Updated November 30, 2023. Originally published December 13, 2022.
Even amidst a cooling job market, retailers and retail-adjacent companies in the US announced well over half a million seasonal positions in September and October of this year, according to data from Challenger, Gray & Christmas.
But with this massive uptick in worker onboarding, organizations may get more than sugar and spice. When new employees—including temporary ones—are given access to sensitive corporate systems without the proper access and oversight controls, it can lead to long term security risks for the business.
Just ask Nordstrom. In 2018, a seasonal hire exploited the retailer’s system to release credit card and social security information for thousands of customers. It was a painful lesson that demonstrated the high price of poor data security—hits to customer confidence and ensuing financial loss—when organizations fail to properly prepare.
Seasonal employees may be a necessity to keep business running smoothly during the holidays, but ensuring these workers have secure access to only the systems they need is equally critical. Think about it: Temporary workers are unfamiliar with your security policies, may lack motivation to follow them, are routinely over-permissioned through default roles, and may even retain access to your systems even after departing.
The risk is real, but the following these four simple tips will help you mitigate the inherent risks of holiday hiring and leverage the season for strategic growth.
Tip 1: Create a role tailored to the access needs of a seasonal employee
Role-based access is a widely accepted best practice for limiting what systems and applications a user can reach based on their role in the organization. Rather than devising and assigning permissions from scratch for every new hire, role-based access enables administrators to create various user profiles that they then assign to a given role, automatically granting different groups of users the permissions and access they need to work.
Role-based access goes hand-in-hand with the principle of least privilege — employees are granted access only to what they need to do their job. By limiting access in this way, organizations can reduce their potential attack surface while remaining productive and efficient.
Perhaps you already have profiles tailored to frontline employees, managers, IT staff, and other positions. It’s good practice to create roles for seasonal workers that allow even less access than your lowest-level year-round employees.
While seasonal employees are helpful and valuable, they are still outsiders. Think of them as guests to your holiday party. You want them to come in and enjoy, but you wouldn't leave the medicine cabinet wide open.
Tip 2: Make sure every employee has their own account
Setting up seasonal employees in your systems can be tough amid the holiday flurry. While it may be simpler to create one account for all seasonal workers to share, doing so makes it nearly impossible to trace an incident back to a particular individual. This lack of an audit trail can lead to non-compliance with various regulations and may also affect your ability to obtain cyber insurance.
Plus, consider this: If your seasonal employees regularly share an account, and you’ve never changed the password to that account, any seasonal hire who has ever worked for you can still access your system.
Tip 3: Implement security best practices like MFA
When most people think of someone breaking into a corporate network, they likely conjure the image of a hoodie-clad hacker pounding away at the keyboard, then proudly announcing, “I’m in!”
In reality, systems don’t pose the greatest risk to your security — users do. 81% of hacking incidents utilize weak and stolen passwords, while malicious insiders and user errors stand as the top two threats to enterprise security.
Bad security practices like account-sharing and weak passwords often don’t stem from laziness or neglect. On the contrary, they are step-saving measures that make it easier to be productive. Implementing security controls almost always adds more clicks or steps to your employees’ work, making their lives harder in small but noticeable ways. For this reason it is crucial to consider which controls to add that will offer the most security with the least complication for your workers.
Multi-factor authentication (MFA) is a security best practice that gives organizations considerable bang for their effort. When MFA is enabled, users will need to provide two or more verification factors in order to gain access to a desired resource. This helps counteract the effect of weak and easily cracked passwords.
MFA isn’t a cure-all, but bad actors are often looking for the path of least resistance. If you’ve implemented MFA for both your regular and seasonal employees, most attackers will likely move on to find a victim with a more vulnerable access point.
Tip 4: Have a plan for offboarding seasonal employees after the holidays
After the rush of the holiday season is over, it’s important to review—and retighten—your system security. This means combing through your network, deactivating seasonal employee accounts, tightening role permissions, rotating passwords, and ideally even performing a detailed end-of-year audit of your network security and attack surface.
Sure, this can feel like a lot of work – but having a plan is half the battle. Just as you box up your decorations and return them to the attic each January, offboarding seasonal workers is simply part of the post-holiday routine.
A Secure Holiday is a Happy Holiday
In the sea of customers, seasonal employees, and transactions that typify the holiday rush, it’s easy to assume a data breach or security incident could never happen to you.
But consider the stakes and the consequences of being wrong. In the retail space, brand reputation and customer confidence can make or break your bottom line — and that’s true all year long.
As more people work and shop from home, the challenges of securing your organization in the pursuit of growth, revenue, and better customer experiences will only grow more high-stakes. These security suggestions are evergreen and should ultimately be applied to everyone accessing your systems, whether they’re a full-time employee, a third-party contractor, or a short-term seasonal worker. By enforcing access based on the principles of zero trust, you won’t need to worry about any unwelcome guests dropping down your chimney.
