Last month, you were invited on a unique trip down the path of how much a disgruntled employee could wreak havoc on a company. Given just a few bad ideas, URLs, and just a little bit of cash, we drew a dark picture of what COULD happen if you elect to take Cyber Security lightly and maintain a subpar employee termination policy.
It would simply be a disservice to the reader if I gave you only the venom of a cyber security issue, but not the antidote. Allow me to lay out a few pointers any CEO, Human Resources, Operations Officer, or Manager should be cognizant of when terminating an employee. If you were lucky enough to read last month’s Lens of Exploitation, the following advice should soothe any concerns Part 1 of this series illuminated.
So my dear readers, from soup to nuts, here is the full mitigation plan to ensure the activities outlined in Part 1 of The Lens of Exploitation are not a risk to your organization.
Step 1: How You Hire
The first step in ensuring you have a tight employee termination program is to ensure your hiring process is up to par. No matter the position, I suggest you perform background checks on all personnel prior to hiring them. The intensity of the background check should depend on the employee’s position and the level of access to company resources the individual will have. As an example, someone applying for an entry-level position at a University will not require the same level of background check as someone applying for a position with the Ministry of Defense. However, if the individual were applying for a position within a University requiring access to funds or other sensitive materials, a more thorough check would be in order.
Because of the legal ramifications of a background check, it’s always wise to consult with legal counsel. This can help you determine if there are any legal restrictions you must abide by and, obviously, help your organization avoid any legal troubles.
Step 2: The On-boarding Process
The on-boarding process (employee orientation) is your first direct chance to emphasize security’s importance within the organization and to arm new employees with proper security awareness training. This training should also be customized to the security requirements of the employee’s position. Your organization should require new employees to sign a non-disclosure agreement promising to protect sensitive data. During the security awareness training, employees should also sign an acceptable use policy stating they have read and understand the company’s security policies and the ramifications for non-compliance.
These signed documents will protect the company, in a legal capacity, in the event an employee is terminated.
Step 3: Company Security Requirements
Security training doesn’t end with orientation. It’s an ongoing, continually evolving process that must keep pace with the needs of the organization. Security requirements will change from one organization to another, and, depending upon the security needs of the environment, some practices may be more appropriate than others. For instance, recurring background checks may be necessary to determine whether an employee has become a security risk. Once again, to avoid serious legal repercussions, having legal counsel present would be in your company’s best interest. Also, any actions taken as a result of information gleaned from an investigation should be cleared with an attorney.
Step 4: Post Employee Termination
As noted in Part 1 of this series, there are always concerns to negotiate when terminating an employee. Therefore, it is vital the process be as fluid as possible. Holding an exit interview reduces this risk. It is a good time to remind employees they are legally bound to comply with the organization’s security policies as dictated by the non-disclosure and confidentiality agreements they signed. Additionally, it is important to retrieve physical items like keys and keycards, disable accounts, and deactivate the employee’s access to the areas and services they were once privileged to use. This will prevent them from remotely accessing services and information they should no longer be able to reach.
The team responsible for your organization’s security policies should take these steps into account, because the greatest vulnerability can be the people working for the organization. However, it’s important to remember that, while the security team helps create the policies and procedures for suspending a user’s access, they should not be the ones to make the decision.
Unfortunately, employee termination is inevitable. To minimize the risks a termination can create, it’s important to plan accordingly for this situation. With that said, use this checklist, which highlights key factors to consider when developing employee termination procedures:
Always have at least one other individual present when informing any employee of their termination. For instance, have a meeting with the employee, their supervisor, and a human resources manager. Do not fire them in a public manner; that can be embarrassing and draw further attention to the situation. Doing so will also add fuel to the fire if the employee does decide to go rogue. Keep the tone calm and businesslike. Nothing should be personal in these sensitive times.
Last, but not least, deactivate the access to the network and vital services the employee once had. Retrieve all physical access devices such as IDs, keys, and smart cards.
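The Step 4 advice above, disabling accounts and deactivating every service the employee could once reach, is easy to state and easy to get only half right. As an added illustration (example code, not part of the original column or any tool it mentions), the following Python models a departing employee’s access inventory as constructed in-memory records and performs two things the article calls for: revocation of every grant issued to the person, executed by the security operator only once an HR decision is recorded, and a verification pass that reports anything still usable afterwards. It goes slightly beyond the text in one respect: it also flags active credentials the employee created for other principals (a service-account API token, for instance), since revoking by account ownership alone would leave those in place. All system names, user ids and the inventory itself are hypothetical; a real deployment would query the identity provider, VPN, bastion and badge systems instead of a list.

```python
"""Offboarding: revoke a departing employee's access, then verify nothing is left.

Added example; all names and records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Grant:
    kind: str                        # "account", "vpn", "ssh_key", "api_token", "badge"
    system: str                      # hypothetical system name
    owner: str                       # principal the grant is issued to
    created_by: str                  # person who created it (may differ for service accounts)
    active: bool = True
    revoked_by: Optional[str] = None
    revoked_on: Optional[date] = None


@dataclass
class Inventory:
    grants: List[Grant] = field(default_factory=list)

    def held_by(self, user: str) -> List[Grant]:
        return [g for g in self.grants if g.owner == user]

    def created_for_others_by(self, user: str) -> List[Grant]:
        # Credentials the person minted for another principal and therefore may still know.
        return [g for g in self.grants if g.created_by == user and g.owner != user]


def revoke_for_user(inv: Inventory, user: str, hr_approver: str,
                    operator: str, today: Optional[date] = None) -> List[str]:
    """Disable every grant issued to `user`. The security operator executes the
    revocation, but only against a recorded HR decision (the article's point that
    the security team should not be the one deciding)."""
    if not hr_approver:
        raise ValueError("offboarding requires a recorded HR approver")
    today = today or date.today()
    revoked = []
    for g in inv.held_by(user):
        if g.active:
            g.active, g.revoked_by, g.revoked_on = False, operator, today
            revoked.append(f"{g.kind}@{g.system}")
    return sorted(revoked)


def residual_access(inv: Inventory, user: str) -> List[str]:
    """Verification pass: report grants to `user` that are still active, plus
    active credentials `user` created for other principals."""
    leftovers = [f"{g.kind}@{g.system}" for g in inv.held_by(user) if g.active]
    leftovers += [f"{g.kind}@{g.system} (owner {g.owner}, created by {user})"
                  for g in inv.created_for_others_by(user) if g.active]
    return sorted(leftovers)


def offboard(inv: Inventory, user: str, hr_approver: str, operator: str,
             today: Optional[date] = None) -> dict:
    """Run revocation, then the residual-access check, and return both lists."""
    revoked = revoke_for_user(inv, user, hr_approver, operator, today)
    return {"revoked": revoked, "residual": residual_access(inv, user)}


def build_sample_inventory() -> Inventory:
    # Constructed sample records; "jdoe" is the departing employee, "asmith" stays.
    return Inventory([
        Grant("account", "ad.corp.example", "jdoe", "it-helpdesk"),
        Grant("vpn", "vpn.corp.example", "jdoe", "it-helpdesk"),
        Grant("ssh_key", "bastion.corp.example", "jdoe", "jdoe"),
        Grant("badge", "hq-doors", "jdoe", "facilities"),
        # Token jdoe created for a deployment service account: survives an owner-only revoke.
        Grant("api_token", "ci.corp.example", "svc-deploy", "jdoe"),
        Grant("account", "ad.corp.example", "asmith", "it-helpdesk"),
    ])


if __name__ == "__main__":
    report = offboard(build_sample_inventory(), "jdoe", "hr-manager", "secops")
    print("revoked:", report["revoked"])
    print("still needs attention:", report["residual"])
```

The residual list is the part worth keeping in a real procedure: if it is non-empty after the revoke step, the offboarding is not finished, and the remaining items (here, a service-account token the employee minted) need rotating rather than disabling, because the owner of record is not the person leaving.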
The above bits of advice should give you a bit of perspective when thinking about the next termination happening within your organization. I digress; The Lens of Exploitation Part 3 arrives next month. Stay tuned. To read the exclusive feature on “The Lens of Exploitation-Part 1”, click here.
Edited January 2020.
Original exclusive feature on “The Lens of Exploitation-Part 2” in BizBahrain, July 2016 issue, pp. 62–63, by J. Tate, bits&digits.