In recent months, much has been written about the cybersecurity implications of remote work, which is at the top of most MSPs’ to-do lists this year. There is one topic, however, that hasn’t been discussed as much, but requires thoughtful consideration and planning: what to do when you suddenly lose a team member due to illness or another unforeseen circumstance.
Shutting down an employee’s electronic footprint at a company after they pass away is important, and the cybersecurity consequences can be tricky if it is not done correctly.
It’s one thing for an employee to quit or to be fired. In those instances, there is often a set process, often involving both human resources and IT, to secure the perimeter so that a vacancy isn’t a vector for hackers to launch an attack.
“Having an employee pass away can complicate matters,” said Frank Martin, a cybersecurity specialist in Denver. “Some companies have policies and procedures in place, but they aren’t always followed, and it’s just an area no one wants to talk about.”
Who wants to be in charge of shutting down the account of a beloved co-worker? Especially at a small or mid-sized company, losing a co-worker this way can be an emotionally charged issue that ripples throughout the organization.
A very real cybersecurity concern
ThreatPost recently highlighted the dangers caused by accounts held by the deceased that suddenly go dark but are not closed per protocol.
“A Nefilim ransomware attack that locked up more than 100 systems stemmed from the compromise of an unmonitored account belonging to an employee who had died three months previously, researchers said.”
In the case described, the employee’s email account was hacked and the attackers moved laterally through the company.
“When an employee passes away, people are prone to tiptoe around the cybersecurity implications,” Martin observes. He adds that if the passing was sudden, there might be a hesitancy to “touch” the person’s email account out of either sadness, respect, or simply not wanting to acknowledge what happened.
“MSPs are in an especially awkward position because sometimes the news of someone’s untimely passing isn’t passed on from their customer, and they’ll just assume an account is still operable and active,” Martin points out, and that makes the account a potential target for bad actors.
How can an MSP eliminate these vulnerabilities?
First, Martin says, securing an account begins before someone passes away.
PUT A POLICY IN PLACE – NOW: When someone leaves a company, there is a set of protocols and policies that are activated. A security perimeter is put around the person’s accounts, their email boxes are deactivated, and their digital life at the company is wound down. The best thing to do, Martin advises, is to have a policy worked out with a client ahead of time as to what should be done in the event of the passing of an employee.
“Pre-planning allows us to focus on policy and not grief. That is why people make wills, pre-pay for funerals, and the like,” Martin adds.
There should also be a set of procedures in place so that the MSP can preserve the legacy of the employee and disseminate their documents (if necessary) without compromising cybersecurity.
PREPARE AN ELECTRONIC AUDIT: An employee’s digital footprint goes beyond an email account. They may have access to a company’s social media, internal message boards, purchasing privileges, check-writing privileges, and on and on. All of these are potential points for a bad actor to exploit if left open and unguarded.
INVOLVE THE MSP: For a tight-knit office, the process of packing up an employee’s digital life can be an emotional one. An MSP can approach the job clinically following best practices and protocols. A family member may need to be contacted so that any company-owned electronic devices, keys, or proprietary paperwork can be retrieved. Some devices may have to be wiped remotely.
All of this can be difficult for former colleagues to handle, which is why an MSP is generally in a better position. But the best advice of all is to formulate a plan beforehand. Doing so will allow grieving while still protecting the company, and that may be one of the best legacies to leave.
Photo: Michal Plachy / Shutterstock