The need to address off-boarding processes and risks is most timely, as the early 2022 trends known as ”the great resignation”, ”quiet quitting”, and now, the re-evaluation of over-staffing by many companies during the pandemic has given way to a new era of ”loud layoffs” and ”mass off-boarding”.
Neither employees, management or shareholders want the term ”mass off-boarding” associated with their organization. The very process is uncomfortable at best — and dangerous at worst. Failure to properly off-board access in a methodical and comprehensive manner exposes an organization to a myriad of threats and liabilities, including workplace violence, data theft, and more.
In recent weeks, several major US companies have announced that they are making significant cuts to their workforce in an effort to offset the fear of a recession and inflated labor costs. Employee terminations are increasing from hundreds to tens of thousands at a time. This poses unique access risks and insider threats to the organizations who are conducting these layoffs.
As a result, it has never been more important for organizations to review their current off-boarding processes. Regardless of whether mass layoffs are planned or not, it pays to implement an effective off-boarding process that is comprehensive, automated, and proactive to ensure that all access is correctly off-boarded. — After all, it only takes a single disgruntled ex-employee to cause irreparable damage to your company and its assets. The most important assets of all of course are your remaining employees.
The Typical Off-Boarding Process
When an employee resigns or is terminated, the next step is typically to schedule and undertake the revocation of their access. This includes physical access to facilities via keys, badges, fobs, the returning of assets such as laptops, cellphones, etc and the removing their access to connected and disconnected systems and accounts.
Off-boarding is typically triggered by the employee’s manager and/or a People and Culture representative initiating one or many support requests and emails, as well as validating manually that automated workflows completed successfully. Handling support requests to revoke access for individual employees across multiple business systems simultaneously is typically time-consuming, introduces significant opportunities for error and often results in what is now being referred to as ”Access Chaos”.
Erroneous access is further compounded as the teams that manage and coordinate the access, struggle to keep up with the sheer number and frequency of staff changes, resulting in a backlog of requested permission changes. The level of chaos and risk grows as the number of employees joining, moving, and leaving increases.
A terminated and disgruntled employee may seek to cause harm to the organization and its employees in a couple of different ways.
The first is in the form of data theft; wherein the employee attempts to forward, share, or destroy sensitive company data. Such an infraction can also lead to compliance violations or breaches of confidentiality that can further cause a company irreparable damage.
The second, also the worst-case scenario; via a physical security threat, where the employee enters a facility to carry out acts of violence. Despite whether an organization is aware that they’re experiencing Access Chaos or not, the risks are the same, and they require mitigation.
Advantages of Automation
One of the largest contributors to Access Chaos is the disconnected nature of siloed business systems and functions. High-risk, complex, and legacy systems often operate in isolation, disconnected from both people data and related processes. This means, for example, that even though an employee has been denoted as terminated’ within the HR System, the Physical Access Control System that manages access to the buildings may not automatically revoke access until a manual request to remove access has been made. This is how an ex-employee gains inappropriate access to facilities even after offboarding.
Automating off-boarding allows the process to take place across the enterprise (in some cases in near real-time). Modern software solutions now have the ability to virtually map data from disparate systems together quickly, delivering immediate visibility of the related data within Physical Access Control Systems (PACS), Human Resources (HR), Active Directory (AD) and other high-risk business applications, etc.
Once problematic access rights have been detected, these rights are then checked against security and safety policies configured in the system to identify unauthorized access. For example, if an employee is off-boarded and identified as inactive within the HR software, the system can be configured to issue an alert that the employee still retains physical or logical access identified in other systems. This process can now be taken one step further as the automated system initiates corrective actions to be pushed from the platform to a ticketing or other system for remedial action.
Getting Started
Deploying such software previously took months and years of effort and duration. New advances in technology, coupled with a pandemic to fuel progress, has resulted in more modern solutions that mitigate these risks by removing the daunting, error-prone, and time-consuming processes associated with manual off-boarding — and they do so on a massive scale across the enterprise.
Gaining visibility of Access Chaos and mitigating the risk within manual off-boarding processes are essential in today’s fast-moving landscape. Companies require a simple and holistic view into who has access to what’ within their buildings and systems so that they are immediately able to take action to ensure only the right people have access.
It is time that Physical Security, Operational Technology, IT, HR, and other authorized personnel are able to easily collaborate, review, and take action to mitigate unauthorized access. They need this not only from the perspective of off-boarding, but also to support other operational processes such as demonstrating various industry compliance standards such as ISO 27001, HIPAA, SOX, and many others.
By holistically identifying and managing the access footprint of every identity across the enterprise, companies are able to ensure their facilities, assets and data are continuously protected from inappropriate access by one or many individuals.
To learn more about RightCrowd Access Analytics, contact us.
