July 20, 2015 By Douglas Bonderud 3 min read

Relationships end. In some cases, it’s a mutual decision; in others, one party decides things simply aren’t working and decides it’s time to part ways. Companies go through this time and time again with employees. But as noted by SecurityWeek, reporting on recent Centrify survey data, more than half of IT leaders believe it’s easy for ex-employees to access sensitive data with old usernames and passwords. Breaking up is hard enough — how do companies ensure total separation?

Keeping Track of Sensitive Data Security

According to Osterman Research, 89 percent of employees keep their login and password information after they leave, and 45 percent claimed they could still access sensitive or very sensitive information with these old credentials. The data from Centrify’s “State of the Corporate Perimeter Survey” offers an explanation: While employees are typically “off-boarded” the day of their departure and physical items like keys, keycards and corporate-issued mobile devices are returned, virtual access permissions are often overlooked. As a result, it can take up to a week for login/password combinations to become invalid.

This opens up two possible threat vectors. First is malicious ex-employees looking to steal company secrets or delete sensitive data. If the circumstances of their departure aren’t favorable, they may use IT oversight to wreak havoc on business networks or take intellectual property along with them to their next job. In most cases, however, employees mean no harm but instead realize they’ve forgotten a critical file or contact information and use their lingering access permissions to get what they need and then log out.

The problem? Depending on what information they access and when, this could pose a compliance and information access challenge if companies ever encounter legal issues. If they can’t account for all users and permissions on their network, the results could be hefty fines or protracted litigation.

Share and Share Alike

There’s another issue when it comes to accessing sensitive data, however: current employees. The Centrify survey found that 59 percent of employees at U.S. firms have shared their access credentials with unvetted employees, and 52 percent have done the same with outside contractors.

The sheer number of approved employees with privileged access is also a concern. In U.K. firms with more than 500 employees, 10 percent of users had access to sensitive data. For those under 500 employees, the number jumps to 50 percent of users. It’s not hard to imagine a scenario where well-meaning employees share access data with other users who subsequently leave the company and then use still-valid credentials to access critical information.

Bottom line? Companies aren’t doing enough to curtail access permissions when ex-employees walk out the door. Solving this problem comes in two parts: First, it’s a good idea to schedule an exit interview with every departing employee where all types of access — physical and digital — are revoked and employees are given the chance to express any concerns or voice any recommendations about their experience.

In addition, IT must be brought into the loop — not just for password and login management, but to inform increased monitoring efforts after an employee departure. Are old logins being used or existing credentials being leveraged by employees at multiple locations simultaneously, suggesting that sharing may have taken place? It’s also a good idea to periodically shake the access tree and see what falls out since most users don’t need access to sensitive data unless they’re working on specific projects or need time-sensitive resources.

Breaking up isn’t easy, but it’s always better when both parties don’t leave anything behind. For companies, this means improved vigilance and due diligence when it comes to revoking credentials and monitoring access when employees become exes.

More from

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today