If the article title caught your eye, great! You may be asking yourself one or both of the following questions:
- What does the Great Resignation have to do with cybersecurity?
- Is cybersecurity still an issue for me even if my company hasn’t been affected by the Great Resignation?
This article will aim to answer both of those questions so if they are pertinent to you, please read on to learn about these cybersecurity tips.
By now everyone is familiar with the Great Resignation. As a result of the pandemic, workers are reassessing their jobs, careers and work-life balance. Some workers are retiring while others are changing jobs to take advantage of greater pay and work from home capabilities. Others are changing careers towards those with better conditions, hours, etc. The net result is that companies are losing employees at a record pace. I’m not going to get into the statistics behind what all of us are seeing because that isn’t the purpose of this blog, there are better resources for those numbers and as the great Chevy Chase said, “It was my understanding that there would be no math.”
What does cybersecurity have to do with the Great Resignation? A major vector that is exploited by hackers is that of the unattended account. In a company with a well-oiled IT department, when an employee leaves a company, IT has a documented procedure of what is done with that account which can include:
- Forwarding emails
- Disabling the former employee’s account or changing the password
- Limiting the permissions the account has
- Monitoring activity on the account
Alas many companies do not have such a procedure and even for those that may, IT is often the last to hear about employee departures. Sprinkle in the fact that IT departments are struggling even more for resources as a result of the Great Resignation and you can easily see the growing problem. When an account is left unchanged and unmonitored by the employee using it, that account becomes hacker’s gold in trying to hack a company.
Now you may ask yourself “but how does the hacker know that this employee left?” The hacker doesn’t but it doesn’t matter. Many hacking techniques involve casting a wide net and when they are attempting to gain access to dozens of accounts, the ones that are used daily and get noticed by the employee when something odd happens are the accounts that the hacker all of a sudden finds themselves shut out of. But the ones not being used, with passwords unchanged for months, are the ones that don’t shut out the hacker and the hacker eventually gains access. However, don’t also discount those hackers that target a company, view the LinkedIn accounts for employees who work there and identify accounts of individuals who have recently left.
With the Great Resignation you have even more accounts that aren’t disabled or disposed of properly allowing for many ways that hackers can get into your environment and cause financial and reputational damage. Here at Vestige, when we investigate a ransomware matter or another cybersecurity incident, the conversation often goes like this:
Vestige: “It looks like the hacker used the jsmith account and was using it for months.”
Client: “JSmith? That person retired a year ago.”
Some of you reading this might be breathing a sigh of relief. You haven’t been impacted by the Great Resignation because your staff has seen the same, or even less employees leaving in the past two years. Don’t let that sigh turn into a hyperventilating incident with what you are about to read. Unless your company works in a bubble — you have vendors, customers and partners that interact with your employees or maybe have access to data on your system. Think about your outside IT company, or managed service provider (MSP). Vestige has investigated multiple cybersecurity incidents in the past couple of years where it was the MSP, or outside IT, that was breached allowing the hacker to attack the clients of that MSP with the same unfettered access that your trusted provider has in your environment. How did those attacks start? It was no fault on the part of the victim company but instead was started by an unattended account at the MSP related to one if THEIR departed employees. Don’t have an MSP? How about a client or vendor with which you conduct financial transactions? Don’t think that an unattended account can’t start sending email that cause you, or the other company, to send payments to a bank that the hacker controls. For those of you reading this article that have web portals for your clients, who is responsible for what happens with accounts for your client’s systems?
What can be done about all of this? The first step is to assess what situation your company is in. Do you have policies and procedures to properly handle departed employees? Are those procedures being tracked and audited? What do your vendors and partners do? How do you communicate your wishes for what happens with accounts for departed employees? More importantly, what other controls do you have in place to mitigate issues when either your company, or a partner company, doesn’t properly handle accounts for departed employees?
The benefit of working with someone like Vestige to shore up your defenses is we see both sides of the issue. Our Incident Response Team sees how departed employees are used to infiltrate systems and our Cybersecurity Team knows what policies, procedures and practices mitigate these issues. CONTACT US today to explore how we can partner with you in 2022 and beyond.
by Greg Kelley, BS, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations
Follow Vestige on Linkedin