As cyberattacks have become more frequent and severe, many businesses have redoubled their security efforts, determined to reduce their exposure to risk wherever possible. However, several major vulnerabilities have gone unaddressed despite IT professionals’ repeated warnings. This disconnect between IT and management has hampered more comprehensive security efforts and effectively created cybersecurity “blind spots.” Unsurprisingly, my organization, CompTIA, found in its Practices of Security Professionals report that less than half of firms, regardless of size, are completely satisfied with their current security environment.
CIOs must lead the charge to foster better cybersecurity awareness and address deficient processes in their organization, particularly around employee deboarding. Businesses often do a good job of monitoring and controlling workers’ tech use on the job, but need to better evaluate vulnerabilities in their offboarding process with an eye toward protecting organizational data and resources.
Widespread awareness of security risks among the IT community has not yet translated into action from the C-suite, with 47 percent of professionals battling the perception that current security practices are good enough. At the same time, a third of professionals report that their organization suffers from a poor understanding of security threats. Even more alarming, 29 percent of employees have only a basic or low level of literacy with regard to IT security. Before IT experts can effectively work with HR and other department managers to create a more secure onboarding policy, they must first promote better cybersecurity literacy.
Better security hygiene begins with training, including both during onboarding and through regular mandatory follow-up sessions. Aside from the usual exhortations not to open suspicious emails and attachments, it’s important for IT departments to teach employees good computing behaviors that will both simplify the deboarding process and lay the groundwork for more informed tech use.
When workers understand the risks of carelessly sharing sensitive files outside the organization and why they shouldn’t share account passwords, your organization is less likely to suffer an accidental security breach. At the same time, this provides an opportunity for IT to educate HR about common cybersecurity risks, laying the foundation for future collaboration.
Closing loopholes and increasing oversight
Often, IT isn’t even involved in the deboarding process, except perhaps to collect an employee’s old workstation and prepare it for a new owner. CIOs should coordinate closely with HR executives and managers to embed IT within the deboarding process. It’s not enough to simply change an employee’s email and workstation passwords; even a minimally tech-savvy employee can still remotely access their computer or work email unless precautions are taken. Especially for smaller firms, it’s important to ensure IT has its own processes and policies in place. Aside from merely remaining aware of staffing changes, it’s paramount that IT considers whether employees have administrative rights, what rules around email forwarding and access on personal devices exist, and how licensed app access is controlled.
It’s important to consider ways a careless or disgruntled former employee could put the organization at risk, and mitigate these vulnerabilities through both policy and deboarding-specific changes. For instance, it may be necessary for some or even all employees to have mobile access to their work email. However, IT should then adopt a mobile device management solution that allows the department to remove access to corporate data immediately after an affected employee leaves the firm.
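The point that a password change alone does not end a leaver's access can be made concrete as a checklist evaluator. This is an added illustration, not CompTIA's code or tooling; the account record, the `example.com` mail domain and the step names are constructed assumptions.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain (constructed)

@dataclass
class LeaverAccount:
    """Snapshot of what a departing employee still holds (constructed data)."""
    username: str
    password_reset: bool = False
    sessions_revoked: bool = False        # SSO sessions / refresh tokens invalidated?
    admin_groups: list = field(default_factory=list)
    forwarding_targets: list = field(default_factory=list)   # mailbox forwarding rules
    mobile_devices: list = field(default_factory=list)       # MDM-enrolled, not yet wiped
    saas_licenses: list = field(default_factory=list)        # licensed apps still assigned

def offboarding_gaps(acct: LeaverAccount) -> list:
    """Return the revocation steps still outstanding, most urgent first.

    A password reset alone does not end access: existing sessions, mail
    forwarding to a personal address, admin group membership, enrolled
    phones and SaaS seats each survive it.
    """
    gaps = []
    if not acct.password_reset:
        gaps.append("reset password / disable account")
    if not acct.sessions_revoked:
        gaps.append("revoke active sessions and refresh tokens")
    for group in acct.admin_groups:
        gaps.append(f"remove from admin group {group}")
    for target in acct.forwarding_targets:
        domain = target.rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:          # internal forwarding is fine; external is a leak path
            gaps.append(f"delete external forwarding rule -> {target}")
    for device in acct.mobile_devices:
        gaps.append(f"MDM wipe corporate data from {device}")
    for app in acct.saas_licenses:
        gaps.append(f"revoke {app} license")
    return gaps

# Constructed example: the password was changed but nothing else was done.
LEAVER = LeaverAccount(
    username="jdoe",
    password_reset=True,
    admin_groups=["Domain Admins"],
    forwarding_targets=["jdoe@personal-mail.example", "team@example.com"],
    mobile_devices=["iphone-jdoe"],
    saas_licenses=["CRM"],
)
```

Running `offboarding_gaps(LEAVER)` lists five outstanding steps even though the password was reset, which is exactly the gap the offboarding process needs to close.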
Getting IT out of the basement
IT departments have long cultivated an insular culture, and many organizations still struggle with integrating their technology experts into the company at large. CIOs must take steps to promote coordination between IT and other departments, especially HR, in order to better protect the organization. As cybersecurity threats continue to diversify to include both internal and external sources of risk, it’s imperative for CIOs to integrate their IT departments more fully with the rest of the company.