Often, when a dealership employee resigns or is terminated, the process of off-boarding the employee is left to someone in human resources and/or the employee’s manager. Unfortunately, in many instances, coordination with the IT team is not a priority. Not coordinating the off-boarding of an employee with the IT team opens your dealership to a potential security incident.
When Helion takes on a new client, we generally find that the dealership has active user accounts for people who no longer work for the dealership. This means that the ex-employee still has access to the dealership’s network, systems, and data. This also means – from a security threat standpoint – that the ex-employee is still an “insider.”
According to the 2020 Verizon Data Breach Investigations Report, three of the top five causes of security breaches were related to an insider threat. A recent Insider Threat Report found that 68% of survey respondents said that insider attacks are becoming more frequent. Having ex-employees with insider privileges increases an organization’s attack surface and must be avoided. To mitigate the threat of an insider attack, it is essential that IT play an integral role when off-boarding an employee.
In addition to the security hazards that an ex-employee can present to your dealership, it is also possible that a current employee may not have your dealership’s best interests in mind. The current cybersecurity thinking is that the safest approach to dealing with insider threats is to assume a zero-trust posture and take proactive measures to protect your business.
There are two essential best practices to have in place to mitigate, prevent and protect against insider threats. These best practices apply to both current employees and former employees who may still have access to your dealership’s network.
Access Control – Implement directory service technology such as Microsoft Active Directory. This technology enables IT administrators to manage permissions and control access to network resources. Active Directory is an indispensable mechanism for determining which network resources a user can access. Use of Active Directory makes it possible to automate the process of restricting user access to all of your dealership’s network resources when off-boarding an employee.
Continuous Monitoring – Using technology like SIEM, you can continuously collect data from a variety of sources and scan for suspicious activity that may indicate a potential cybersecurity incident in the making. This includes things like user logins from ex-employees or seemingly unrelated events such as the insertion of a USB thumb drive, use of personal email services and excessive printing. These are all indications of a possible data exfiltration threat.
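The two practices above can be checked together by reconciling HR's off-boarding list against a directory export and the authentication log. The following is an added example, not part of the original article; the usernames, dates, log format and function names are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the original article).
# HR off-boarding list: username -> date/time employment ended.
TERMINATED = {
    "jsmith": datetime(2024, 3, 1, 17, 0),
    "mlopez": datetime(2024, 3, 8, 12, 0),
}
# Directory export: (username, account_enabled)
DIRECTORY = [("jsmith", True), ("mlopez", False), ("akhan", True)]
# Authentication events as a SIEM might receive them (hypothetical format).
AUTH_LOG = """\
2024-03-01T09:02:11 LOGIN_SUCCESS user=jsmith src=10.0.4.21
2024-03-04T22:47:03 LOGIN_SUCCESS user=JSmith src=203.0.113.50
2024-03-05T08:01:40 LOGIN_SUCCESS user=akhan src=10.0.4.33
2024-03-09T07:15:00 LOGIN_FAILURE user=mlopez src=10.0.4.18
malformed line without fields
"""

def stale_accounts(directory, terminated):
    """Enabled accounts that belong to people HR lists as off-boarded."""
    return sorted(u for u, enabled in directory if enabled and u.lower() in terminated)

def parse_event(line):
    """Return (timestamp, outcome, user) or None for unparseable lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return (ts, parts[1], fields["user"].lower()) if "user" in fields else None

def post_termination_logins(log_text, terminated):
    """Any login attempt (success or failure) after the user's termination time."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        ts, outcome, user = event
        if user in terminated and ts > terminated[user]:
            alerts.append((user, ts.isoformat(), outcome))
    return alerts

if __name__ == "__main__":
    print(stale_accounts(DIRECTORY, TERMINATED), post_termination_logins(AUTH_LOG, TERMINATED))
```

Failed attempts are flagged as well as successes, since a disabled account that is still being tried is worth a follow-up even though access was denied.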
Protecting your dealership from an insider threat requires that IT play a primary role in off-boarding an employee so that access to the dealership’s network, software, and data is promptly halted. Additionally, assuming a zero-trust approach to cyber-defense, implementing access control technology like Microsoft’s Active Directory and continuously monitoring user network activity will mitigate the risk of falling victim to an insider with malicious intent.