As the holiday season ramps up, many retailers are unaware that one of the industry’s standard practices could put them at risk of a breach: hiring seasonal workers. Last year, retailers hired more than 757,000 temporary employees to keep up with the busy shopping season. And while it may seem like only good can come from the extra help, security incidents prove otherwise. For example, Nordstrom suffered a data breach at the hands of a contract worker who accessed and improperly handled personal information, leading to a leak of Social Security numbers, checking account numbers and more.
The reality is that if an organization isn't managing temporary workers' access to its systems and data from their first workday to their last, these employees increase the organization’s risk of a security incident.
Why Do Seasonal Workers Pose Such a High Risk?
Large retailers have hundreds if not thousands of user accounts with varying levels of privilege, i.e., the access rights an account holds across systems and data. Many organizations struggle to properly manage that access across their user base, including seasonal workers. In fact, only 15 percent of organizations say they are confident in their access control program.
Unfortunately, it’s an all-too-common mistake for retailers to overgrant access rights to a temporary employee and fail to manage that access over the user’s life cycle. For example, if a bad actor gains access to a temporary user account that has unlimited privilege within a network, they can gain access to virtually any system and cause widespread damage.
Additionally, if user access isn't revoked immediately when the employee parts ways with the company, that poses an equally significant cyber risk. Without governance over these accounts, temporary workers are free to roam the company’s most sensitive systems, take data with them, and even access those systems and data after they’ve left.
Luckily there are some tried-and-true security practices retailers can employ to reduce their seasonal employee cyber risk:
- Always apply the principle of least privilege. One of the main controls retailers should have in place is the principle of least privilege. For retailers, following this rule is not only essential but relatively simple, because most seasonal workers don’t require much privilege: a seasonal cashier needs the point-of-sale application and the store network, not the customer database or an administrative group. By granting employees the minimum access they need to do their jobs, retailers can minimize the risk of a temporary employee tampering with information they shouldn’t have had in the first place.
- Provide security awareness training. To make seasonal hires more accountable for their actions, seasonal employees should go through security awareness training. Security training can help reduce the chance of human error by educating seasonal employees on company security policies, insider threat risks, tell-tale signs of common hacker techniques targeting retailers during the holiday season, and more.
- Provision and *immediately* de-provision user accounts. Properly provisioning new users with the access they need is important to ensure fast productivity; however, it’s just as important for retailers to de-provision – i.e., revoke access for – an employee immediately after they've ceased employment. Because a seasonal contract has a known end date, that date should be set as the account's expiration at provisioning time rather than left to a manual ticket at the end of the season, and the directory should be reconciled against the HR roster so that accounts with no current HR record are caught. IT administrators who neglect to de-provision a user after they've left the organization leave the account open both for criminals to target and for the former employee to keep using.
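The three practices above come together in a reconciliation job that an identity team would run daily during the season: compare the directory export against the HR roster, flag accounts that are over-granted for their role, still enabled after the contract end date, enabled before the start date, or not on the roster at all, and produce the corrected state. The following is an added example written for this article, not code from the original page or from One Identity; the role catalogue, the HR roster and the directory export are constructed sample data, and the group names are hypothetical.

```python
"""Reconcile seasonal-worker accounts against the HR roster.

Constructed example: the role catalogue, HR records and directory export
below are made up for illustration and stand in for an HR feed and an
LDAP/AD export.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical role catalogue: the minimum entitlements each seasonal job needs.
# Any group on a seasonal account outside its role's set is over-granted.
ROLE_ENTITLEMENTS = {
    "seasonal_cashier": frozenset({"pos_terminal", "store_wifi"}),
    "seasonal_stockroom": frozenset({"inventory_scanner", "store_wifi"}),
}


@dataclass(frozen=True)
class HrRecord:
    """One row of the HR roster: who was hired, for which role, and for how long."""
    user_id: str
    role: str
    start: date
    end: date


@dataclass
class DirectoryAccount:
    """One account from the directory export."""
    user_id: str
    enabled: bool
    groups: frozenset


def minimum_groups(record: HrRecord) -> frozenset:
    """Least privilege at provisioning time: only the role's entitlements.
    An unknown role gets nothing rather than a default bundle."""
    return ROLE_ENTITLEMENTS.get(record.role, frozenset())


def reconcile(hr_roster, directory, today):
    """Return (user_id, kind, detail) findings. kinds: orphan, expired,
    premature, overgranted. Disabled orphans are ignored; they are already safe."""
    hr_by_id = {r.user_id: r for r in hr_roster}
    findings = []
    for acct in directory:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            if acct.enabled:
                findings.append((acct.user_id, "orphan", "enabled account with no HR record"))
            continue
        if acct.enabled and today > rec.end:
            findings.append((acct.user_id, "expired",
                             f"contract ended {rec.end.isoformat()} but account is still enabled"))
        elif acct.enabled and today < rec.start:
            findings.append((acct.user_id, "premature",
                             f"enabled before start date {rec.start.isoformat()}"))
        excess = acct.groups - minimum_groups(rec)
        if excess:
            findings.append((acct.user_id, "overgranted",
                             "groups beyond role: " + ", ".join(sorted(excess))))
    return findings


def remediate(hr_roster, directory, today):
    """Return the corrected directory state: orphans disabled, accounts enabled
    only inside their contract window, and groups cut back to the role minimum."""
    hr_by_id = {r.user_id: r for r in hr_roster}
    fixed = []
    for acct in directory:
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            fixed.append(DirectoryAccount(acct.user_id, False, acct.groups))
            continue
        in_window = rec.start <= today <= rec.end
        fixed.append(DirectoryAccount(acct.user_id, acct.enabled and in_window,
                                      acct.groups & minimum_groups(rec)))
    return fixed


# Constructed sample data: a day in early January, just after the season.
TODAY = date(2019, 1, 3)
SAMPLE_HR = [
    HrRecord("s1001", "seasonal_cashier", date(2018, 11, 15), date(2018, 12, 31)),
    HrRecord("s1002", "seasonal_stockroom", date(2018, 11, 15), date(2019, 1, 15)),
    HrRecord("s1003", "seasonal_cashier", date(2019, 1, 7), date(2019, 1, 31)),
]
SAMPLE_DIRECTORY = [
    DirectoryAccount("s1001", True, frozenset({"pos_terminal", "store_wifi"})),
    DirectoryAccount("s1002", True, frozenset({"inventory_scanner", "store_wifi", "domain_admins"})),
    DirectoryAccount("s1003", True, frozenset({"pos_terminal", "store_wifi"})),
    DirectoryAccount("s1004", True, frozenset({"store_wifi"})),   # not on the roster
    DirectoryAccount("s1005", False, frozenset()),                # already disabled
]

if __name__ == "__main__":
    for user_id, kind, detail in reconcile(SAMPLE_HR, SAMPLE_DIRECTORY, TODAY):
        print(f"{user_id}: {kind}: {detail}")
```

Run against the sample data, the job flags s1001 as expired, s1002 as over-granted (domain_admins), s1003 as enabled before its start date, and s1004 as an orphan; the remediated state disables the first, third and fourth and strips the extra group from the second. In production the remediation step would be applied through the directory's own API and the findings fed to the SOC, since an orphan that someone is actively using is an incident, not a hygiene item.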
By properly managing and monitoring the full user life cycle of seasonal employees, retailers can better position themselves to avoid a breach that could hinder their company's success during the most critical shopping season of the year.
Todd Peterson is security evangelist at One Identity, where he manages product marketing for the company's family of identity and access management (IAM) solutions.
Todd Peterson manages product marketing for the One Identity family of identity and access management (IAM) solutions. With more than 17 years of experience in security software, Todd has deep expertise developing go-to-market messages for security-, IAM- and compliance-related topics, including his authorship of numerous white papers, tech briefs and articles. Within One Identity and among customers, Todd is the “face of IAM” and is highly regarded for both his thought leadership and his ability to make complex technical topics easy to understand for sales teams and prospective clients.