Tech tips to manage temp workers
Courion provides “five golden rules” for reducing security risk posed by temporary Christmas workers
Access governance, provisioning, and compliance expert, Courion Corporation has released its “five golden rules” for enterprises to reduce the security risk posed by temporary workers hired during the Christmas holiday season.
Inadequate access controls for seasonal employees can lead to significant financial and brand damage for organisations and their customers, as was seen in the recent case of the temporary AT&T worker who stole the social security numbers of 2,100 co-workers and took out loans totalling more than $70,000 (£43,178) in their names or the Bank of New York temp that siphoned $1 million (£617,000) from customers by setting up “dummy” bank accounts.
Staff attrition puts spotlight on IT
A CareerBuilder survey found that nearly one in five companies plan to hire temporary employees in the fourth quarter (Q4) of 2009 to meet the Christmas rush, and 25% of these employers will add more than 50 workers. Additionally, FedEx and UPS announced they will hire 64,000 temporary employees to meet increased shipping needs this Christmas. As companies take on these additional temporary workers, it is imperative that they apply and enforce stringent Access Assurance policies across all three phases of the employment period – time of hire, duration of employment, and contract completion – to help ensure protection of confidential company and customer information.
Ironically, many enterprises do not have dedicated security policies and controls for temporary workers, due to IT staff capacity limitations or the misguided belief that short-term workers “don’t have enough time” to be dangerous. Courion recommends that enterprises address this gaping hole in their security armour by adopting its “Five Golden Rules” for Access Assurance, which include:
1. Clearly defining temporary roles – at the time of hire, it’s important to immediately define access for temporary employees to company resources based on each worker’s specific job function. This is an efficient and secure way to enable (and later easily disable) access for temporary workers, particularly for organisations hiring in large numbers.
2. Differentiating between roles of full time and seasonal employees – whether or not role-based access is being used, temporary employees should only have access to those systems that are required to perform their job function. Supplying blanket access based on full time employees’ roles can introduce unnecessary risk.
3. Employing a combination of detective and preventive controls – detective controls like identity management and access provisioning provide a clear access profile that defines who has access to what. This should be combined with preventive controls such as data loss prevention (DLP) and security information and event management (SIEM) solutions to protect critical data stores and verify that workers’ activity aligns with their job function and standard employee activities. Accessing systems and data remotely or at unusual hours could signal suspicious intent.
4. Disabling access immediately once an employee leaves – ensure that employees are immediately de-provisioned when the employment period ends, leaving no gap between their official departure and the time when access is shut off. This prevents vulnerabilities due to “zombie” accounts – those that remain active and accessible to former employees.
5. Disabling all access inside and outside the organisation – shutting off network access is not enough when disabling departing employee access. The growing number of applications hosted in the cloud requires the IT manager to disable access to accounts at each system level, both on the network and in the cloud.
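As an added illustration of rules 1 to 4 (example code written for this page, not Courion's own product or code), the following Python audit reconciles an HR roster of temporary workers against the accounts that are still enabled on each system and against logon events a SIEM might supply. The roster, role entitlements, account export and logon events are constructed sample data.

```python
from datetime import date, datetime, time

# Constructed sample data (hypothetical; not taken from the article).
HR_ROSTER = {  # temp worker -> role and contract end date
    "tmp-alice": {"role": "warehouse-picker", "end": date(2009, 12, 24)},
    "tmp-bob": {"role": "call-centre", "end": date(2010, 1, 5)},
    "tmp-carol": {"role": "warehouse-picker", "end": date(2009, 12, 20)},
}
ROLE_ENTITLEMENTS = {  # rules 1 and 2: each temp role maps to a minimal system set
    "warehouse-picker": {"wms"},
    "call-centre": {"crm", "ticketing"},
}
ENABLED_ACCOUNTS = [  # (user, system) as exported from each system, on-network or cloud
    ("tmp-alice", "wms"),
    ("tmp-bob", "crm"),
    ("tmp-bob", "payroll"),   # blanket access outside the role
    ("tmp-carol", "wms"),     # contract ended but still enabled: zombie account
    ("tmp-dave", "vpn"),      # no HR record at all: orphan account
]
LOGONS = [  # (user, timestamp, source) as a SIEM might supply them
    ("tmp-alice", datetime(2009, 12, 22, 23, 45), "onsite"),
    ("tmp-bob", datetime(2009, 12, 22, 9, 0), "remote"),
]

def audit_accounts(roster, entitlements, accounts, today):
    """Rules 1, 2 and 4: flag enabled accounts that do not match HR's view."""
    findings = []
    for user, system in accounts:
        rec = roster.get(user)
        if rec is None:
            findings.append((user, system, "orphan: no HR record"))
        elif today > rec["end"]:
            findings.append((user, system, "zombie: contract ended"))
        elif system not in entitlements[rec["role"]]:
            findings.append((user, system, "excess: system outside role"))
    return findings

def flag_unusual_logons(events, start=time(6, 0), end=time(22, 0)):
    """Rule 3: remote or out-of-hours logons deserve a closer look."""
    flagged = []
    for user, ts, source in events:
        reasons = []
        if source != "onsite":
            reasons.append("remote access")
        if not start <= ts.time() < end:
            reasons.append("outside working hours")
        if reasons:
            flagged.append((user, ts.isoformat(), "; ".join(reasons)))
    return flagged
```

Run the audit daily against fresh exports from every system, including cloud-hosted ones, so a zombie or orphan account is caught the day it appears rather than at the next quarterly review.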