New Hire Onboarding Checklist: A CISO’s Perspective
When a new employee enters an organization, various behind-the-scenes activities must take place to ensure the new hire has an efficient onboarding experience. Many are administrative in nature and are taken care of by HR.
But then there are those related to cybersecurity—and they are far too often overlooked.
As a security leader, my job is to make sure the proper security controls are implemented before and during the onboarding process. These controls are critical to the integrity of your organization’s cybersecurity posture, and as such, they deserve priority in the IT onboarding process.
Hackers say that the fastest way to breach a company’s security controls is through an employee
Knowing what we do about cyber crime today, there should be no employee onboarding plan that does not include a pre-orientation IT onboarding checklist. This is where the IT department prepares in advance for the new employee’s introduction to the network.
This is not an exhaustive list, but you get the idea. If any of these questions are not answered during the onboarding process, improper access could be granted. It is important for Human Resources, Security, and IT to work together to create a repeatable, auditable, and automated process to ensure accuracy. If the new employee will work in a key function that requires access to sensitive or privileged accounts, it is even more vital that this process be monitored.
Identity Management and Privileged Access Management systems both offer workflows to manage the onboarding process and the life cycle of these accounts. Well-defined workflows, coupled with regular account access reviews, can help you identify, prevent and mitigate cybersecurity issues that arise from over-permissioned employees, terminated employees, and employees who have moved departments, and can also surface segregation-of-duties policy violations.
Why is this important? In 2016, the VP of Information Technology for the Alberta Motor Association defrauded the company of $8.2 million over a three-year period. He was the only individual with authority to approve payments, so he would submit fraudulent invoices and then approve them. That is a segregation-of-duties violation, and it should have been caught by an access review. This is just one example of how improper onboarding can cost a company millions.
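An access review can flag the two conditions the AMA case illustrates: one person holding both the submit and the approve entitlement, and an approval right held by a single person with no second reviewer. The check below is an added example and not the article's own code; the users, entitlement names and conflict pairs are constructed sample data, not a real IAM export.

```python
"""Segregation-of-duties (SoD) check over access-review data.

Added example; the users, entitlements and policy below are constructed,
not taken from any real organization.
"""
from collections import defaultdict

# Constructed: entitlements held by each user, as an access-review export would list them.
USER_ROLES = {
    "alice": {"ap.invoice.submit", "ap.invoice.approve"},   # submits and approves: conflict
    "bob":   {"ap.invoice.submit"},
    "carol": {"ap.invoice.approve"},
    "dave":  {"hr.payroll.edit", "hr.payroll.approve"},     # edits and approves: conflict
}

# Constructed SoD policy: pairs of entitlements no single person may hold together.
SOD_CONFLICTS = {
    frozenset({"ap.invoice.submit", "ap.invoice.approve"}),
    frozenset({"hr.payroll.edit", "hr.payroll.approve"}),
}


def sod_violations(user_roles, conflicts):
    """Return {user: [(entitlement_a, entitlement_b), ...]} for every user who
    holds both sides of a conflicting pair."""
    findings = {}
    for user, roles in user_roles.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= roles]
        if hits:
            findings[user] = sorted(hits)
    return findings


def sole_holders(user_roles, entitlements):
    """Return {entitlement: user} for entitlements held by exactly one person.
    A lone approver means no independent second check exists for that step."""
    holders = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            holders[role].add(user)
    return {e: next(iter(holders[e])) for e in entitlements if len(holders[e]) == 1}


if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES, SOD_CONFLICTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    for ent, user in sole_holders(USER_ROLES, ["ap.invoice.approve", "hr.payroll.approve"]).items():
        print(f"Single approver: {ent} is held only by {user}")
```

Run this against each periodic access-review export; any non-empty result is a ticket for the owning manager, and the terminated-employee and department-move cases from the paragraph above are caught by the same review when the export still lists their entitlements.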
Let orientation begin—securely
99% of cyber criminals say tactics like phishing are still effective
With the pre-orientation IT onboarding checklist taken care of, orientation can begin. Depending on your organization the current process may take hours or days. My recommendation would be to allocate at least a day to the process because a robust employee-onboarding program must include a well-delivered Cybersecurity Awareness Training Program.
One thing new employees may bring into your organization is poor cybersecurity habits. Your training program should not be “Death by PowerPoint”; it should be engaging, informative, and ongoing.
50% of employees haven’t changed their social network passwords for a year or more
The failure statistics around employee cyber hygiene are unnerving. Cybersecurity awareness training for employees is critical, and it must start on their first day in the workplace. Orientation not only provides the new hire with an opportunity to familiarize themselves with your network and cybersecurity best practices, but it also affords you a chance to assess them as a cybersecurity risk. Cyber criminals target everyone from an intern to a CEO with equal success. So cybersecurity is everybody’s responsibility, and this point should be emphasized on day one.