cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Goodbye tech workers, hello cyber criminals: How the tech worker exodus is straining cyber security

As the Great Resignation reaches our shores, access control set-ups will receive significant stress testing. Jim Cook from Attivo Networks explores.

user iconJim Cook
Mon, 13 Dec 2021
Goodbye tech workers, hello cyber criminals: How the tech worker exodus is straining cyber security
expand image

Tech workers are tipped to participate in the Great Resignation in larger numbers than other industries. An October survey suggested 72 per cent of tech workers are thinking of quitting their jobs in the next year.

Many put in long hours in the first two years of the pandemic, and only now have time to pause and reconsider what they want out of work. Also, in the favour of a mass movement of tech workers is that they are in considerable demand worldwide.

Some organisations won’t have to imagine what life would be like without nearly three-quarters of their workforce. These organisations will experience it first-hand, along with the associated functional, financial and operational repercussions.


And so, in the next year or so, we’ll potentially experience a significant change in business operations.

A large staff exodus or mass shift of this type brings with it an increased level of risk for employers. In particular, on- and off-boarding processes will come under considerable strain to operate at scale.

Consider this likely scenario. A mid-sized Australian company with 700 staff has weathered the ups and downs of COVID lockdowns and is looking forward to a more predictable future. Everyone turns up to work after a decent break over summer to discover that half of their IT team wants to resign and out they walk along with half of the IT knowledge which hasn’t been properly documented. Suddenly the scramble is on to find new people, while plugging the leaking knowledge.

The new IT admin team starts. They hunt through the company SharePoint to find out what job types need access to what systems. They find a hastily written document by one of the recent leavers and implement access based on the guidelines in the document. Suddenly, the helpdesk queue starts to swell with employees complaining that they can’t access the applications they need. In an effort to work around the problem the admin team applies a very permissive policy, and the helpdesk queue empties.

Problem solved! Or is it?

Resourceful attackers will be able to exploit this sort of short-term chaos to their advantage: crafting ransomware and phishing campaigns that take advantage of internal confusion over a high number of comings-and-goings; or finding ways to exploit accounts or privileges of those that have left the organisation in order to force entry, establish persistence or escalate an attack.

Australian organisations should take this opportunity to review off-boarding and onboarding processes and the hygiene of identity stores and directory service support systems – such as Active Directory – to mitigate against the risks posed by the Great Resignation. Ensure documentation is up to date.

Remove accounts instead of disabling them

Currently, when employees leave organisations, it is common for businesses to disable their corporate accounts rather than remove them, since it does not preclude them returning in some capacity in the future. If the employee returns, the account and its privileges and system access can be reinstated quickly.

There are security risks inherent in this approach. It is common practice for an attacker to search for disabled accounts of former senior personnel, sysadmins or developers. The attacker can then re-enable the account and use the dormant privileges it contains.

For an organisation, this can be hard to detect or stop, since the attacker isn’t creating something new or using an exploit. Traditional security tools won’t typically flag the activity as suspicious unless these are specifically tuned to look for the re-enablement of disabled accounts.

A mass exodus of staff could feasibly result in many disabled accounts that contain privileges that attackers can use.

In our view, organisations should conduct searches for existing unused or orphaned accounts or groups and remove these to reduce the attack surface. Organisations should also change internal policies to delete rather than disable accounts when people leave.

Clean up privileges

When a new employee joins an organisation, they are often reassigned privileges from an existing user or co-worker. This approach is unlikely to scale and can increase risks for newly established roles during a Great Resignation event.

Organisations should take this opportunity to move to role-based access control (RBAC). Under this approach, organisations define a set of roles and assign privileges to each. Staff are then assigned to a role, which governs what they can and can’t see, access and do from an internal system perspective.

For each role, organisations should be reviewing the actual privileges assigned and making sure these are minimal and granularly defined. That is, organisations should adopt a principle of “least privilege” and apply it to almost all internal users.

The less privileges you have and individually assign, the smaller the potential for privilege abuse. As a rule of thumb, there should be no more than three to five privileged users people with individually assigned, high-level administrative privileges in any environment, even within larger organisations.

Most directories, modern applications and cloud applications support RBAC and principles of least privilege.

The methods, principles and processes of how the privileges are assigned in the enterprise on-premises and in the cloud should be reviewed and assessed for policy drift, ideally before organisations have a deluge of people coming and going.

One approach to reducing the number of existing privileges is to examine access logs for privileges that haven’t been used for a long time. There are also new and automated tools that can help find overprovisioning and identify when entitlements are not used or truly needed.

To reduce the attack surface, you will want to remove these. This is particularly useful in cloud environments where the number of entitlements is exponentially greater than what is typically seen in an on-premises environment. It is also a good practice to set up a feedback loop so if someone suddenly needs access using a disabled privilege, it can be reinstated.

Other concerns

The potential for employees to leave an organisation with data in their possession is a known problem, but when large numbers of people are coming and going, the problem of not knowing who has access to what data is amplified and the risks multiplied.

So, in addition to privileges, organisations should make sure that assets assigned to departing employees are revoked and that departure processes include asking employees to return or delete all organisational assets including copies of data.

In addition, with a lot of new employees potentially arriving, they will require some time to get comfortable in their new environment and to ramp up to full productivity. It is important that these staff undergo appropriate security onboarding and security awareness training. Organisations should also consider how they can scale these onboarding processes.

Jim Cook is the ANZ regional director at Attivo Networks.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.