Over the past three years, the Covid-19 pandemic and resulting economic upheaval have triggered multiple waves of employee retention challenges, ultimately becoming one of the most significant workforce disruptors in history.
Initially, the emergence of the "Great Resignation" phenomenon prompted a surge in employees actively seeking new opportunities, compelling companies to scramble to fill roles and resort to offering competitive incentives in a bid to retain valuable talent. More recently, the business landscape has been engulfed by a sweeping wave of mass layoffs spanning multiple industries.
Of course, employees come and go all the time, and good offboarding processes are important; however, they are even more crucial amid job market volatility and, in particular, mass layoffs. Terminated employees often retain unwarranted levels of access to user accounts, expanding the attack surface for a nefarious actor to exploit. In this blog post, we will delve into the cyber risks posed by terminated employees and suggest practical steps to effectively mitigate these pressing security vulnerabilities.
Today’s economic climate has resulted in a large number of involuntary employee departures. These exits spark the possibility of frustrated or disgruntled former employees re-accessing critical business information. This can include infrastructure-as-code, private GitHub repositories, customer data, SaaS application logins, and more.
And if you think “My employees wouldn’t do that,” think again. Studies reveal that more than 83% of ex-employees admit to accessing their previous employer's accounts.
These access attempts may not all necessarily be malicious, but malintent isn't the only danger. A terminated employee's leftover account credentials widen a company’s overall attack surface and leave it open to “Initial Access” steps in the MITRE ATT&CK killchain. Exploitation can occur even within innocuous applications, ranging from everyday tools such as Slack to critical production code in GitHub.
In the current job market, marked by an influx of layoffs within the tech sector, hackers are actively exploiting news of workforce reductions to specifically target recently terminated employees, further intensifying the urgency to address these security concerns head-on.
In the wake of strained relationships between companies and former employees, attackers have developed tactics to use terminated employees to gain access to company assets. These typically come in the form of social engineering methods that directly target an employee's emotions and sudden unemployment status directly.
In times of job market volatility, job scams proliferate. Attackers target ex-employees from companies who have recently undergone significant workforce reductions. Through enticing offers, they trick the ex-employee with a phishing link to gain access to the user’s system. Once inside they can extract sensitive information (like common security questions for password resets) and steal login information.
Attackers may also offer direct compensation to terminated employees in exchange for sensitive information or access. If ex-employees are disgruntled or haven’t been properly offboarded, they can cause serious damage to the company.
It may be layoffs making the headlines, but hiring is also happening. The innocuous actions of new employees can provide an observant malicious actor with the info they need to mount an attack. “Badge pics” or “first-day pics” may, for example, accidentally reveal a Post-It note in the background containing a password. Attackers can also easily recreate the barcode shown on an ID badge.
By understanding these tactics, organizations can remain vigilant and implement comprehensive offboarding processes to reduce their attack surface. This can be as simple as creating a checklist for all offboarded employees with actions of de-provisioning login credentials, disconnecting user access to messaging services (like Slack), and revoking access to any non-Single Sign-On-based system.
To mitigate the risks associated with terminated employees and safeguard your business, it is crucial to implement robust security measures. Here are some key steps to consider:
Prevent poor security hygiene: Encourage employees to refrain from account sharing and adopt strong password practices. Shared accounts and stagnant passwords significantly increase the likelihood of terminated employees retaining access.
Coordinate HR, finance, IT, and security teams: Establish a collaborative effort between these departments to create a comprehensive inventory of devices and accounts that must be promptly revoked when an employee leaves the organization. This ensures that access termination is carried out efficiently and effectively.
Implement single sign-on (SSO): SSO simplifies the process of access revocation by enabling the removal of all access rights in one centralized action. By integrating SSO into your organization's infrastructure, you can streamline the termination process and minimize the risk of lingering access.
Protect your data: Employ visibility, control, and remediation tools to monitor and prevent the unauthorized transfer or disclosure of sensitive data and intellectual property. Consider implementing measures such as blocking screenshots, print jobs, transferring data to unauthorized devices, or restricting copy/paste clipboard access.
Gain visibility into risky behavior: Using a threat detection platform or user and entity behavior analytics (UEBA) software can help organizations achieve visibility into any malicious or otherwise unusual activity by user accounts. If an old account is still active, activity will trigger a notification that can be responded to in a timely manner.
Have some tact: A callous offboarding experience, especially in such a turbulent job market, can push people to be less hesitant about exploiting sensitive information. Even in difficult circumstances, remember to treat employees with respect and remind them of their contractual obligations around offboarding.
Mass layoffs are not easy for anyone, employers or employees. Terminated workers may be angry, while security and IT teams may be overwhelmed at the thought of offboarding dozens, hundreds or even thousands of employees. However, in light of the security concerns we’ve highlighted in this blog, organizations simply must prioritize the protection of their assets and users by identifying and then rectifying any gaps within their current offboarding process.