A recent Kaspersky study on the behavior of small and medium businesses during crises shows staff reductions may cause additional cybersecurity risks. Yet only 51% of organizations’ leaders are confident that their ex-employees don’t have access to company data stored in cloud services, and just 53% are sure that former workers can’t use corporate accounts.
While according to studies team retention was the top priority for almost half of organizations throughout the pandemic, many businesses still might have to resort to job cuts in order to reduce costs during hard times. Kaspersky surveyed more than 1.300 business leaders in small and medium-sized organizations to learn what tactics they chose to keep their business afloat, and what cybersecurity risks anti-crisis measures could bring.
Given that almost half of the respondents couldn’t confidently claim that their ex-employees didn’t have access to their company’s digital assets, reductions in staffing may put the safety of data and company livelihood at additional risk.
Ex-employees’ misuse of data in new jobs or to drum up business for themselves were major concerns for bosses. The survey results suggest that most business leaders are worried that former employees will share the company’s internal data with new employers (63%) or use corporate data such as previous client databases, to launch their own business (60%). Overall, 31% of respondents consider reductions in employment as a possible measure to cut costs in case of a crisis.
Other popular cost-cutting steps include a decrease in spending for advertising and promotion (36%) and vehicles (34%). Cybersecurity, on the other hand, appeared not to be an area of the business where leaders would prefer to save budget.
“Unauthorized access can become a huge problem for any business, affecting the competitiveness of a company when corporate data is transferred to a competitor, sold off, or deleted,” explains Alexey Vovk, Head of Information Security at Kaspersky.
“This problem becomes more complicated when employees actively use non-corporate or ‘shadow IT’ services which are not deployed or controlled by corporate IT departments. If the usage of these services is not managed after an employee is dismissed, there is little chance that access to information shared via these applications will be shut off for a former worker,” adds Vovk.
To make sure that uncontrolled accesses and shadow IT won’t affect your company’s efficiency and security, Kaspersky recommends the following steps:
- Keep control of the number of people with access to crucial corporate data, reducing the amount of data available to all employees. Breaches are more likely to occur in organizations where too many employees work with confidential valuable information that can be sold or somehow used.
- Set up a policy for access to corporate assets, including email boxes, shared folders, and online documents. Keep it up to date and remove access if an employee leaves the company. Use cloud access security broker software that helps manage and monitor employee activity within cloud services and enforces security policies;
- Make regular backups of essential data to ensure corporate information stays safe in case of emergency;
- Provide clear guidelines on the usage of external services and resources. Employees should know which tools they should or shouldn’t use and why. When switching to any new software for work, there should be a clear procedure of approval with IT and other responsible roles;
- Encourage employees to have strong passwords for all digital services they use and to change passwords regularly;
- Regularly remind staff about the importance of following basic cybersecurity rules relating to safe account and password management, email security, and web browsing. A comprehensive training program will allow your workers not only gain the necessary knowledge but also to apply it in practice;
- Employ dedicated cybersecurity services which provide visibility over cloud services, such as Kaspersky Endpoint Security Cloud.