So, a member of your security team just quit… what’s next? It’s not an unlikely occurrence when the Great Resignation seems to be knocking on every industry’s front door. According to the Bureau of Labor Statistics and an article by SHRM, “An average of more than 3.95 million workers quit their jobs each month, meaning 2021 holds the highest average on record.” Within the IT industry specifically, cybersecurity professionals are resigning en masse.
Some consider this an outcome of the Great Resignation; others know it has been a long time coming. The cybersecurity skills gap continues to grow. As a result, the employees who stay are facing longer hours, more work and more burnout. An article on ZDNet chronicles the struggles the industry is facing. They write, “According to the study, which surveyed over 500 cybersecurity professionals, 57% say a shortage of cybersecurity skills has impacted the organization they work for, while just over 10% report a significant impact.”
What can a CISO do in the face of such an overwhelming industry crisis? You can’t force your employees to stay, but you can be prepared when they choose to leave. Losing a member of your team is bound to have an impact: expect it to shift the workload of your other employees, as well as your team dynamics and priorities. With cybersecurity and IT staff already stretched thin, you need to consider how to get the work done without burning out the rest of the team. You should also consider how an employee quitting affects the overall security posture of your business.
It’s nice to believe that your employees and former employees would never breach your trust or your company data, but sometimes that is not the case. A departing security team member is, almost by definition, a user with privileged access and detailed knowledge of your controls, so a change in team structure needs a plan, not an improvised scramble. The three best things you can do (aside from preparing for the possibility of resignation in the first place) are to disable, discover, and detect.
The first step when a member of your security team quits is to disable the user’s primary method of authentication, along with any MFA mechanisms and remote access. Disabling the account alone is not enough: existing sessions, Kerberos tickets and cloud refresh tokens remain valid until they expire or are explicitly revoked, so revoke active sessions and reset the password as well. Rotate the password of every built-in domain or enterprise administrator account the user knew or could have reached. If the user had access to firewalls or network devices, rotate the built-in administrative credentials on those devices too. Depending on the scope and sensitivity of the user’s role, consider adding MAC address blocks for any issued equipment until it has been returned and wiped.
To ensure that perimeter access is disabled, review VPN account lists, particularly if the user could change permissions while employed. Beyond the primary login, look for unusual accounts, especially any created in the three months before the employee left; a second account created by the departing admin is the classic way to retain access after the primary one is disabled. If a PAM mechanism logs administrative activity, review its logs for sessions that look unusual, such as bulk file transfers or changes to Active Directory permissions (Domain Admins group membership, group policy). Ensure that every account in the Enterprise Admins and Domain Admins groups is accounted for and tied to a current, authorized employee. Where possible, use tools to scan the entire environment and report on privilege entitlements in both local and domain groups. Don’t forget the accounts and permissions in external identity providers (e.g. confirm there are no anomalous users holding the Global Administrator role in Azure AD).
Monitor all privileged activity across the domain and infrastructure. Where possible, correlate that privileged access is arriving through the legitimate access control mechanisms (the PAM system, the jump host, the break-glass process) rather than directly. Look specifically for password changes on domain and enterprise administrative accounts, and for group or role changes that elevate an account’s privileges.
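The disable / discover / detect steps above can be scripted against an Active Directory domain and its Azure AD tenant. The following is an added example, not part of the original article, written in PowerShell as an offboarding runbook for a departing privileged user. It assumes the RSAT ActiveDirectory module on a domain-joined host with Domain Admin rights, an optional Microsoft Graph PowerShell SDK session (Connect-MgGraph with Directory.Read.All and User.ReadWrite.All) for the Azure AD portion, a Security log with “Audit Directory Service Changes” enabled for event 5136, and a placeholder RADIUS group named “VPN Users” that gates remote access. The account names and group names are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Added example offboarding runbook for a departing privileged user (not the article's code).
# Assumptions (labelled): RSAT ActiveDirectory module; optional Microsoft Graph session for the
# Azure AD checks; a placeholder 'VPN Users' group that controls remote access.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,    # e.g. 'jdoe'          (placeholder)
    [Parameter(Mandatory)] [string] $UserPrincipalName, # e.g. 'jdoe@corp.test' (placeholder)
    [int] $LookbackDays = 90                            # "up to three months", per the article
)

$cutoff     = (Get-Date).AddDays(-$LookbackDays)
$privGroups = 'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators'
$vpnGroup   = 'VPN Users'                               # assumed RADIUS/VPN access group

# --- 1. DISABLE: primary credential, then anything that still authenticates without it.
function Disable-DepartedUser {
    param([string] $Sam, [string] $Upn)
    Disable-ADAccount -Identity $Sam
    # Scramble the password: a disabled account that is later re-enabled by mistake
    # must not come back with a password the former employee knows.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Sam -Reset -NewPassword $newPw
    # Strip privileged and remote-access group membership so rights do not survive the account.
    foreach ($g in ($privGroups + $vpnGroup)) {
        Remove-ADGroupMember -Identity $g -Members $Sam -Confirm:$false -ErrorAction SilentlyContinue
    }
    # Cloud side (only if the Graph SDK is loaded): disable, then revoke refresh tokens,
    # because disabling alone leaves already-issued tokens usable until they expire.
    if (Get-Command Revoke-MgUserSignInSession -ErrorAction SilentlyContinue) {
        Update-MgUser -UserId $Upn -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $Upn | Out-Null
        # List registered MFA methods; each type is removed with its own Remove-MgUserAuthentication* cmdlet.
        Get-MgUserAuthenticationMethod -UserId $Upn
    }
}

# --- 2. DISCOVER: backdoor accounts and unaccounted-for privileged members.
function Find-RecentAccounts {
    param([datetime] $Since)
    # Accounts created inside the lookback window; review each against HR / ticket records.
    Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, Enabled, Description, MemberOf |
        Select-Object SamAccountName, whenCreated, Enabled, Description,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
}

function Get-PrivilegedMembers {
    param([string[]] $Groups)
    # Every (nested) member of the admin groups must map to a current, authorized employee.
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
    }
}

function Get-GlobalAdmins {
    # Azure AD Global Administrator role members (UPN is null for service principals).
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    if ($role) {
        Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    }
}

# --- 3. DETECT: privileged changes in the domain controller's Security log.
function Get-PrivilegeChangeEvents {
    param([datetime] $Since)
    # 4720 user created; 4724 password reset by another account; 4728/4732/4756 member added to a
    # global/local/universal security group; 5136 directory object modified (covers GPO edits).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4724, 4728, 4732, 4756, 5136; StartTime = $Since } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

Disable-DepartedUser -Sam $SamAccountName -Upn $UserPrincipalName
Find-RecentAccounts -Since $cutoff                | Format-Table -AutoSize
Get-PrivilegedMembers -Groups $privGroups         | Format-Table -AutoSize
if (Get-Command Get-MgDirectoryRole -ErrorAction SilentlyContinue) { Get-GlobalAdmins }
Get-PrivilegeChangeEvents -Since $cutoff          | Format-Table -AutoSize
```

Run the script from a domain controller or a host with the Security log forwarded, since Get-WinEvent reads the local log. The detect section is a point-in-time sweep; the same event IDs are what a SIEM rule should alert on continuously, filtered to the privileged groups and built-in administrator accounts named in the article.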
Having to reconfigure your security team while working through the considerations above can be extremely stressful, especially in a job that already has its own stressors. Preventive measures only go so far; you still have to monitor for security issues after an employee resigns. No matter what, do your best to stay organized and prepared. These are best practices that should be followed at all times, regardless of whether a security team member is leaving. Use disable, discover and detect as a checklist and build it into your business processes and plans.