Many security teams have prioritized defending against external threat actors or insider threats, but the critical juncture of workers coming into - and leaving - businesses is sometimes overlooked. While onboarding and offboarding play an important role in keeping tabs on access, permissions and privileges, these are operationally complex, time-consuming processes - and security frequently falls between the cracks.
Organizations are dealing with a multitude of complexities across their onboarding and offboarding processes. It’s difficult for companies to maintain visibility over employees' access to dozens of applications and systems. And it’s not just employees anymore: With the emerging gig economy and the increasing outsourcing of businesses, onboarding and offboarding processes now need to account for anyone who might need access to data within the organization - whether that’s a contractor, a regulator, a partnering business - even students, as part of the higher education landscape.
“The offboarding piece is still really really problematic - and it’s not a technology issue, it’s a business process issue,” said Helen Patton, CISO for the Security Business Group at Cisco. “This is a known issue that every CISO, auditor and compliance office deals with. It’s super challenging to balance the needs of the business with what seems like a simple thing, which is if [a person] left the company, to just cut off her access.”
Though various automation solutions have streamlined onboarding and offboarding procedures, from an operational perspective the end to end processes here are still complex and are owned by multiple departments within an organization.
The Human Resources department may manage the employee side of offboarding and onboarding - including background checks, the recruiting process and exit interviews - but there are many other different components at play here. The IT department may own the enterprise application that would manage these HR processes, with security layered on top. Other departments may also be a part of this process as well, such as the purchasing department for contractors or customer support for a business-to-business partnership.
The number of players involved here can pave the way for potential authentication and access issues, as well as for miscommunication and mistakes. These challenges are exacerbated in vertical markets with “revolving doors of workers,” said Patton.
“The offboarding piece is still really really problematic - and it’s not a technology issue, it’s a business process issue.”
“In verticals like retail, where you have people come and go and come back again, it doesn’t make sense from a business perspective - if you have seasonal employees - to create their access, terminate it when they go away, and then have to create it again when they come back,” said Patton. “With the gig economy, with these revolving doors of workers, there’s a business need to maintain these accounts, even if you disable the access, but you have to remember to disable the access.”
Lax offboarding policies can lead to data being maliciously or inadvertently exposed, or even unauthorized access to physical controls. Last year, Block revealed that a former employee used their existing access to its Cash App product in order to download customers’ personal information. And in 2019, a former employee of a Kansas-based water facility, Wyatt Travnichek, was able to remotely log into the plant’s computer system without authorization, and tamper with its disinfectant levels. The incident occurred two months after Travnichek’s employment at the water plant had ended; however, the water district used a shared passcode to allow remote access to the plant’s software, according to reports.
Despite these risks, offboarding involves much more than simply removing or undoing what was done to onboard an employee, said Timothy Morris, chief security advisor at Tanium. Many workers are tied to a tangle of different permission settings and accesses that are becoming harder for businesses to track. Access to shared folders, files, corporate accounts and cloud services needs to be revoked, Active Directory accounts disabled and deleted and shared passwords reset.
“Many assume that an ID being disabled is all that's required,” said Morris. “While that is a good start, it doesn't mitigate or remove risks. I've seen [cases] where systems are integrated tightly as part of onboarding so access is granted as desired, but the lack of mature offboarding processes and integration will leave applications and systems with lingering IDs and credentials that are gold for an attacker. It is wise for organizations to hunt for stale accounts and use watch lists to monitor for any activity for IDs that should no longer be in use.”
Security incidents centralized around offboarding are more common, but threat actors have also leveraged security gaps in the onboarding process as well. In May, industrial control system security company Dragos disclosed an extortion attempt against the company where the threat group started the attack by compromising the personal email address of an incoming sales employee before the new hire started with the company. The group then used the new hire's personal information to impersonate the employee and undergo several initial steps in the employee onboarding process.
“It is important that organizations take a closer look at their workflows to ensure they are granting access to the correct person.”
Morris said that the explosion of remote work - which has in large part translated to the hiring process being virtual - means that organizations need to take extra steps to verify that candidates are who they say they are, but also carefully examine how they assign corporate identities with certain accesses and how credentials (like passwords, tokens or passkeys) are granted. Overall, businesses need to remember that a new hire is moving from an untrusted person to being given a trusted corporate identity, he said.
“It is important that organizations take a closer look at their workflows to ensure they are granting access to the correct person,” he said. “There has to be integrity built into the entire hiring process: from recruiting, interviewing, pre-boarding, and onboarding to reduce and mitigate the associated onboarding risk.”
Morris said that authentication, authorization and accounting (or logging of all access) are three basic security measures for organizations across the onboarding and offboarding processes for employees, contractors and third parties.
However, overall, organizations need to understand their onboarding and offboarding processes from an end-to-end perspective before building technology or security solutions on top of them - and that type of understanding it very rare, said Patton.
“It’s very common to say ‘HR understands their process right up until the point where they hand that off to another group like IT,’” said Patton. “But you need someone who owns end to end the onboarding and end to end the offboarding process and really takes the time to understand the actions that happen in those processes but also the data flows - where does it go, where does it come from, how do you keep it, how do you delete it - all of that needs to be taken in account and owned by one functional area within an organization.”