
Thycotic’s Cyber Security Publication

New Hire Onboarding Checklist: A CISO’s Perspective

March 12th, 2019


Your New Hire Onboarding Checklist

When a new employee enters an organization, various behind-the-scenes activities must take place to ensure the new hire has an efficient onboarding experience. Many are administrative in nature and are taken care of by HR.

But then there are those related to cyber security—and they are far too often overlooked.

As a security leader, my job is to make sure the proper security controls are implemented before and during the onboarding process. These controls are critical to the integrity of your organization’s cyber security posture, and as such they deserve priority in the IT onboarding process.

Hackers say that the fastest way to breach a company’s security controls is through an employee

Knowing what we do about cyber-crime today, there should be no employee onboarding plan that does not include a pre-orientation IT onboarding checklist. This is where the IT department prepares in advance for the new employee’s introduction to the network.

This is not an exhaustive list, but you get the idea. If any of these questions are not answered during the onboarding process, improper access could be granted. It is important for Human Resources, Security and IT to work together to create a repeatable, auditable and automated process to ensure accuracy. If the new employee will work in a key function that requires access to sensitive or privileged accounts, it is even more vital that this process be monitored.

Identity and Privileged Access Management both offer workflows to manage the onboarding process and life cycle of these accounts. Well-defined workflows coupled with regular account access reviews can help you identify, prevent and mitigate cyber security issues that arise from over-permissioned employees, terminated employees, and employees who have moved departments, and can also identify segregation-of-duty policy violations.

Why is this important? In 2016, the VP of Information Technology for the Alberta Motor Association defrauded the company of $8.2 million over a three-year period. He was the only individual with authority to approve payments, so he would submit fraudulent invoices and then approve them. That is a segregation of duty violation. This should have been caught during an access review. This is just one example of how improper onboarding can cost a company millions.
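The access review described above, as an added example (not Thycotic's code or product): a Python pass over a constructed roster that flags the three conditions the post lists, including the invoice-submit/payment-approve conflict from the Alberta Motor Association case. The entitlement names, department baselines and the conflict pair are assumed policy, not values from the article.

```python
"""Access review over a constructed user/entitlement roster.

Flags terminated users who still hold access, entitlements outside the
user's current department baseline (typical after a department move), and
segregation-of-duties (SoD) conflicts such as one person being able to
both submit an invoice and approve its payment.
"""
from dataclasses import dataclass, field

# Entitlement pairs one person must never hold together (assumed policy).
SOD_CONFLICTS = {frozenset({"ap:submit_invoice", "ap:approve_payment"})}

# Entitlements each department is allowed to hold (assumed baseline).
DEPT_BASELINE = {
    "finance": {"ap:submit_invoice", "ap:approve_payment", "erp:read"},
    "it": {"ad:admin", "erp:read"},
    "sales": {"crm:edit", "erp:read"},
}

@dataclass
class User:
    name: str
    department: str
    status: str                      # "active" or "terminated"
    entitlements: set = field(default_factory=set)

def review(users):
    """Return (user, finding) tuples for a human reviewer to act on."""
    findings = []
    for u in users:
        if u.status == "terminated" and u.entitlements:
            findings.append((u.name, "terminated user still holds access"))
            continue  # offboarding failure dominates; other checks are moot
        for conflict in SOD_CONFLICTS:
            if conflict <= u.entitlements:
                findings.append((u.name, "SoD violation: " + ", ".join(sorted(conflict))))
        stale = u.entitlements - DEPT_BASELINE.get(u.department, set())
        if stale:
            findings.append((u.name, "outside department baseline: " + ", ".join(sorted(stale))))
    return findings

# Constructed sample roster, not real data.
ROSTER = [
    User("vp_it", "it", "active", {"ad:admin", "erp:read", "ap:submit_invoice", "ap:approve_payment"}),
    User("a_smith", "finance", "active", {"ap:submit_invoice", "erp:read"}),
    User("b_jones", "sales", "active", {"crm:edit", "erp:read", "ad:admin"}),  # moved from IT, kept admin
    User("c_lee", "finance", "terminated", {"erp:read"}),
]

if __name__ == "__main__":
    for name, finding in review(ROSTER):
        print(f"{name}: {finding}")
```

In a real program the roster would come from the identity provider and the baselines from the role model; the review logic itself is the part that does not change.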

Let orientation begin—securely

99% of hackers say tactics like phishing are still effective

With the pre-orientation IT onboarding checklist taken care of, orientation can begin. Depending on your organization the current process may take hours or days. My recommendation would be to allocate at least a day to the process because a robust employee-onboarding program must include a well delivered Cyber Security Awareness Training Program.

One thing that a new employee may be bringing into your organization is poor cyber security practices. Your training program should not be “Death by PowerPoint” but should be engaging, informative and ongoing.

50% of employees haven’t changed their social network passwords for a year or more

The failure statistics around employee cyber hygiene are unnerving. Cyber security awareness training for employees is critical, and it must start on their first day in the workplace. Orientation not only provides the new hire with an opportunity to familiarize themselves with your network and cyber security best practices, it also affords you a chance to assess them as a cyber security risk. Criminal hackers target everyone from an intern to a CEO with equal success. So cyber security is everybody’s responsibility, and this point should be emphasized on day one.


Terence Jackson

With more than 17 years of public and private sector IT and Security experience, Terence is responsible for protecting the company’s information assets. In his role, he currently leads a corporate-wide information risk management program. He identifies, evaluates and reports on information security practices, controls, and risks in order to comply with regulatory requirements and to align with the risk posture of the enterprise.