Businesses with a high volume of employee turnover need an efficient onboarding and offboarding system to handle the legal requirements of the process, and this can be one of the biggest challenges for a large business. For this reason, industries like hotels, insurance companies, and convenience stores, which handle more staff changes, can rush or overlook the security aspects of the turnover process.

In our research on this topic, we found several guides on the matter, including those by CSO and Total Networks. However, most of them focus on Human Resources (HR) procedures and ignore a lot of Information Technology (IT) security measures. For this reason, we brainstormed our own ideas to create an extensive summary of best security practices in the context of employee turnover. This blog post will focus on IT management along with some aspects of the HR department. It is primarily intended for, but not limited to, high-turnover businesses where employees authenticate to on-premises devices through some company software. The hotel industry fits these criteria well and will be our setting as we walk through security practices in a real-life context.

Managing Devices

The first step for securing a high-turnover business is to keep track of its devices by implementing a system that reduces the likelihood that they are lost, stolen, or tampered with.

1. Exclusively use on-premises devices. This means employees should have no work laptops or mobile devices, no BYOD (Bring Your Own Device), and no ability to work from home. This reduces the probability of employees installing malicious software, scripts, and/or backdoors on unmonitored devices that they then bring onto the company network. It also removes the need for remote access to on-premises devices.

2. Disallow any remote access. Remote access software, such as TeamViewer, would allow an employee to log into an on-premises device remotely. This is dangerous not only because it opens the device up to any remote attacker, but also because it gives malicious employees the opportunity to control devices from anywhere. For example, a disgruntled employee could subtly install TeamViewer or similar software onto one of the front desk computers at a hotel concierge, and then access the computer remotely and cause damage even after leaving the company.

3. Harden on-premises devices. All on-premises devices, such as PMS (property management systems), POS (point of sale) systems, manager terminals, etc., should be hardened as thoroughly as possible. This involves general computer hardening steps, e.g., Windows Group Policy, and consistent security updates. It does not, however, replace recurring security audits by the company or a third-party specialist, which we strongly recommend to any business.

4. Maintain authentication devices. The company should retrieve all of an employee’s keys, keycards, key fobs, etc., upon the employee leaving the company, regardless of whether the employee was terminated or resigned. This should also include any 2FA (two-factor authentication) devices as a defense-in-depth practice.

Managing Accounts and Credentials

Mismanagement of accounts and credentials is one of the most common ways an attacker can infiltrate a system. Large companies with high turnover, especially, need a clearly defined and secure protocol for handling credentials during the turnover process.

1. Implement least privilege. Least privilege means employees should have only the access to devices and software that they need to do their job. This principle becomes increasingly difficult to apply with a larger number of employees, but it can make or break a business depending on how it’s implemented.

1.1. Ensure employees have correct permissions. In the context of a hotel, employees should only be able to access the computers, interfaces, and files that pertain to their particular job function. For example, a front desk employee should not be able to use his or her credentials to log into the manager’s computer.

1.2. Restrict removable media. If the industry does not require removable media, restricting it is a good idea to prevent malicious actors from introducing dangerous data onto company computers or exfiltrating data. Assuming hotel computers have the usual drives and ports, this involves disabling DVD+RW drives and USB ports (some companies even physically obstruct their devices’ USB ports with port locks or epoxy). This effectively reduces the attack surface of the system without introducing any new features.

2. Do not share credentials between users. Sharing credentials between employees may seem advantageous because it reduces the amount of account information a business needs to manage; however, in a high-turnover environment, it will create more problems than it avoids. For example, if hotel front desk workers all use a set of credentials dedicated to each terminal, the separation of one worker from the company requires resetting every terminal’s credentials. This creates issues either way, depending on the hotel’s turnover procedure. If there is a delay between when an employee leaves and when the credentials are reset, the ex-employee retains access to the system for some time. On the other hand, if credentials are reset as soon as an employee leaves, but there is a delay until new credentials are set, then the other employees won’t be able to access the computers for some time.

Another consideration is non-repudiation (the assurance that a user cannot deny having performed an action). If an employee commits a malicious act on a company computer, it will be much harder to identify that employee if everyone shares common user accounts.

2.1. Implement single sign-on. Single sign-on assigns each user a unique set of credentials to access all the applications in a system. This is an effective technique in a high-turnover environment because management can simply deactivate a specific employee’s account when that employee leaves the company, leaving the other employees’ credentials untouched.

2.2. Secure software licenses. Large businesses with high turnover should take precautions when distributing license keys, because employees may copy them down and keep them. Malicious use of a license key could include leaking it publicly, distributing it to a competitor, or using it personally. A site license backed by a license server may work better in these environments because it can eliminate individual license keys altogether.

3. Deactivate emails and other accounts. This is an obvious recommendation, but it is easy to concentrate on high-profile accounts (e.g., property management systems) while overlooking smaller ones. Companies with high turnover, especially, should have a sound protocol for deactivating all of an ex-employee’s accounts promptly after separation. As discussed above in section 2.1, single sign-on offers a better way to handle this problem.

4. Terminate any existing sessions. This follows the idea that you can lock someone out, but only once they are actually outside. Depending on how sessions are handled on company computers, an employee’s session may be preserved even after separation, which increases the possibility of a malicious ex-employee reusing a session. One example is stateless web session management such as JSON Web Tokens (JWTs), where administrators can lock out an account but do not necessarily have a way to “log out” a user. This means simply changing a past employee’s credentials would not be sufficient, and the account may remain accessible until the session expires. Note that this problem is amplified if user credentials are shared.
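As an added illustration that is not part of the original post, the Python below shows the JWT failure mode just described and one common mitigation: the validator keeps a per-user “sessions invalidated at” timestamp and rejects any token whose iat claim is at or before it, so offboarding can end live sessions without moving to fully stateful sessions. The signing key, user names and timestamps are constructed for the example; the hypothetical validate_stateless and validate_with_cutoff functions stand in for a web application’s token check.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-signing-key"  # constructed; load from a secret store in practice
# Per-user cutoff set at offboarding: the one piece of server-side state that lets
# an administrator end sessions the tokens themselves cannot end.  {user: unix time}
SESSIONS_INVALIDATED_AT = {}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, now: int, ttl: int = 8 * 3600) -> str:
    """Create a minimal HS256 JWT carrying sub, iat and exp claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_stateless(token: str, now: int):
    """Naive check (signature and exp only): offboarding has no effect on it.
    Returns the claims dict, or None if the token is invalid or expired."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    return None if claims.get("exp", 0) <= now else claims

def validate_with_cutoff(token: str, now: int):
    """Hardened check: also reject tokens issued at or before the user's cutoff."""
    claims = validate_stateless(token, now)
    if claims is None:
        return None
    if claims.get("iat", 0) <= SESSIONS_INVALIDATED_AT.get(claims.get("sub"), -1):
        return None
    return claims

def offboard_user(user: str, now: int) -> None:
    """Record the separation time; every token issued up to then becomes invalid."""
    SESSIONS_INVALIDATED_AT[user] = now
```

With shared terminal credentials the cutoff would also lock out every remaining employee using that account, which is the amplification the paragraph above refers to.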