As we approach the busiest shopping months of the year, many retailers will look to hire additional staff on short-term contracts to meet the anticipated customer demand. In fact, a cursory search on one of the UK’s top job sites, indeed.co.uk, shows no fewer than 5,000 “Christmas” jobs advertised in London alone.
This is pretty standard practice around the holiday season, but while the extra help is much needed, retailers may also open themselves up to data loss or leakage if they don’t put proper procedures in place.
Security incidents are becoming more frequent, with the British Retail Consortium citing that nearly 80% of UK retailers had seen a jump in cyber attacks since 2018. It would be naïve for companies to think that this holiday shopping period will remain incident-free.
The reality is that if a business isn’t managing temporary workers’ access rights to its systems and data from their first day on the premises to the last time they step out the door, then these employees can significantly increase the risk of a security incident.
Risks posed by seasonal employees
Large retailers have hundreds, if not thousands, of user accounts on their networks with varying levels of privilege – referring to the minimum access rights required to perform a given job role. Many organisations struggle to properly manage that access across their user base, including seasonal workers. In fact, globally, only 15% of organisations are confident in their access control programmes, according to a recent study.
Unfortunately, it’s an all-too-common mistake for retailers to grant too many access rights to a temporary employee – mainly in the interest of time – and, even worse, to fail to manage that access over the user’s life cycle. For example, if a cybercriminal were to gain access to a temporary user account that has unlimited privilege within a network, they could pivot to virtually any system within the business and cause widespread damage.
Additionally, if user access isn’t revoked immediately upon the employee parting ways with the company, it can pose an equally significant cyber risk. Without proper governance over these accounts, temporary workers are free to roam the company’s most sensitive systems, take data with them, and even access those systems and data after they’ve left.
Luckily, there are some tried-and-trusted security practices retailers can adopt to reduce the risk posed by seasonal workers:
Always apply the rule of least privilege
A key process for retailers to have in place is the principle of least privilege, meaning that any given employee has access only to information that is necessary to carry out their daily jobs.
For retailers, following this rule isn’t only essential, but it’s also relatively simple because most seasonal workers typically don’t require much privilege. By granting employees the minimum access they need to do their jobs, retailers can minimise the risk of a temporary employee tampering with information they shouldn’t have had access to in the first place.
Provide security awareness training as standard
To make seasonal hires more conscious of their actions, employers should provide their temporary staff with introductory security awareness training.
Security training can help reduce the chance of human error by educating seasonal employees on company security policies, insider threat risks, tell-tale signs of common hacker techniques targeting retailers during the holiday season and more. Importantly, this can also help with accountability, so users won’t be able to play the “I didn’t know about this” card.
Immediately de-provision user accounts
Properly provisioning new users with the access they need is important to ensure fast productivity; however, it’s just as important for retailers to de-provision – i.e., revoke access for – an employee immediately after they’ve ceased employment. IT administrators who neglect to de-provision a user after they’ve left the organisation can leave the account open for criminals to target, or for the former user to continue to access.
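The least-privilege and de-provisioning practices above can be checked routinely by reconciling HR contract dates against a directory export. The following is an added example, not code from the article or from One Identity; the account names, group names, role baseline and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the article): HR contracts and a directory export.
HR_CONTRACTS = {
    "t.adams": {"role": "seasonal_cashier", "end": date(2019, 12, 31)},
    "s.khan": {"role": "seasonal_stock", "end": date(2020, 1, 5)},
    "j.lee": {"role": "seasonal_cashier", "end": date(2020, 1, 10)},
}
DIRECTORY = [
    {"user": "t.adams", "enabled": True, "groups": {"pos_till"}},
    {"user": "s.khan", "enabled": True, "groups": {"inventory_read", "domain_admins"}},
    {"user": "j.lee", "enabled": False, "groups": {"pos_till"}},
    {"user": "temp07", "enabled": True, "groups": {"pos_till"}},
]
# Hypothetical least-privilege baseline: the only groups each seasonal role needs.
ROLE_BASELINE = {
    "seasonal_cashier": {"pos_till"},
    "seasonal_stock": {"inventory_read"},
}


def audit_accounts(directory, contracts, baseline, today):
    """Return (user, finding) tuples for life-cycle and privilege issues."""
    findings = []
    for acct in directory:
        user = acct["user"]
        contract = contracts.get(user)
        if contract is None:
            # No HR record: nobody owns this account's end date.
            if acct["enabled"]:
                findings.append((user, "orphaned: enabled with no HR contract"))
            continue
        if not acct["enabled"]:
            continue  # already de-provisioned
        if contract["end"] < today:
            findings.append((user, f"not de-provisioned: contract ended {contract['end']}"))
        # Anything beyond the role baseline is privilege the job does not require.
        excess = acct["groups"] - baseline.get(contract["role"], set())
        if excess:
            findings.append((user, "excess privilege: " + ", ".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(DIRECTORY, HR_CONTRACTS, ROLE_BASELINE, date(2020, 1, 3)):
        print(f"{user}: {finding}")
```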
By properly managing and monitoring the full user life cycle of seasonal employees, retailers can better position themselves to avoid a breach that could hinder their company’s success during the most critical shopping season of the year and beyond.
Todd Peterson, security evangelist at One Identity