A recent Kaspersky study on the behaviour of small and medium businesses during crises shows staff reductions may cause additional cybersecurity risks. Yet only 50% of surveyed UK organisations’ leaders are confident that their ex-employees don’t have access to company data stored in cloud services, and just 48% are sure that former workers can’t use corporate accounts.
Although team retention was the top priority for almost half of organisations throughout the pandemic, many businesses might still have to resort to job cuts in order to reduce costs during hard times. This is also reflected in Kaspersky’s latest study of more than 1,300 business leaders in small and medium-sized organisations, where 30% of British respondents consider reductions in employment as a possible measure to cut costs in case of a crisis.
Given that almost half of respondents couldn’t confidently claim that their ex-employees didn’t have access to their company’s digital assets, reductions in staffing may put the safety of data and the company’s livelihood at additional risk. Ex-employees misusing company data in their new jobs or using it to drum up business for themselves were major concerns for bosses. The survey results suggest that most business leaders are worried that former employees will share the company’s internal data with new employers (50%) or use corporate data, such as previous client databases, to launch their own business (44%).
Other popular cost-cutting steps for British SMEs include a decrease in spending for advertising and promotion (35%), reductions in employment or a hiring freeze (30%) and, more worryingly, staff training (24%). Cybersecurity, on the other hand, appears not to be an area of the business where leaders would prefer to save budget.
“Unauthorised access can become a huge problem for any business, affecting the competitiveness of a company when corporate data is transferred to a competitor, sold off, or deleted,” explains Alexey Vovk, Head of Information Security at Kaspersky. “This problem becomes more complicated when employees actively use non-corporate or ‘shadow IT’ services which are not deployed or controlled by corporate IT departments. If the usage of these services is not managed after an employee is dismissed, there is little chance that access to information shared via these applications will be shut off for a former worker.”
To make sure that uncontrolled access and shadow IT won’t affect your company’s efficiency and security, Kaspersky recommends the following steps:
- Keep control of the number of people with access to crucial corporate data, reducing the amount of data available to all employees. Breaches are more likely to occur in organisations where too many employees work with confidential, valuable information that can be sold or otherwise used;
- Set up a policy for access to corporate assets, including email boxes, shared folders, and online documents. Keep it up to date and remove access if an employee leaves the company. Use cloud access security broker software that helps manage and monitor employee activity within cloud services and enforces security policies;
- Make regular backups of essential data to ensure corporate information stays safe in case of emergency;
- Provide clear guidelines on the usage of external services and resources. Employees should know which tools they should or shouldn’t use and why. When switching to any new software for work, there should be a clear procedure of approval with IT and other responsible roles;
- Encourage employees to have strong passwords for all digital services they use and to change passwords regularly;
- Regularly remind staff about the importance of following basic cybersecurity rules relating to safe account and password management, email security, and web browsing. A comprehensive training program will allow your workers not only to gain the necessary knowledge but also to apply it in practice;
- Employ dedicated cybersecurity services which provide visibility over cloud services, such as Kaspersky Endpoint Security Cloud.