As Aotearoa moves into the new year, more than one in three Kiwi workers are looking to change jobs. That means most New Zealand businesses will be onboarding and offboarding staff in the coming months. One thing I often notice as a CISO is how important it is to incorporate cyber security aspects into your onboarding program.
When you add a new employee to your system, you’re handing them access to your company data. That means they’ll be able to explore your company directories and take data offline without anyone noticing. This is not a problem so long as they use it to do their job – but have you thought about what happens to that data when they leave the company?
This is why it’s important for businesses, especially ones that deal with sensitive technology and client information, to have a strong, consistent cyber security practice woven into their onboarding and offboarding processes. Train your team on cyber security do’s and don’ts from day one to set them on the right path.
Here’s a checklist to help you implement cyber security into your onboarding and offboarding programme to promote a strong sense of cyber risk awareness at work.
The more layers the better
Whether your employees work from home or onsite, they must log into the company network to access their work systems and data. Having multi-factor authentication (MFA) enforced across the entire organisation is the first step to cyber security.
Doing so is extremely easy if you’re using cloud-based enterprise solutions such as Google Workspace or Microsoft Office 365. These give you an option to enforce MFA across your organisation. It’s one of the quickest and yet most impactful ways to reduce risk of unauthorised access by hackers, especially in remote working environments.
Another useful tool to add protection to your cyber security front door is to get every employee using a password manager. There are plenty of free options abound, which can easily be downloaded as an app on your phone, or for your desktop.
Provide basic training and guidelines
The next step is to add a section on cyber security in your onboarding material. Make sure your new employee knows where to find security policies, who to contact in case of a security event, and how to spot and deal with a phishing email.
Also give guidance on cyber security best practice. Common sense is not always common practice when it comes to cyber security, and with hackers using sophisticated social engineering techniques in a bid to fool unsuspecting users, vigilance is key. Scams can come via email, text or even through social media, so it’s important to reinforce the dangers around clicking blindly on links, and checking any suspicious messages before you reply or download attachments.
Train people to lock their screens when they leave the computer unattended, and to pick up their printing from the printer straight away. Also make sure they understand how to securely share files, through cloud link and password protection.
If your employees deal with sensitive information, make sure they take extra caution with their work device. Have a clear policy about using work devices for personal use or sharing them with family members.
Leave no door open
Having a consistent offboarding process is just as important. Make sure that when employees leave, there is a protocol in place to ensure their accounts are closed and access revoked. Make sure you track the date the IT team is notified of an exit, as well as the date staff left the business and their account deactivated.
Very few companies have an offboarding process to check what kind of access the employee was given and how it’s been closed or handed over. So quite often, employees can access confidential data long after they have left the business. This could cause problems in today’s remote working environment. To reduce risks, make it a part of offboarding process to change passwords to shared digital channels and assets.
In most cases, line managers handle the onboarding process for their staff members. So, make sure they understand the proper offboarding process to close off all credentials for when their staff members leave.
Lastly, it’s important to have a proper offboarding session to remind the employee of what data they can take with them, and what are the consequences of taking what they’re not supposed to. This can be done by the IT or HR team to ensure consistency, rather than the line manager.
The rise of remote working means we are more connected than ever before. Unfortunately, the convenience of many collaboration tools come at the expense of added cyber risks. A proper onboarding and offboarding process will reduce risks and protect your employees from unknowingly opening doors to external threats. Make the best of the opportunity and start building a positive cyber security culture in your organisation.