COVID-19: Risks from staff turnover
Whilst vaccinations and more effective testing programmes offer a glimmer of hope that the worst of COVID-19 is behind us, many businesses are re-evaluating how they can safely and securely build remote working into their normal operations. Recent experience shows that we need to proactively seek out the new and changed risks this introduces, and update our risk management activities accordingly if they are to remain effective.
For new personnel, an effective onboarding framework needs to cover many different considerations. We need to issue assets securely, perhaps by courier to the new starter's home address, and give thought to how initial user credentials are issued: they should be sent separately from the device itself and must be changed at first login. Every effort should be made to provide remote information security and data protection training as quickly as possible, perhaps via Zoom or Teams, to explain your organisation's security posture and how the new colleague can seek guidance and report problems.
Over recent weeks, targeted phishing attacks seem to be focused on new starters, who are less likely to recognise the "look and feel" of a phishing email and much more likely to respond to an "urgent email" claiming to come from a senior member of the board. It may be that threat actors are homing in on career updates and new job congratulations posted on LinkedIn or similar social media platforms. Whatever the source, we need to ensure that new colleagues are aware of their exposure to this type of attention, and know how to report it.
All personnel should be included in regular security briefings and training exercises. There are likely to be co-workers you have not seen in person for a year or so now, and we need to ensure that the complacency and comfort of home working do not erode the effectiveness of your ongoing commitment to information security, data protection and corporate governance requirements. Short, sharp 10-minute briefings on bite-size subjects can be very rewarding: managing passwords, reporting security incidents, email data minimisation for GDPR, and so on.
Security vulnerabilities and vendor patches are almost a daily occurrence. How do you ensure that all assets are being properly protected with firmware updates and software patching … do all asset owners understand what to look for and what to do?
Turning our attention to leavers for a moment, we need to reflect on the risks they may leave behind. Whilst many businesses can disable access to corporate resources by making changes to Active Directory (for example), what of all the external cloud services where an ex-colleague may have maintained their own credentials, API tokens or SSH keys that are not tied to the corporate directory? It is important to record ALL levels of access and privilege that an individual has been granted, and diligently ensure that every one of them is promptly disabled once they leave our employment; a disabled AD account on its own proves nothing about the rest. You may wish to consider how you retain business communications and data from former staff, but this should be in accordance with your published Data Retention Schedule and the data minimisation requirements of GDPR.
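One practical way to act on that access register is to reconcile it against the HR leavers feed and report every account that is still enabled for someone whose leave date has passed. The following is an added example written for this article, not InfoSaaS software; the systems, people, dates and the two record layouts are all constructed sample data, and a real register would be exported from each service rather than typed in.

```python
"""Leaver reconciliation: find accounts still enabled after their owner left.
Added example for this article, not InfoSaaS code. All data below is
constructed; in practice the leavers feed comes from HR and each register
row from the service's own user export."""
from datetime import date

# Constructed HR leavers feed (assumed layout): who left and when.
LEAVERS = [
    {"email": "a.smith@example.com", "left": date(2021, 2, 26)},
    {"email": "b.jones@example.com", "left": date(2021, 3, 12)},
    {"email": "c.patel@example.com", "left": date(2021, 4, 30)},  # future leaver
    {"email": "e.khan@example.com",  "left": date(2021, 1, 15)},  # not in any register
]

# Constructed access register (assumed layout): one row per account per system.
# Cloud services key on different identifiers, so every row carries an email
# for matching; note the mixed case on the GitHub row.
ACCESS_REGISTER = [
    {"system": "Active Directory", "account": "asmith",             "email": "a.smith@example.com", "enabled": False, "privilege": "user"},
    {"system": "Salesforce",       "account": "a.smith@example.com","email": "a.smith@example.com", "enabled": True,  "privilege": "admin"},
    {"system": "GitHub org",       "account": "asmith-dev",         "email": "A.Smith@Example.com", "enabled": True,  "privilege": "owner"},
    {"system": "Active Directory", "account": "bjones",             "email": "b.jones@example.com", "enabled": False, "privilege": "user"},
    {"system": "Dropbox team",     "account": "b.jones@example.com","email": "b.jones@example.com", "enabled": False, "privilege": "member"},
    {"system": "AWS IAM",          "account": "cpatel",             "email": "c.patel@example.com", "enabled": True,  "privilege": "PowerUser"},
    {"system": "Active Directory", "account": "dlee",               "email": "d.lee@example.com",   "enabled": True,  "privilege": "user"},
]


def normalise(email):
    """Email addresses are the join key, so compare them case-insensitively."""
    return email.strip().lower()


def orphaned_access(leavers, register, today):
    """Return register rows still enabled for people whose leave date has
    passed. Oldest leavers first, then by system name, so the list reads as a
    triage order."""
    gone = {normalise(l["email"]): l["left"] for l in leavers if l["left"] <= today}
    findings = []
    for row in register:
        email = normalise(row["email"])
        if row["enabled"] and email in gone:
            findings.append({
                "system": row["system"],
                "account": row["account"],
                "email": email,
                "privilege": row["privilege"],
                "days_since_leaving": (today - gone[email]).days,
            })
    findings.sort(key=lambda f: (-f["days_since_leaving"], f["system"]))
    return findings


def leavers_with_no_record(leavers, register):
    """Leavers who appear in no system at all. Either the register is
    incomplete or the person was never recorded; both deserve a question."""
    known = {normalise(r["email"]) for r in register}
    return sorted(normalise(l["email"]) for l in leavers
                  if normalise(l["email"]) not in known)


if __name__ == "__main__":
    run_date = date(2021, 4, 1)
    for f in orphaned_access(LEAVERS, ACCESS_REGISTER, run_date):
        print(f"{f['system']:18} {f['account']:24} {f['privilege']:10} "
              f"left {f['days_since_leaving']} days ago")
    for email in leavers_with_no_record(LEAVERS, ACCESS_REGISTER):
        print(f"no access recorded anywhere for leaver {email}")
```

Run against the sample data on 1 April 2021, the report shows that A. Smith's Active Directory account was disabled but the Salesforce admin and GitHub owner accounts were not, while E. Khan left without a single access record, which is usually a sign the register itself is incomplete. Scheduling this reconciliation daily, and treating an empty report as the expected outcome, is a cheap control to sit alongside the manual leaver checklist.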
The recovery of ALL assets (did they have any USB media issued?) should be a focus, with any data sanitisation undertaken by the organisation rather than the former employee. One challenge here is for businesses that have consciously permitted the use of BYOD devices. What controls and checks do you have in place to ensure that a former colleague has properly removed all of your organisation's data from their own personal assets at the point of departure?
This is purely a starter to assist your planning. Each of the risks identified above should be acknowledged within an appropriate risk assessment (as required by ISO 27001). This is the only reliable way to identify whether the risks from starters and leavers are acceptable to your organisation, and to escalate those matters that need additional focus so that your business remains effective. InfoSaaS risk assessments are already aligned to many of the threats and vulnerabilities highlighted within this article; evaluate this for yourself by reviewing our suite of demonstration software today.