The holiday season is upon us and with it comes the hiring and onboarding of seasonal workers—a 7% staffing increase in the retail sector, according to the Bureau of Labor Statistics.
However, gifts and good times aren’t the only things being shared during this festive period. As organizations bring on seasonal help, their access to critical systems can create long-term security risks for the business.
Just ask Nordstrom. In 2018, a seasonal hire exploited the retailer’s system to release credit card and Social Security information for thousands of customers. It was a painful lesson that demonstrated the high price of poor data security—hits to customer confidence and ensuing financial loss—when organizations fail to properly prepare.
Seasonal employees may be a necessity to keep business running smoothly during the holidays, but ensuring these workers have secure access to only the systems they need is equally critical. Think about it. Temporary workers are unfamiliar with your security policies, often lack the will to follow them, are routinely over-permissioned through default roles, and can at times retain access to your systems even after departing.
The risk is real, but the following four simple tips will help you mitigate the inherent risks of holiday hiring and leverage the season for strategic growth.
Tip 1: Create a role tailored to the access needs of a seasonal employee
Role-based access is a widely accepted best practice for limiting access to systems based on a user’s role in the organization. Rather than devising and assigning permissions from scratch for every new hire, role-based access enables administrators to create various user profiles that they then assign to a given role, automatically granting different groups of users the permissions and access they need to work.
Role-based access goes hand-in-hand with the principle of least privilege — employees are granted access only to the systems and applications they need to do their job. By limiting access in this way, organizations can reduce their attack surface while remaining productive.
Perhaps you already have profiles tailored to frontline employees, managers, IT staff, and other positions. It’s good practice to create roles for seasonal workers that allow even less access than your lowest-level year-round employees.
While seasonal employees are helpful and valuable, they are still outsiders. Think of them as guests to your holiday party. Of course, welcome them in, but be sure to lock the medicine cabinet.
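The two rules above (a seasonal role that grants strictly less than your least-privileged permanent role, and access that is bounded to the engagement dates) are easy to state and easy to let drift. The following added example, which is not from the original post and does not describe any particular product, models them as checks you can run against a role catalogue. The role names, permission strings and dates are constructed for illustration.

```python
"""Least-privilege checks for a seasonal role (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Optional

# Constructed permission sets for a retail environment (an assumption for the
# example, not the post's own data). Permissions are plain strings.
ROLES: Dict[str, FrozenSet[str]] = {
    "frontline": frozenset({"pos.sell", "pos.refund", "inventory.read",
                            "schedule.read", "crm.read"}),
    "manager": frozenset({"pos.sell", "pos.refund", "pos.void", "inventory.read",
                          "inventory.write", "schedule.read", "schedule.write",
                          "crm.read", "reports.read"}),
    # Seasonal staff get even less than frontline: no refunds, no customer records.
    "seasonal": frozenset({"pos.sell", "inventory.read", "schedule.read"}),
}


def seasonal_is_least_privileged(roles: Dict[str, FrozenSet[str]],
                                 seasonal: str = "seasonal") -> bool:
    """True only if the seasonal role is a strict subset of every other role.

    Run this whenever the role catalogue changes so that a permission added to
    the seasonal role "for convenience" fails the check instead of shipping.
    """
    seasonal_perms = roles[seasonal]
    return all(seasonal_perms < perms
               for name, perms in roles.items() if name != seasonal)


@dataclass(frozen=True)
class Account:
    username: str
    role: str
    start: date
    end: Optional[date] = None   # None means permanent staff, no end date


def is_authorized(account: Account, permission: str,
                  roles: Dict[str, FrozenSet[str]], today: date) -> bool:
    """Deny unless the account is inside its validity window and its role
    grants the permission. An unknown role grants nothing."""
    if today < account.start:
        return False
    if account.end is not None and today > account.end:
        return False
    return permission in roles.get(account.role, frozenset())


if __name__ == "__main__":
    temp = Account("jdoe.seasonal", "seasonal", date(2023, 11, 1), date(2024, 1, 5))
    print("catalogue ok:", seasonal_is_least_privileged(ROLES))
    print("sell on Dec 15:", is_authorized(temp, "pos.sell", ROLES, date(2023, 12, 15)))
    print("refund on Dec 15:", is_authorized(temp, "pos.refund", ROLES, date(2023, 12, 15)))
    print("sell on Jan 6:", is_authorized(temp, "pos.sell", ROLES, date(2024, 1, 6)))
```

The end date on the account is what turns "we'll remember to remove them" into a default-deny: once the engagement is over, the account grants nothing even if nobody gets around to disabling it.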
Tip 2: Make sure every employee has their own account
Setting up seasonal employees in your systems can be tough amid the holiday flurry. While it may be simpler to create one account for all seasonal workers to share, doing so makes it nearly impossible to trace an incident back to a particular individual. This lack of an audit trail can lead to non-compliance with various regulations and may also affect your ability to obtain cyber insurance.
Plus, consider this: If your seasonal employees regularly share an account, and you’ve never changed the password to that account, any seasonal hire who has ever worked for you can still access your system.
Tip 3: Implement security best practices like MFA
When most people think of someone breaking into a corporate network, they likely conjure the image of a hoodie-clad hacker pounding away at the keyboard, then proudly announcing “I’m in!”
In reality, systems don’t pose the greatest risk to your security — users do. 81% of hacking incidents utilize weak and stolen passwords, while malicious insiders and user errors stand as the top two threats to enterprise security.
Bad security practices like account-sharing and weak passwords often don’t stem from laziness or neglect. On the contrary, they are step-saving measures that make it easier to be productive. Implementing security controls almost always adds more clicks or steps to your employees’ work, making their lives harder in small but noticeable ways. For this reason, it is crucial to consider which controls to add that will offer the most security with the least complication for your workers.
Multi-factor authentication (MFA) is a security best practice that may give you the most bang for your effort. When MFA is enabled, users will need to provide two or more verification factors in order to gain access to a desired resource. This helps counteract the effect of weak and easily cracked passwords.
MFA isn’t a cure-all, but bad actors are often looking for the path of least resistance. If you’ve implemented MFA for both your regular and seasonal employees, most attackers will likely move on to find a victim with a more vulnerable access point.
Tip 4: Have a plan for offboarding seasonal employees after the holidays
After the rush of the holiday season is over, it’s important to review—and retighten—your system security. With all the access points created through the onboarding of new seasonal workers, you need a well-defined process to offboard them.
This means combing through your network, deactivating seasonal employee accounts, tightening role permissions, rotating passwords, and performing a detailed audit of your network security and attack surface.
Sure, this can feel like a lot of work – but having a plan is half the battle. Just as you box up your decorations and return them to the attic each January (or March), offboarding seasonal workers is simply part of the post-holiday routine.
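Tip 2 and Tip 4 both come down to questions you should be able to answer from an account inventory: which seasonal accounts are past their end date and still enabled, which accounts are shared, which passwords have not been rotated, and whether a given log event can be traced to one person. The added example below, which is not from the original post and is not tied to any identity product, runs those checks over a constructed account export and a constructed log line; the field names, usernames and dates are assumptions for illustration.

```python
"""Post-holiday offboarding audit and log attribution (added example, constructed data)."""
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Constructed inventory, shaped like an export from an identity system.
ACCOUNTS: List[Dict] = [
    {"username": "amartin", "role": "manager", "end_date": None, "enabled": True,
     "shared": False, "password_last_set": date(2023, 9, 2)},
    {"username": "seasonal01", "role": "seasonal", "end_date": date(2024, 1, 2),
     "enabled": True, "shared": False, "password_last_set": date(2023, 11, 1)},
    {"username": "seasonal02", "role": "seasonal", "end_date": date(2024, 1, 2),
     "enabled": False, "shared": False, "password_last_set": date(2023, 11, 1)},
    # A shared register login whose password was last set two holiday seasons ago.
    {"username": "holiday-register", "role": "seasonal", "end_date": None,
     "enabled": True, "shared": True, "password_last_set": date(2021, 11, 15)},
]

# Constructed: which individuals were handed the shared login over time.
SHARED_ACCOUNT_MEMBERS: Dict[str, List[str]] = {
    "holiday-register": ["seasonal01", "seasonal02", "seasonal03"],
}


def offboarding_audit(accounts: List[Dict], today: date,
                      max_password_age_days: int = 90) -> Dict[str, List[str]]:
    """Return usernames grouped by the action the audit calls for.

    disable:         seasonal engagement ended but the account is still enabled
    shared:          account used by more than one person (no audit trail)
    rotate_password: enabled account that is shared, or whose password is older
                     than the threshold (any past holder can still log in)
    """
    findings = {"disable": [], "shared": [], "rotate_password": []}
    for a in accounts:
        ended = a["end_date"] is not None and a["end_date"] < today
        if ended and a["enabled"]:
            findings["disable"].append(a["username"])
        if a["shared"]:
            findings["shared"].append(a["username"])
        if not a["enabled"]:
            continue   # nothing to rotate on a disabled account
        stale = today - a["password_last_set"] > timedelta(days=max_password_age_days)
        if a["shared"] or stale:
            findings["rotate_password"].append(a["username"])
    return findings


def apply_disables(accounts: List[Dict], usernames: List[str]) -> int:
    """Disable the listed accounts in the inventory; returns how many changed.
    In a real environment this step would call the directory or IdP API."""
    changed = 0
    for a in accounts:
        if a["username"] in usernames and a["enabled"]:
            a["enabled"] = False
            changed += 1
    return changed


def attribute(log_line: str,
              shared_members: Dict[str, List[str]]) -> FrozenSet[str]:
    """Return the set of people an event could have come from.

    Expects a constructed line of the form
    '<timestamp> user=<name> action=<verb> ...'. For a personal account the
    result is one name; for a shared account it is everyone who ever had it,
    which is exactly the audit-trail problem Tip 2 describes.
    """
    fields = dict(kv.split("=", 1) for kv in log_line.split()[1:])
    user = fields["user"]
    return frozenset(shared_members.get(user, [user]))


if __name__ == "__main__":
    today = date(2024, 1, 15)
    report = offboarding_audit(ACCOUNTS, today)
    print(report)
    print("disabled:", apply_disables(ACCOUNTS, report["disable"]))
    # Constructed log line
    print(attribute("2023-12-24T18:02:11Z user=holiday-register action=refund amount=240.00",
                    SHARED_ACCOUNT_MEMBERS))
```

Running the audit is the easy part; the point of the end-date field and the shared flag is that they have to be captured at onboarding, which is why the offboarding plan is worth writing before the first seasonal hire logs in.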
A Zero-Trust Holiday
In the sea of customers, seasonal employees, and transactions that typify the holiday rush, it’s easy to assume a breach or incident could never happen to you.
But consider the stakes and the consequences of being wrong. In the retail space, brand reputation and customer confidence can make or break your bottom line — and that’s true all year long.
As more people work and shop from home, the challenges of securing your organization in the pursuit of growth, revenue, and better customer experiences will only grow higher-stakes. These security suggestions are evergreen and should ultimately be applied to everyone accessing your systems, whether they’re a full-time employee, a third-party contractor, or a short-term seasonal worker. By enforcing access based on the principles of zero-trust, you won’t need to worry about any unwelcome guests dropping down your chimney.