Most cyber security measures that businesses implement focus on protecting themselves against an attack from outside. But what happens if someone is able to attack your business from the inside?
This article from The Register discusses the case of an ex-employee of a credit union in New York who was able to delete over 20GB of data from a shared company drive two days after her employment was terminated.
While the employee was caught, and is facing jail time for her actions, the damage was already done. The credit union’s lax security and backup policies meant that a single disgruntled former employee was able to cause havoc with the business’s data in just a few minutes.
So how can you protect your business against an attack by a former employee? The answer is simple: you need rigorous, tested procedures for shutting down access the moment someone leaves. And of course, backups.
In this blog post we will discuss what actions you should take when an employee leaves, and how you can protect your business against permanent damage in the event of a security breach.
Shutting down employee access
If you’re anything like us, you use dozens of accounts, usernames and passwords on a daily basis. So it stands to reason that some of these accounts matter more to your business than others. We’ve written this quick checklist as a good jumping off point for your own policies. Start by writing procedures to handle these accounts, then move on to the more specialist services you use.
Email access should be treated carefully. Being able to remotely sign a leaver out of their inbox on every connected device is critical; changing the password alone does not end sessions that are already open on a phone or laptop. We won’t go into the commercial reasons for blocking access to an ex-employee’s email address, but it’s important not to delete the address entirely. Customers and colleagues will keep sending mail to the former employee’s work address for months after they have gone, so keep the mailbox and route its mail to a colleague rather than deleting it.
Phone systems and communications platforms can cause havoc in the event of a breach. And it’s not always obvious; an ex-employee with enough access to your phone system could make and receive calls through it for weeks without you knowing. How often do you log in to your phone system to check your call logs? Phone system fraud is expensive, but it’s relatively simple to prevent. While modern cloud-based systems allow access from anywhere, that access can be revoked instantly by deleting the user. Your former employee’s direct dial can then be re-routed elsewhere without any risk of them being able to use it. It’s also worth checking the call logs for the days around the departure.
CRM accounts should be disabled immediately, and any shared CRM logins the person knew should have their passwords changed. CRMs typically contain some of the most commercially sensitive data in your business, so they’re a prime target in a breach. Fortunately, revoking access to your CRM is a simple process in most cases, but it must be done quickly, and it’s worth checking the CRM’s export or download history to see whether a copy of the data was taken before the person left.
Technical resources like your infrastructure, network devices and any cloud services you use need their credentials dealt with too: disable the person’s own accounts, and rotate anything shared that they knew, such as admin passwords, API keys and SSH keys. This may only apply to your technical staff, and may not apply to anyone in your business, but these systems lie at the core of your business. In August 2020, a former Cisco employee pleaded guilty to accessing Cisco’s AWS environment without authorisation and deleting 456 virtual machines. He had resigned from Cisco in April 2018, and the deletion took place in September 2018, five months after he left.
Password managers are your company’s virtual bank vault. With the number of passwords we all use every day, they are practically indispensable. If an employee were to retain access to any company passwords after they left they could wreak havoc on your business. Most business password managers support multi-factor authentication; turn it on, and make sure ahead of time that company vaults belong to a company-owned account rather than an employee’s personal account or a personal device you can’t reclaim. It’s not enough to simply stop sharing your company’s passwords with ex-employees’ accounts; treat every password they could see as compromised and rotate it, starting with the ones they entered themselves.
Building and testing policy
The most important thing to bear in mind when you create policies for closing down former employees’ access is that they must be tested.
When an employee leaves you will need to follow these procedures under pressure, and every minute it takes to close down their access increases the risk of a security breach. Take the article from The Register as an example; it wasn’t until two days after her termination that the former employee accessed the shared drive. If the credit union had had rigorous procedures in place, the breach and data loss quite probably never would have happened.
This means that testing your policies before you need them is imperative. It’s a good idea to set up a test user on each of the services or devices your business uses. This will allow you to do a ‘dry run’ of your policies, giving you the opportunity to tweak any details that don’t work precisely as written.
Remember that precision is key; you can’t be sure that the people following these procedures will have deleted accounts or revoked access before, so your procedures must include detailed instructions for every account.
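As an added illustration of the ‘technical resources’ item in the checklist and of the dry run described above (this is example code written for this post, not a tool Biscuit ships), the script below is one offboarding runbook step for AWS IAM: it revokes every login path for a named user, then runs an independent check that lists anything still open. It assumes the leaver has an individual IAM user rather than SSO access. The `iam` argument is a boto3 IAM client (`boto3.client("iam")`) in production; for an offline dry run against a test user it is the constructed `FakeIAM` class, which answers only the calls the runbook makes, with the same argument names and response shapes. The user name and key IDs are made up.

```python
"""AWS IAM offboarding: revoke every login path for a departing user, then
verify independently that nothing was missed.

Added example, not Biscuit's tooling. Assumes the leaver has an individual IAM
user (not SSO). `iam` is boto3.client("iam") in production, or the constructed
FakeIAM below for an offline dry run against a test user.
"""
from dataclasses import dataclass, field


@dataclass
class Report:
    actions: list = field(default_factory=list)    # what the runbook changed
    remaining: list = field(default_factory=list)  # access paths still open


def _has_console_password(iam, user):
    """True if the user still has a console password (an IAM 'login profile')."""
    try:
        iam.get_login_profile(UserName=user)
        return True
    except Exception as exc:  # boto3 raises NoSuchEntityException (a ClientError)
        if "NoSuchEntity" in str(exc):
            return False
        raise


def verify_revoked(iam, user):
    """Independent check: every credential or permission the user still holds.
    Run before revocation to see the scope, and after, when it must return []."""
    open_paths = []
    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            open_paths.append(f"active access key {key['AccessKeyId']}")
    if _has_console_password(iam, user):
        open_paths.append("console password still set")
    for group in iam.list_groups_for_user(UserName=user)["Groups"]:
        open_paths.append(f"still in group {group['GroupName']}")
    for pol in iam.list_attached_user_policies(UserName=user)["AttachedPolicies"]:
        open_paths.append(f"policy still attached: {pol['PolicyName']}")
    return open_paths


def revoke_iam_user(iam, user):
    """Runbook step. Keys are set Inactive rather than deleted so a mistake can be
    reversed and the key ID stays searchable in CloudTrail; delete them later."""
    report = Report()
    for key in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]:
        if key["Status"] == "Active":
            iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"],
                                  Status="Inactive")
            report.actions.append(f"deactivated access key {key['AccessKeyId']}")
    if _has_console_password(iam, user):
        iam.delete_login_profile(UserName=user)
        report.actions.append("deleted console password")
    for group in iam.list_groups_for_user(UserName=user)["Groups"]:
        iam.remove_user_from_group(GroupName=group["GroupName"], UserName=user)
        report.actions.append(f"removed from group {group['GroupName']}")
    for pol in iam.list_attached_user_policies(UserName=user)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user, PolicyArn=pol["PolicyArn"])
        report.actions.append(f"detached policy {pol['PolicyName']}")
    report.remaining = verify_revoked(iam, user)  # [] means the step passed
    return report


class FakeIAM:
    """Constructed stand-in for the boto3 IAM client: only the calls used above,
    with the same keyword arguments and response shapes."""
    def __init__(self, users):
        self.users = users

    def list_access_keys(self, UserName):
        keys = self.users[UserName]["keys"]
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in keys.items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.users[UserName]["keys"][AccessKeyId] = Status

    def get_login_profile(self, UserName):
        if not self.users[UserName]["password"]:
            raise Exception("An error occurred (NoSuchEntity) when calling the GetLoginProfile operation")
        return {"LoginProfile": {"UserName": UserName}}

    def delete_login_profile(self, UserName):
        self.users[UserName]["password"] = False

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self.users[UserName]["groups"]]}

    def remove_user_from_group(self, GroupName, UserName):
        self.users[UserName]["groups"].remove(GroupName)

    def list_attached_user_policies(self, UserName):
        return {"AttachedPolicies": [{"PolicyName": a.rsplit("/", 1)[-1], "PolicyArn": a}
                                     for a in self.users[UserName]["policies"]]}

    def detach_user_policy(self, UserName, PolicyArn):
        self.users[UserName]["policies"].remove(PolicyArn)


def sample_directory():
    """Constructed test user holding the kinds of access a leaver might have."""
    return FakeIAM({"test.leaver": {
        "keys": {"AKIAEXAMPLE0000001": "Active", "AKIAEXAMPLE0000002": "Inactive"},
        "password": True,
        "groups": ["Developers", "Billing"],
        "policies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
    }})


if __name__ == "__main__":
    iam = sample_directory()  # swap for boto3.client("iam") to run it for real
    print("before:", verify_revoked(iam, "test.leaver"))
    report = revoke_iam_user(iam, "test.leaver")
    print("actions:", report.actions)
    print("remaining:", report.remaining)
```

The point of keeping `verify_revoked` separate from `revoke_iam_user` is that the check is what the dry run exercises: run the runbook against the test user, and if the check still lists something, the written procedure has a gap. One caveat this script cannot fix: temporary credentials the user already obtained through STS stay valid until they expire, so for roles the person could assume you also need to revoke active sessions (AWS does this with a deny policy conditioned on `aws:TokenIssueTime`).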
Biscuit are cyber-security experts, and we recognise that security is more than just the technology you use. We’ve helped dozens of our clients create a suite of secure, repeatable and effective policies. This means that with Biscuit handling your IT, security and infrastructure, everything is accounted for. Do you want to find out more about how we can help you keep your business secure? Give us a call on 01924 241 281 today.