Threat Intelligence

    Does the Great Resignation Mean Resigning to Less Cybersecurity?

    The Great Resignation, a wave of high turnover among employees who prefer remote working models, creates new cybersecurity challenges for organizations mandating a return to office post-pandemic.

    by Renatta Siewert

    Key Points

    • Organizations mandating workers return to office post-pandemic can expect a “Great Resignation” from employees who prefer remote working opportunities. 
    • Organizations are particularly vulnerable to cyber threats during post-pandemic transitions and uncertainties.
    • Assume compromise is always possible and subject staff, particularly departing staff, to security audits; educational programs are paramount to increase awareness and reduce risk of phishing, impersonation, and other email-based vulnerability attacks.

    The pandemic demonstrated how organizations quickly adapted to remote working. In what the media has dubbed “the Great Resignation,” workers also quickly adapted, so much so that they see remote working as a new opportunity rather than a temporary emergency. In a recent LinkedIn poll, half of the respondents cited flexibility in work location rather than pay as the primary job consideration post-COVID-19, ahead of work-life balance, health coverage, and workforce coverage. 

    According to Mimecast Director of Labs & Threat Intelligence Francis Gaffney, “The COVID-19 pandemic provided many employees more flexibility, quality family time, and more crucially, demonstrated that the traditional office environment is not necessary for high and continued productivity.” 

    Consequently, if employers do not continue to offer remote options, workers are increasingly inclined to resign and go elsewhere. Hence, “the Great Resignation.” What are the cybersecurity implications for organizations that want workers to return to the office, even if it means higher staff turnover?

    Gaffney advises organizational leadership to acknowledge and address the new issues and challenges resulting from the pandemic and remote working that risk significant staff turnover. “‘Train people so they can leave, treat people so they don’t’ is an oft-cited maxim that holds true, and is particularly true as it applies to cybersecurity. Investing in staff invests in their loyalty to an organization and its customers,” Gaffney says.

    Treating people well is critical to maintaining a stable workforce. Post-pandemic, organizations that want workers back in the office are considering offering hybrid working arrangements to accommodate employees who wish to continue work from home two or three days and work in-office the remaining days. For certain employees with specialized skills and/or of high value to the organization, it might be preferable to offer remote working rather than risk losing them. The flip side, of course, is that offering fully remote positions to certain employees but not others could also lead to losing people who feel underappreciated or unfairly treated if they aren’t offered the same arrangements. 

    Prepare for Potential Threats of High Staff Turnover

    Organizations that believe business reasons warrant a full return to office must prepare for higher than usual staff turnover. From a cybersecurity perspective, Gaffney points out that employee departures can represent a high and prolonged threat vector if managed incorrectly. This could include the additional cost of training a replacement and accepting that there will be a period of time before the new hire gets “up to speed” with the organization’s policies, processes, and practices (i.e., networks, hardware, and bespoke software), a gap that could be exploited by a malicious threat actor.

    “Place those departing to a competitor organization on ‘gardening leave’ upon submission and acceptance of their resignation,” Gaffney advises. “This means restricting system access only to functions essential to the job function. Most importantly, remove access to sensitive information and intellectual property. This includes access to physical assets as well as network systems.”

    Organizations transitioning to a full return to office are particularly vulnerable to disgruntled employees about to leave employment who feel unfairly treated. In a phased return to office, fewer people are in the office day-to-day, meaning less supervision of people coming in and out of office spaces, particularly secure areas. During the pandemic, organizations focused on improving cybersecurity for external threats to networks and services connecting to remote workers. Frequently, this came at the expense of cybersecurity against internal threats.

    “With fewer people in the office, an office that hasn’t properly secured and regulated access to physical and network access is at greater risk of insider threats,” Gaffney says. “Disaffected employees might be tempted to retaliate against the company with a malicious attack. In some cases, a competitor offers a financial incentive to facilitate access to sensitive information. Or, and in an increasingly concerning method of attack, the insider identifies a network access vulnerability to a third-party hacker.”

    Transition Confusion Increases Vulnerabilities

    Furthermore, the transition from remote working back to the office, and particularly hybrid working arrangements, is fraught with cybersecurity vulnerabilities. “The transition can be confusing, with employees uncertain of who is in the office and who isn’t. If the company hasn’t developed a specific plan for return to the office besides ‘bring your laptop back’ by a certain date, that serves to further add to this potential confusion. Employees who are distracted are particularly vulnerable to phishing and impersonation attacks that compromise company systems.”

    Organizations need to spell out exactly what departments and personnel are back in the office and what protocols to follow to ensure network integrity. In addition, regular reminders of the potential for fake URLs and other impersonation attempts are always a good practice, though particularly so in transitioning back to in-office work. 

    Train People Even If They Leave

    Pivoting off of Gaffney’s earlier remark to “train people so they can leave,” cybersecurity awareness training is crucial, especially for organizations in transition. Keep in mind that many attacks prey upon user confusion and distractions, which increased during the pandemic and continue during post-pandemic transitions.

    Indeed, avoidable human error accounts for 90% of all cybersecurity breaches. Regardless of where employees work, and for how long employees continue to work for an organization, an effective security strategy is one that helps employees make good choices and avoid common traps that unwittingly compromise your networks and business continuity.

    Equally important, of course, are cost-effective security controls that detect attacks before they even reach your people. Combining both user education to make employees more aware and cautious of cyber threats with leading technologies and best practices to protect against compromise, Mimecast helps your organization adapt to an ever-evolving threat landscape.

    The Bottom Line

    In today’s high-threat reality, cybersecurity must be top of mind for any organization, but particularly for organizations transitioning to in-office and/or hybrid work arrangements and anticipating a Great Resignation among their workforce. Gaffney strongly urges a “zero trust” approach.

    “Assume compromise is always possible,” he says. “While most employees are responsible and professional and unlikely to act maliciously when they leave the company, they represent prime targets for malicious actors during times of transition and uncertainty. Educational programs are paramount to increase awareness and reduce risk of phishing, impersonation, and other email-based vulnerability attacks. Finally, in attempting to combat / mitigate any intrusion, the best form of cyber defense is the employment of a multi-layered, tested, and defense-in-depth model.”

     
