The pandemic hit the U.S. economy and millions lost jobs. While infection rates for COVID-19 are declining in some places, the pandemic is ongoing, with experts warning of a second wave.
Prior to COVID-19, companies had modest levels of remote employees and policies to facilitate onboarding and offboarding. Now, if a company lays off workers, it has to track their connections to data and which devices they used to access it in order to collect devices.
Depending on the number of employees laid off, some companies are prevented from retrieving devices.
"You're highlighting a situation where the COVID[-19] scenario puts a spotlight on a problem already," Steve Stover, VP at SolarWinds, told CIO Dive. Businesses need a structured, scalable and complete offboarding process to handle recovering devices and credentials, "which many companies just don't have."
In January, the unemployment rate in the U.S. was 3.6%. By April, several months into the coronavirus pandemic, the unemployment rate reached 14.7%. Businesses, hard-hit industries including travel, entertainment and retail industries, will likely keep their workforce lean — even if that requires laying off furloughed employees.
Layoffs require coordination across business units. HR, accounting and IT systems all intersect when workers are laid off. Collaboration efforts in companies is usually done with a spreadsheet "and it doesn't work out great," especially in a predominantly remote workforce, said Stover.
What about the data trail
Physical devices are only part of the recovery process; credentials and data further complicate layoffs. Companies can cut off access to corporate networks to protect data, but it's not a foolproof practice.
"As an employee, you're in a really uncomfortable situation where, legally, you're probably bound to get that data back, which means that your personal stuff is impacted" too, Robb Reck, CISO of Ping Identity, told CIO Dive.
IT has to answer several questions when administering and recovering devices or logins:
What employees were on the system
What did the employee do
What data could employees see
What level of access did the employee have
What devices did they use to access sensitive systems
How many sets of credentials did the employee have
When a CISO has the appropriate answers to these questions, they can proceed with the offboarding process. "When I kill that access from that person's user ID and they leave the company, I don't have to worry about anything they might have downloaded to a non-company laptop," said Reck.
Single sign-on (SSO) solutions give users one username and associated password while Microsoft Active Directory (AD), for example, grants access across resources. When an employee is terminated, all the access they held goes away. For the company, access management is centrally located.
But if a company instead relies on administrator-type solutions, they're likely not using SSO. Those exceptions create greater liability because turning off credentials and the main AD won't eliminate risk.
Companies have moderate cases of extraneous login risks in places that don't use SSO. Those places need identification before an employee is terminated. "Otherwise, for months or years after an employee leaves, the company will think that they've taken them out of the system, but they really haven't," said Reck.
While SSO is convenient, privileged access management elevates restrictions on more critical systems based on individual roles. Companies with privilege access management solutions have a better chance at implementing controls, protecting data, and establishing an audit trail to monitor certain sessions, Chad Carter, VP of North American Sales at WALLIX, told CIO Dive.
Devices get a clean slate
Remote work was the norm long before COVID-19 for Reltio CISO Terence Runge and his workforce. The company already used a bring your own device policy where employees bought their computers and were reimbursed accordingly.
If an employee is terminated and decide to buy their company-owned device, Runge's team has to validate the device has been "cleaned" of company information. "We do a visual inspection. We literally gain remote access to the device and we'll review the different directories, make sure there's nothing there," he told CIO Dive. Runge's employees buys their devices when onboarded and are reimbursed.
Depending on the employee, security privileges through applications bleed into privacy protections for a company, and its customers. "Being able to control that is almost as important as being able to see it and audit it," said Carter.
Applications typically lack a granular level of control, further stressing security fixes implemented to protect against a lack of visibility.
Security teams used to monitor a few dozen applications, and software suites by vendors such as IBM and SAP enabled this kind of management. Now larger enterprises average around 700 software as a service solutions, Rob Gurzeev, former Israeli Intelligence Corps CTO and current CEO and co-founder of CyCognito, told CIO Dive. Each solution has thousands of potential users connected.
If there's a person in the finance team copying text from a SaaS application to a Trello board, "there is no security solution for these kinds of occurrences," said Gurzeev. There are costly solutions that monitor file transfer, not web browsing.
Employees reliant on CRM applications could access the app from their mobile device. "You're used to exporting data so you can take a look at it differently, [but] that's now company data on your phone," said Stover. "All of the policies in the world don't fix that problem."
Sixty-five percent of companies allow employees' personal devices to access corporate apps and systems, according to data from Bitglass. Of those companies, less than one-fifth have data loss prevention controls established.
With the exception of highly regulated fields requiring the destruction of data, existing procedures to retrieve or to not retrieve company-issued devices could remain. Government agencies in particular "never really thought this through to this extreme," said Runge.
Companies are figuring out how to automate more processes because companies that rapidly shifted to remote work had to scale firewall configurations, gateways and internal applications.
"These kinds of projects used to take like six months and now companies have to run these processes within days, because the finance team cannot access these internal finance systems," if the process is botched said Gurzeev.
Running penetration testing is an expensive quarterly or annual process, and when changes are done hastily, companies can accidentally expose critical assets. However, while not all applications are connected to a company's crown jewels, "the username and password is going to be exactly the same or more than the same in all of these applications," said Gurzeev.
Just ship it
Physical offices made retrieval painless — "hand me your badge, hand me your laptop," said Reck.
But a distributed workforce requires more communication and cooperation to recover property but, technically speaking, it's not very challenging, he said. It's a straightforward process of sending out mail-in instructions and tracking a device's return.
As long as the involved business units make it easy for former employees, or employees that need new devices sent to them.
Employees reliant on company-issued cell phones might find some reprieve, in that they can maintain their phone number. The companies that "don't bother" retrieving devices often conclude there's nothing "in the amortization of the value of it," according to Stover.
HR can enter the mix by withholding severance in exchange for company possessions. "Retrieving managed devices from a remote workforce can be convoluted," make it easy on employees by sending them a prepaid shipping label with appropriate packing materials, Anurag Kahol, CTO and co-founder of Bitglass, told CIO Dive.
While it's possible employees could withhold devices, it's atypical. Instead, IT does tend to find "dragging of the feet to the point it looks an awful lot" like they're unwilling to return a device, said Reck.
If a device breaks, leaving employees to rely on their personal computers, resource segmentation can come into play. For most employees, doing their jobs via web access is acceptable.
In other cases, some employees have to wait for a new laptop. CISOs are unlikely to establish a new development environment for developers using personal laptops, for example. That's "outside the realm of what I think is risk appropriate, at least for my company, to do," said Reck.
The cost of losing productivity while waiting on another device's shipment is worth it. Either way, if a developer moves to a new development environment, it takes time and creates more room for security errors.