandemic, while in New Zealand the number of workers who are committed to sticking with their current role has halved year on year.
Different reasons have been given for the Great Resignation. Some workers would have moved anyway; the threat of the pandemic has encouraged others to reevaluate what’s important to them; while for some, remote working has stoked a desire for more flexible employment.
But while this shift may ultimately help us find a better work-life balance, in the short term it brings a cybersecurity headache. When employees leave, your company’s data may follow. That can result in issues with confidentiality and compliance, as well as a risk of serious data breaches. Let’s look at the risks, and how your organisation can manage them.
Accidental and malicious data loss can both hit you hard
The proportion of employees who take data when they leave is staggering. Research suggests that 72% of departing staff take some company data with them, whether intentionally or not. This might be anything from forwarding a list of contacts via a personal email account to stealing a serious amount of critical data. It may be done with serious criminal intent, or simply because an employee feels that they’re entitled to hold on to something they’ve created on company time – and that they’re unlikely to get caught. In many cases, employees are simply unaware of what they can and can’t take with them.
Staying on top of offboarding
Managing these risks can be a big job. The most immediate issue that IT and cybersecurity teams will face in the current climate is the need to offboard employees securely and at pace. An inventory will need to be taken of every system that departing staff have access to, and document ownership may need to be switched to other employees. Access to apps, tools and databases will need to be removed, which is particularly crucial if the individual was in a senior technical role, with privileged access to data and systems. Shared passwords will also need to be reset.
Securing hardware and migrating data
Company applications may have been accessed via personal devices, making managing data and removing access a vital but time-consuming task. Company laptops and other hardware must also be returned and reset. Some employees may host data on cloud services, which will mean migrating that data to another account or even another platform. It may seem easier to simply keep paying for the account, but that will likely leave you with a monthly fee (or several if a wave of employees is departing) and an admin headache in the future.
How to limit the risk of data loss
Ending access and regaining hardware will go some way towards limiting the risk of accidental or malicious data loss. But if you undertake these tasks on an ad-hoc basis you risk inconsistency, gaps and – eventually – leaked data. A formal process with offboarding steps that can be replicated across departments will lighten your workload and reduce the risk of anything slipping through the net.
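As an added illustration (not code from the original article), the sketch below turns the offboarding tasks described above into a repeatable plan: privileged access is revoked first, then shared passwords the leaver knew are rotated, documents are reassigned and hardware is recalled. The inventory records, user names and action labels are all constructed assumptions.

```python
"""Added example: build a repeatable offboarding plan from an access inventory.
All names and records below are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    privileged: bool = False

# Constructed sample inventory (not real data).
GRANTS = [
    Grant("alice", "crm"),
    Grant("alice", "prod-db", privileged=True),
    Grant("bob", "crm"),
]
SHARED_SECRETS = {"social-media-login": {"alice", "bob"}, "vendor-portal": {"bob"}}
DOC_OWNERS = {"pricing.xlsx": "alice", "roadmap.docx": "bob"}
DEVICES = {"LT-0142": "alice", "LT-0199": "bob"}

def offboarding_plan(user, new_owner):
    """Return ordered (action, target) steps; privileged access goes first."""
    grants = sorted((g for g in GRANTS if g.user == user),
                    key=lambda g: (not g.privileged, g.system))
    plan = [("revoke_privileged" if g.privileged else "revoke", g.system)
            for g in grants]
    # Any shared password the leaver knew must be rotated, not just disabled.
    plan += [("rotate_shared_secret", name)
             for name, holders in sorted(SHARED_SECRETS.items()) if user in holders]
    plan += [("transfer_ownership", f"{doc} -> {new_owner}")
             for doc, owner in sorted(DOC_OWNERS.items()) if owner == user]
    plan += [("return_and_reset", dev)
             for dev, holder in sorted(DEVICES.items()) if holder == user]
    return plan

def outstanding(plan, completed):
    """Steps in the plan that have not yet been recorded as done."""
    return [step for step in plan if step not in completed]

if __name__ == "__main__":
    plan = offboarding_plan("alice", new_owner="bob")
    for step in outstanding(plan, completed={("revoke", "crm")}):
        print(*step)
```

Running the same function for every leaver, and checking `outstanding` before the exit date, is what makes the process consistent across departments rather than ad hoc.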
Offboarding will often mean working closely with your HR department. Making other parts of the business aware of the cybersecurity risks of departing employees is a crucial part of getting buy-in to a series of steps that might include:
Limiting who has access to critical information in the first place via need-to-know access policies
Ongoing and engaging training for all employees that underlines the rules you set around data
Sharing a formal, detailed policy on what data employees can and cannot take when they leave your organisation in an exit interview
Monitoring employee behaviour. Automation can help you look out for suspicious access requests or data transfers, and monitoring shouldn’t just focus on outgoing employees – much data theft occurs before staff announce they are leaving and ensuring employment confidentiality.
Restricting actions such as email forwarding and file sharing
Parting with employees on fair, friendly terms wherever possible
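The monitoring point in the list above can be made concrete with a small detection sketch, added here as an example and not taken from the original article. It compares each user's daily outbound volume with that user's own earlier history and runs for every user, whether or not a resignation is on file. The log format, the thresholds and the HR notice feed are constructed assumptions.

```python
"""Added example: flag unusual outbound transfers for every user, with or
without a resignation on file. Log lines and thresholds are constructed."""
from collections import defaultdict
from statistics import median

# Constructed sample: date, user, destination type, megabytes sent out.
LOG = """\
2021-09-01 alice personal_email 4
2021-09-02 alice cloud_share 6
2021-09-03 alice personal_email 5
2021-09-06 alice cloud_share 480
2021-09-01 bob cloud_share 20
2021-09-02 bob cloud_share 25
2021-09-03 bob cloud_share 22
2021-09-06 bob cloud_share 30
"""
NOTICE_GIVEN = {"bob": "2021-09-03"}  # hypothetical HR feed: user -> notice date

def parse(log):
    """Sum outbound megabytes per user per day."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> MB
    for line in log.splitlines():
        date, user, _dest, mb = line.split()
        daily[user][date] += int(mb)
    return daily

def flag_spikes(log, factor=5, floor_mb=100, min_history=3):
    """Flag days where a user's outbound volume exceeds factor x the median
    of their own earlier days and also reaches an absolute floor."""
    alerts = []
    for user, days in sorted(parse(log).items()):
        history = []
        for date in sorted(days):
            mb = days[date]
            if len(history) >= min_history:
                base = median(history)
                if mb >= floor_mb and mb > factor * base:
                    notice = NOTICE_GIVEN.get(user)
                    # True when no notice exists yet or the spike predates it.
                    pre_notice = notice is None or date < notice
                    alerts.append((date, user, mb, pre_notice))
            history.append(mb)
    return alerts

if __name__ == "__main__":
    for alert in flag_spikes(LOG):
        print(alert)
```

In the sample, the only alert is for a user with no notice on file, which a rule scoped to known leavers would never have evaluated.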
It’s never just about one person
The Great Resignation isn’t just about the people who leave – it’s about the people who remain and the new hires who will work alongside them. New employees are particularly vulnerable to scammers and should be carefully onboarded. You should have a consistent onboarding policy in which cybersecurity needs are stressed.
If departments end up being understaffed, people are more likely to make mistakes. That applies especially to cybersecurity teams, who face a competitive hiring market at the best of times. Forward planning, and encouraging the right team culture, can help.
How the Great Resignation affects data security
Departing employees can prove to be a serious cybersecurity threat, whether by accident or design. When a wave of people leave your organisation at once, the problem can be even more acute. Ensuring you have firm, consistent policies around access, data and offboarding will help limit your exposure to data security risks, and help your organisation safely navigate the Great Resignation.