Organizations have to constantly be on the lookout for ways their data might be under attack. However, it occasionally comes from an unsuspected source, inside the organization, from a disgruntled employee looking to take advantage of their insider information. However, with proper checks and controls in place and overseen by multiple employees, many of these potential scenarios can be eliminated or reduced. In a December 7th, 2016 CNN report, a former IT employee for Expedia sold off sensitive information about company executives he was able to obtain thanks to a company-issued laptop he had kept after his termination. According to CNN, that worker used the laptop to access devices and email accounts used by senior Expedia executives. He then traded that information, earning roughly $300,000.
We believe the security breach, financial damages, and resulting bad press could have been avoided with an effective on and off-boarding process. The problem is, corporations rarely review this process after it is initially put in place. Changes in the workforce such as employees who bring their own devices, or remote workers who rarely visit the office are just a few factors many companies have failed to account for in their on and off-boarding procedures.
There are several areas where an effective on and off-boarding process can limit your risk:
- Asset assignment
- Centralized secure control of assets
- Accountability for recovering assets at employee termination
- Shutdown network access
Let’s start at the beginning. HR sends an alert to IT to notify them that a new employee is starting on a specific date. Based on their role, it is predefined what type of asset the new employee should receive. When an employee officially starts, they are assigned a computer to use for corporate work. The serial number and barcode associated with that asset should then be associated with the employee in an asset database. Any changes to the asset should be updated and maintained in the IT asset management (ITAM) tool. In the case of BYOD, a company might install a virtual image on the endpoint and manage their software and data access using that method.
Since this employee worked in IT, they may have had access to the controlled asset stockroom where the new and used assets are stored. To avoid loss and theft of assets, centrally controlling access to the stockroom should be handled the same way the data center is secured. When assets are received, the barcode tag on the exterior of the box should be scanned at the receiving dock, compared to the purchase order, and then passed to IT for securing in the stockroom. The data from the barcode scanner is uploaded and formally entered as a record into the ITAM tool. The state is recorded into the system as received. When it is put on the shelf available for deployment, the state changes to “available”.
If there is concern about assets being stolen from the stockroom, there are tracking systems that can record when assets are removed from the shelf and employee Identification card key swipes to identify who has entered the room. Access should be limited to only a select group of employees that are responsible for handling deployments and changes. Even when old assets are being disposed of, they should remain in a controlled area until they are data wiped or transferred to a disposal vendor.
An effective asset governance plan would define who was responsible for recovering an asset from an employee. If HR does a standard exit interview, that would have been the correct time to retrieve assets that can contain data and access the corporate network back from the employee. If the manager meets with the employee, they should be responsible for collecting assets. In the case of a non-IT employee, IT support may be responsible for asset recovery.
Even if it is believed that all assets are returned to the company, it should be standard practice to discontinue email and network access automatically on an employee’s last day. It is not unusual for disgruntled employees to access the corporate network after they have been terminated. This creates a corporate data risk that all security teams should be aware of. Regardless of whether the termination was amicable or not, the standard process should be that network access is discontinued on the last day of employment.
We at Ivanti have several suggestions to reduce your organization’s risk and refine your employee on and off-boarding process. First, start by looking at the tools at your disposal. If your IT asset management tool has out-of-the-box processes built in, it makes sense to customize these processes to reflect the different types of workers – remote, onsite, BYOD. Integrating your ITAM tool with your HR systems will ensure that any changes to an employee’s status is updated and received in real time. This will reduce the chance of an employee leaving and IT not knowing about it until days or weeks later.
Periodic physical inventories of the stockroom would reveal if an asset is missing and unaccounted for. This would kick off a process to locate the lost asset. A clearly defined process for selecting assets to fulfill requests would define which assets are deployed and when. A barcode scanner can reduce the amount of manual data entry and streamline the tracking process, thereby making technicians more effective.
We hope that your company doesn’t become a headline. Annually reviewing your processes to ensure that they reflect current state in your environment will help identify holes and allow time to proactively address them. This rigor will hopefully give asset managers one less thing to worry about.