“The offboarding piece is still really really problematic – and it’s not a technology issue, it’s a business process issue.”
“In verticals like retail, where you have people come and go and come back again, it doesn’t make sense from a business perspective – if you have seasonal employees – to create their access, terminate it when they go away, and then have to create it again when they come back,” said Patton. “With the gig economy, with these revolving doors of workers, there’s a business need to maintain these accounts, even if you disable the access, but you have to remember to disable the access.”
Lax offboarding policies can lead to data being maliciously or inadvertently exposed, or even to unauthorized access to physical controls. Last year, Block revealed that a former employee had used their existing access to its Cash App product to download customers’ personal information. And in 2019, Wyatt Travnichek, a former employee of a Kansas-based water facility, was able to remotely log into the plant’s computer system without authorization and tamper with its disinfectant levels. The incident occurred two months after Travnichek’s employment at the water plant had ended; the water district, however, used a shared passcode to allow remote access to the plant’s software, according to reports.
Despite these risks, offboarding involves much more than simply removing or undoing what was done to onboard an employee, said Timothy Morris, chief security advisor at Tanium. Many workers are tied to a tangle of different permission settings and access rights that are becoming harder for businesses to track. Access to shared folders, files, corporate accounts and cloud services needs to be revoked, Active Directory accounts disabled and deleted, and shared passwords reset.
“Many assume that an ID being disabled is all that’s required,” said Morris. “While that is a good start, it doesn’t mitigate or remove risks. I’ve seen [cases] where systems are integrated tightly as part of onboarding so access is granted as desired, but the lack of mature offboarding processes and integration will leave applications and systems with lingering IDs and credentials that are gold for an attacker. It is wise for organizations to hunt for stale accounts and use watch lists to monitor for any activity for IDs that should no longer be in use.”
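As an added illustration of the stale-account hunt and watch-list monitoring Morris describes, and of the seasonal-worker case in which an ID is retained but disabled, here is example code that is not from the article or from Tanium; the HR roster, the authentication log lines and the severity levels are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed HR roster: user id -> (last working day, account still enabled?)
# A last day of None means the person is a current employee.
ROSTER = {
    "jdoe":   (date(2023, 5, 1),  True),   # departed, account never disabled
    "asmith": (date(2023, 4, 15), False),  # departed and disabled
    "rlee":   (date(2023, 6, 30), False),  # seasonal worker: ID retained, disabled
    "mkhan":  (None, True),                # current employee
}

# Constructed authentication log: (day, user, system, outcome)
AUTH_LOG = [
    (date(2023, 5, 20), "jdoe",   "fileshare", "success"),
    (date(2023, 5, 21), "asmith", "vpn",       "failure"),
    (date(2023, 5, 22), "mkhan",  "vpn",       "success"),
    (date(2023, 7, 3),  "rlee",   "erp",       "success"),
]

AS_OF = date(2023, 7, 10)  # the day the hunt is run (constructed)

def stale_accounts(roster, today, grace_days=1):
    """Departed users whose account is still enabled past the grace period."""
    cutoff = today - timedelta(days=grace_days)
    return sorted(user for user, (last_day, enabled) in roster.items()
                  if last_day is not None and enabled and last_day <= cutoff)

def watch_list_hits(roster, log):
    """Any authentication activity by a departed ID after its last working day.

    A failure is worth seeing (someone is trying a retired ID); a success on
    an ID that is supposedly disabled is the worst case, since it means the
    disable did not take effect or a shared credential bypasses it.
    """
    hits = []
    for day, user, system, outcome in log:
        last_day, enabled = roster.get(user, (None, True))
        if last_day is None or day <= last_day:
            continue  # current employee, or activity before departure
        if outcome != "success":
            severity = "medium"
        elif enabled:
            severity = "high"      # stale enabled account actually used
        else:
            severity = "critical"  # disabled ID still authenticates
        hits.append((user, day.isoformat(), system, outcome, severity))
    return hits
```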
Security incidents centered on offboarding are more common, but threat actors have also exploited gaps in the onboarding process. In May, industrial control system security company Dragos disclosed an extortion attempt against the company in which the threat group began by compromising the personal email address of an incoming sales employee before the new hire started with the company. The group then used the new hire’s personal information to impersonate the employee and complete several initial steps of the employee onboarding process.