New Employee Onboarding: A Hacker’s Dream
How does your organization onboard a new employee?
I’m not talking about the distribution of the corporate booklet that brags about the socially responsible stance the company takes in the community, and that includes a few photos of last year’s outdoors company potluck where bags of Cheetos found themselves outnumbered by potato salads. No, the type of onboarding I’m talking about ranges, among other key-security elements, from the verification of the new hire’s identity for USCIS compliance purposes to the new employee’s first login and corporate password reset. Are you fully aware of all the risks you’re running if this process isn’t bulletproof? And what does bulletproof really mean in this case?
Regarding employee onboarding, there is the stone age and the digital age. Let’s discard the stone age and look at how it’s handled in the digital age.
Employee Onboarding in the digital age: a true identity security nightmare
Let’s assume your organization just hired a new Marketing Manager named Damian. Your headquarters are located in Boston but because of the COVID-19 pandemic, you’ve decided to go officeless and allow employees to work from anywhere in the United States. That’s optimal for Damian who lives in Boulder, Colorado, and really didn’t want to move to the East Coast. Therefore, Damian needs to be onboarded remotely.
- Issue #1: how do you know you’re actually dealing with the real Damian?
Damian must share government-issued documents as well as his banking information with HR. Human Resources use Damian’s passport or a combination of his driver’s license and his Social Security card to fill out the mandatory USCIS Form I-9 that verifies his employment eligibility in the United States. Damian either scans and then emails the documents or faxes them directly.
- Issue #2: Damian’s identity can be stolen as it travels unencrypted over the Internet.
- Issue #3: His identity can be compromised if the fax isn’t picked up immediately by the HR rep in charge or if the document is left unattended on some desk.
The next step consists of HR creating an Active Directory entry for Damian. Once the simple process completed, Damian receives an email from his employer on his personal email account. The email includes his new corporate email address and a link to reset his password.
- Issue #4: Anyone who has already compromised Damian’s personal email account can reset his corporate password.
Damian clicks on the link to reset his password. He logs in with his corporate username and changes the password. Naturally, he needs to remember a complex password, since it’s company policy against cyber-attacks: a combination of uppercase and lowercase letters, numbers and special symbols that should be at least 12 characters long. Every sixty days, he’ll have to change it.
- Issue #5: The password is complex, so Damian writes it down on a sticky note for anyone who comes to his house to see.
- Issue #6: Damian’s password is stored in a central database that offers a single point of failure.
From the comfort of his home, Damian uses his username and complex password to access the company’s systems and applications by connecting through his home wireless network, even though he was expressly told earlier to use his employer’s VPN solution.
- Issue #7: Damian’s home network is insecure.
Last but not least, it’s now Damian’s second day on the job and he receives an email from the company’s CEO alerting him of a security breach. In the message, the CEO prompts him to click on a link that opens a secure page on the company’s Intranet, where he’s asked to enter his current username and password, before changing password. Damian instantly thinks, “Here we go, that was one sticky note for nothing!”
- Issue #8: Damian was just victim of a phishing attack. Alright, let’s admit he’s not that smart
Employee Onboarding the right way
There is indeed a right way to onboard employees, so their identity and credentials can never be compromised. Here is the process:
- Step #1: Damian receives an email on his personal account prompting him to scan a QR code with his smartphone to install a passwordless solution. The message also says that once the installation complete, he needs to scan the same QR code but this time with the passwordless application. Time required: 2 minutes.
- Step #2: Damian opens the app and is asked to perform a liveness test, which is an advanced, unspoofable form of biometrics. Then he’s asked to enroll his driver’s license by scanning the front and the back of the document. The proper governmental database is queried, so the license can be verified instantly. Then, he’s prompted to enroll his passport. He scans the ID page. The document is instantly verified with the proper authority. The photos on both documents are matched with the results of his liveness test. Time required: 10 minutes, if he has to go downstairs look for his driver’s license and open a couple of drawers to find his passport.
- Step #3: Damian accesses his employer’s HR portal and scans the QR code displayed on the web page with his passwordless app. He receives a push notification on his smartphone, asking him whether he consents to share the following information with his employer’s HR portal: first name, last name, date of birth and physical address. He taps on “Consent.” The data is transferred to the HR system. The data he just shared is now displayed on the HR portal’s refreshed page along with photos of the driver’s license and passport he scanned earlier. Time required: 1 minute.
- Step #4: Damian can now access his employer’s systems and applications by scanning a QR code to unlock his workstation prior to authenticating with his biometrics, thanks to his passwordless application. Time required: 10 seconds.
Damian is onboarded securely, passwords are eliminated. And his personal data is stored encrypted in the blockchain, which is immune to data breaches.
Now, does Damian really exist?
I know you’re dying to know whether Damian is real. A few years ago, I was hired on the same day as a “Damian.” We were both onboarded in the digital age. And I was the lucky one, because it was not my identity that got stolen in the process. Two weeks after the infamous onboarding, Damian received electronic confirmation of loans he’d never contracted and ownership of a brand-new car he’d never bought. Onboarding the right way… or bust!