According to Courion, poor or inadequate access controls for seasonal employees can lead to significant financial and brand damage for organisations and their customers.
This was seen in the recent case of the temporary AT&T worker who stole the social security numbers of 2100 co-workers and took out loans totalling more than $70 000 in their names, Courion said.
In addition, a similar problem affected customers of the Bank of New York after a temporary worker siphoned off a million dollars from unsuspecting customers by setting up dummy bank accounts.
The potential problem, Courion said, is a major one, as a recent CareerBuilder survey found that nearly one in five companies plan to hire temporary employees during the current (fourth) quarter to meet the Christmas rush and provide cover. The same survey found that 25% of these employers will add more than 50 temporary workers.
Because of this, Courion said it is imperative that companies apply and enforce stringent access assurance policies across all three phases of the employment period - i.e. the time of hire, the duration of employment, and contract completion - and so help ensure the protection of confidential company and customer information.
Ironically, the security assurance company noted, many enterprises do not have dedicated security policies and controls for temporary workers, due to IT staff capacity limitations or the misguided belief that short-term workers 'don't have enough time' to be dangerous.
Against this backdrop, Courion recommends that enterprises address this gaping hole in their security armour by adopting its 'five golden rules' for access assurance:
Clearly defining temporary roles
At the time of hire, it is important to immediately define access for temporary employees to company resources based on each worker's specific job function. This is an efficient and secure way to enable - and later easily disable - access for temporary workers, particularly for organisations hiring in large numbers.
Differentiating between roles of full-time and seasonal employees
Whether or not role-based access is being used, temporary employees should only have access to those systems that are required to perform their job function. Supplying blanket access based on full-time employees' roles can introduce unnecessary risk.
Employing a combination of detective and preventive controls
Detective controls like identity management and access provisioning provide a clear access profile that defines who has access to what.
This should be combined with preventive controls such as data loss prevention and security information and event management solutions to protect critical data stores and verify that workers' activity aligns with their job function and standard employee activities. Accessing systems and data remotely or at unusual hours could signal suspicious intent.
Disabling access immediately once an employee leaves
Employers should ensure that employees are immediately de-provisioned when the employment period ends, leaving no gap between their official departure and the time when access is shut off. This prevents vulnerabilities due to 'zombie' accounts - those that remain active and accessible to former employees.
Disabling all access inside and outside the organisation
Shutting off network access is not enough when disabling departing employees' access. The growing number of applications hosted in the cloud requires the IT manager to disable access to accounts at each system level, both on the network and in the cloud.
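A reconciliation check covering rules 1, 2, 4 and 5 above (role templates per worker type, entitlements outside the template, accounts still live after the contract end date, and disabling on every system, network and cloud alike), written here as an added example rather than Courion's code or product. The role templates, system names, roster and account inventory are all constructed for illustration.

```python
from datetime import date

# Constructed role templates (an assumption, not Courion's data): the systems
# each job function may reach, kept separate for seasonal and full-time staff
# so that temporary hires never inherit the broader full-time entitlements.
ROLE_TEMPLATES = {
    ("warehouse_picker", "seasonal"): {"wms", "badge"},
    ("warehouse_picker", "full_time"): {"wms", "badge", "hr_portal", "email"},
    ("cashier", "seasonal"): {"pos", "badge"},
}

def reconcile_access(workers, accounts, today):
    """Compare the HR roster with the accounts held on every system, on the
    network and in the cloud; return (finding, worker_id, system) tuples.
    workers:  {id: {"role", "type", "end"}}, "end" = last contracted working day
    accounts: [{"system", "worker_id", "enabled"}, ...]
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled on this system; nothing to report
        worker = workers.get(acct["worker_id"])
        if worker is None:  # no roster record at all: an account nobody owns
            findings.append(("orphan", acct["worker_id"], acct["system"]))
        elif worker["end"] is not None and today > worker["end"]:
            # Contract over but access still live on this system: a zombie account.
            findings.append(("zombie", acct["worker_id"], acct["system"]))
        elif acct["system"] not in ROLE_TEMPLATES.get((worker["role"], worker["type"]), set()):
            # Entitlement outside the template for this role and worker type.
            findings.append(("over_provisioned", acct["worker_id"], acct["system"]))
    return findings

# Constructed sample roster and account inventory.
WORKERS = {
    "t1001": {"role": "warehouse_picker", "type": "seasonal", "end": date(2010, 12, 31)},
    "t1002": {"role": "cashier", "type": "seasonal", "end": date(2011, 1, 15)},
    "e0042": {"role": "warehouse_picker", "type": "full_time", "end": None},
}
ACCOUNTS = [
    {"system": "wms", "worker_id": "t1001", "enabled": True},
    {"system": "cloud_email", "worker_id": "t1001", "enabled": True},
    {"system": "pos", "worker_id": "t1002", "enabled": True},
    {"system": "hr_portal", "worker_id": "t1002", "enabled": True},
    {"system": "email", "worker_id": "e0042", "enabled": True},
    {"system": "wms", "worker_id": "x9999", "enabled": True},
]

if __name__ == "__main__":
    for finding in reconcile_access(WORKERS, ACCOUNTS, date(2011, 1, 3)):
        print(finding)
```

Run daily against the HR feed and each system's account export, the 'zombie' findings are the disable actions that rule 5 calls for, one per system rather than a single network shut-off.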