EMPLOYEE ONBOARDING – LAYING THE FOUNDATION FOR A SECURE WORKFORCE
Oftentimes, a company-wide shift in policy can seem a daunting task. Many of the people we speak to discuss their desire to promote cybersecurity and to meet newly-discovered regulatory obligations. “But,” they ask, “where do I begin? My staff have been doing things the same way for 40 years. How am I supposed to change that?” We agree: turning a ship, no matter the size, takes time and planning. So, it makes sense that the place to start the turn is right at the beginning: employee onboarding.
Before taking the helm, Chief Compliance Officers should understand that the SEC is laser-focused in this area, having made “Access Rights and Controls” one of the six key areas discussed in the 2015 Cybersecurity Exam Initiative, via specific document request items and the following statement:
Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes.
We would not be surprised to eventually see specific examiner document requests and related questions like, “How do you manage access rights and personnel changes?” or “Can we see documentation of your employee onboarding, change, and termination policies?”
Your employee onboarding checklist already likely includes the standard details for an employee joining your team. You are familiar with the I9s, W4s, Payroll Forms, Emergency Contact sheets, etc. Take some time now to consider your firm’s data security and cyber security policies. To ease you into the process we’ve laid out five points that every firm should consider as it modernizes its procedures.
- Understand Data Classification & Segregation – We have written separately about data classification and segregation for cybersecurity, but your onboarding plan is where these practices really come into their own. Taking the time to segregate your data by functional groups allows you to limit access to sensitive data. By understanding your data hierarchy you can implement in your onboarding policy a simple “check-the-box” approach to data access. A new employee will typically only need access to specific data areas that are dictated by their role within the firm and the needs of their manager(s). When you segment your data, write down the functional areas on a checklist. When a new employee starts, you (or the responsible manager) can pull out the data requirements sheet and tick off the areas to which the new hire will need to have access. This is especially important in a post-breach environment: a quick review of an employee who lost their credentials, or their laptop, will turn up exactly what that employee had access to, and starting when.
Take Away: Developing a Data Segregation Plan will help secure your information. By properly tracking access to segregated areas from onboarding, your Firm will understand its risks and obligations in the event of a security failure.
- Training – Training is listed as one of the key elements in almost all of the guidance that has been released by regulators pertaining to Cybersecurity. Over and over we have heard the mantra that your data is only as secure as the person who is accessing it. Cybersecurity training from the outset is critical to maintaining information security. Your new hire should have a solid grasp of your policies and procedures with respect to cybersecurity. Training on Username and Password Security, Mobile Device Management, Loss/Theft procedures, Reporting and Escalation procedures, and any other pertinent information should be drilled into a system user from the very outset of their employment. Those individuals who have access to Personal Identifying Information (PII) of customers, or Intellectual Property, should be given additional training surrounding their responsibilities to protect such information. Most importantly, employees should be trained from the outset that they aren’t alone in the cybersecurity battle. Let them know who they can turn to if they suspect that something is amiss or if they have any questions at all regarding their role with respect to cybersecurity. Take the opportunity from the outset to inform your users of how they can help keep your firm’s information secure. An informed and aware user base may be able to spot an issue long before it percolates to the surface. Enlist your new hire’s support from the first day.
Take Away: Training your employees from the first day in essential cybersecurity expectations is the only way that you can increase your firm’s overall cybersecurity readiness posture. Training must include reporting and escalation procedures.
- Include the Tech Team – The importance of involving the right people in the process at the right time cannot be overstated. Take the time now to include members of your tech team, be they in-house or outsourced. Learn about their infrastructure and policies for bringing a new person on board. If your process today starts and ends with an email to the system administrator saying “Joe is Starting on the 19th”, it’s time to build out something a little more robust. Your IT Team can inform you of the capabilities it has with respect to information security and its task list with respect to employee onboarding. Be sure to work with your IT department to formalize their onboarding procedures and incorporate them into your onboarding workflow. Items such as Password Setting, VPN Access, Mobile Device setup, and other technical issues should all be included in a formalized manner. When a new employee starts, these steps should be followed and documented. The specific access levels granted to individuals should be recorded and secured for review in the future, if necessary. In addition, take the time now to learn your IT department’s capabilities with respect to lost devices or data shutoff. While not directly applicable to employee onboarding, having a keen understanding of the tools available within your company can make a big difference in a data security emergency.
Take Away: Your IT Team is the most tangible link to cybersecurity within your business. Take the time to get their feedback in the development of onboarding checklists.
- Periodic Review – The documentation you create surrounding your employee onboarding should have a built-in review mechanism. On an as-needed basis, typically at a role change or at least annually, we would recommend reviewing all of the onboarding documentation you created, especially with respect to data access. Employees have a habit of collecting data as their time with your company grows longer and longer. Perhaps they worked on a special project for which they needed HR access. If that project is done, the employee should no longer have access to those folders that they don’t need. Simply put: if they don’t have it, they can’t lose it. This is not an issue of trust with employees, by any means, merely one of limiting risk. Your IT staff should be able to help you by printing out an audit log of which files each individual has access to within your organization. This can be cross-referenced with the “approved list” that you developed at onboarding. In addition, this task does not need to fall to you alone. At larger firms we typically see responsibility for data ownership delegated to department heads. Review of the department’s data and access rights belongs to that data owner.
Take Away: Onboarding is the time to develop good data segregation, but that cannot be the end of it. Review the items and areas covered during onboarding on a regular basis.
- Business Continuity Issues – Ensure that, as part of your employee onboarding procedure, you consider that employee’s roles and responsibilities with respect to Business Continuity and Disaster Recovery. If necessary, be sure to amend the BCP/DR plan to include your new hire’s information and responsibilities.
Take Away: Don’t forget BCP/DR considerations in your new employee onboarding policy.
These five points alone won’t make for a robust onboarding procedure, but they may help you get started. We also caution that employee onboarding is only one piece in the HR/cybersecurity puzzle. Review, as mentioned above, is essential, and role changes that lead to data or security changes within your firm should follow a similar checklist to the one we described above. You should review your initial onboarding checklist and the permissions granted. Revoke the permissions that are no longer needed, and add the new ones in order to facilitate the transfer. Finally, the onboarding and change lists should all be reviewed when an employee leaves the firm. A separate checklist should be used that contains “shutdown procedures” to ensure that you close the doors behind the departing employee. Employee moves are always a hectic time. Lay the groundwork today with thoughtful checklists and you will lower your cybersecurity risk. Just don’t forget to run your current employees through your new checklists!
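As an added illustration, not part of the original post, the following Python script models the three checklists described above as data: the “check-the-box” approval record built at onboarding (Data Segregation), the cross-reference of IT’s access audit log against that approved list (Periodic Review), and the revoke/add and shutdown steps for role changes and departures (this closing paragraph). The data areas, role profiles, employee names, dates and the CSV layout of the audit export are all constructed assumptions; a real firm would substitute its own segregation plan and whatever export its IT team can produce.

```python
"""Access-rights reconciliation for onboarding, role change and departure.

Added example, not from the original post. All areas, roles, names and the
audit-export format are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed data-segregation plan: the functional areas on the checklist.
DATA_AREAS = {"HR", "Finance", "ClientPII", "Research", "Shared"}

# Constructed "check-the-box" sheets: the areas each role needs.
ROLE_PROFILES = {
    "analyst": {"Research", "Shared"},
    "hr_generalist": {"HR", "Shared"},
    "account_manager": {"ClientPII", "Shared"},
}


@dataclass
class Grant:
    """One approved access decision, recorded at onboarding or on change."""
    employee: str
    area: str
    granted_on: date
    approved_by: str
    reason: str


@dataclass
class ApprovalRecord:
    """The 'approved list' built from onboarding and change checklists."""
    grants: list = field(default_factory=list)

    def approved_areas(self, employee):
        return {g.area for g in self.grants if g.employee == employee}

    def employees(self):
        return {g.employee for g in self.grants}

    def add(self, employee, areas, approved_by, when, reason):
        for area in areas:
            if area not in DATA_AREAS:  # refuse areas outside the plan
                raise ValueError(f"{area!r} is not in the segregation plan")
            if area not in self.approved_areas(employee):
                self.grants.append(Grant(employee, area, when, approved_by, reason))

    def revoke(self, employee, areas):
        self.grants = [g for g in self.grants
                       if not (g.employee == employee and g.area in areas)]


def onboard(record, employee, role, manager, start):
    """Tick the boxes for a new hire from the role profile; returns the areas."""
    if role not in ROLE_PROFILES:
        raise ValueError(f"no access profile for role {role!r}")
    areas = set(ROLE_PROFILES[role])
    record.add(employee, areas, manager, start, f"onboarding as {role}")
    return areas


def change_role(record, employee, new_role, manager, when):
    """Role change: revoke what the new role does not need, add what it does."""
    if new_role not in ROLE_PROFILES:
        raise ValueError(f"no access profile for role {new_role!r}")
    current, wanted = record.approved_areas(employee), set(ROLE_PROFILES[new_role])
    to_revoke, to_add = current - wanted, wanted - current
    record.revoke(employee, to_revoke)
    record.add(employee, to_add, manager, when, f"role change to {new_role}")
    return to_revoke, to_add


def offboard(record, employee):
    """Shutdown checklist: every area the employee holds must be revoked."""
    areas = record.approved_areas(employee)
    record.revoke(employee, areas)
    return areas


def parse_audit_export(text):
    """Parse a constructed 'employee,area' CSV from IT into {employee: areas}."""
    actual = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        if line.strip():
            employee, area = (p.strip() for p in line.split(",", 1))
            actual.setdefault(employee, set()).add(area)
    return actual


def reconcile(record, actual):
    """Cross-reference actual access against the approved list.

    Returns {employee: {"excess", "missing", "no_record"}} for every employee
    with a discrepancy; "no_record" marks access with no onboarding paperwork.
    """
    findings = {}
    for employee in record.employees() | set(actual):
        approved, held = record.approved_areas(employee), actual.get(employee, set())
        excess, missing = held - approved, approved - held
        if excess or missing:
            findings[employee] = {"excess": excess, "missing": missing,
                                  "no_record": employee not in record.employees()}
    return findings


# Constructed sample audit export, as IT might hand it over for a review.
SAMPLE_AUDIT_EXPORT = """employee,area
alice,Research
alice,Shared
alice,HR
alice,Finance
bob,HR
bob,Shared
carol,Shared
"""


def build_sample_record():
    """Constructed approval record: two hires plus one special-project grant."""
    record = ApprovalRecord()
    onboard(record, "alice", "analyst", "m.chen", date(2023, 1, 9))
    onboard(record, "bob", "hr_generalist", "p.ortiz", date(2023, 3, 6))
    record.add("alice", {"HR"}, "p.ortiz", date(2023, 6, 1), "benefits project")
    return record


if __name__ == "__main__":
    rec = build_sample_record()
    for who, f in sorted(reconcile(rec, parse_audit_export(SAMPLE_AUDIT_EXPORT)).items()):
        print(who, "excess:", sorted(f["excess"]), "missing:", sorted(f["missing"]),
              "(no onboarding record)" if f["no_record"] else "")
```

Run as a script, the review flags alice’s Finance access (held but never approved) and carol’s Shared access (no onboarding record at all), while bob, whose holdings match his approved list, produces no finding. The special-project HR grant for alice is not flagged because it was approved; the periodic review is where the data owner decides whether that reason still stands, and a role change or departure then drives the revoke/add lists from the same record.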