Relationships end. In some cases, it’s a mutual decision; in others, one party decides things simply aren’t working and decides it’s time to part ways. Companies go through this time and time again with employees. But as noted by SecurityWeek, reporting on recent Centrify survey data, more than half of IT leaders believe it’s easy for ex-employees to access sensitive data with old usernames and passwords. Breaking up is hard enough — how do companies ensure total separation?
Keeping Track of Sensitive Data Security
According to Osterman Research, 89 percent of employees keep their login and password information after they leave, and 45 percent claimed they could still access sensitive or very sensitive information with these old credentials. The data from Centrify’s “State of the Corporate Perimeter Survey” offers an explanation: While employees are typically “off-boarded” the day of their departure and physical items like keys, keycards and corporate-issued mobile devices are returned, virtual access permissions are often overlooked. As a result, it can take up to a week for login/password combinations to become invalid.
This opens up two possible threat vectors. First is malicious ex-employees looking to steal company secrets or delete sensitive data. If the circumstances of their departure aren’t favorable, they may use IT oversight to wreak havoc on business networks or take intellectual property along with them to their next job. In most cases, however, employees mean no harm but instead realize they’ve forgotten a critical file or contact information and use their lingering access permissions to get what they need and then log out.
The problem? Depending on what information they access and when, this could pose a compliance and information access challenge if companies ever encounter legal issues. If they can’t account for all users and permissions on their network, the results could be hefty fines or protracted litigation.
Share and Share Alike
There’s another issue when it comes to accessing sensitive data, however: current employees. The Centrify survey found that 59 percent of employees at U.S. firms have shared their access credentials with unvetted employees, and 52 percent have done the same with outside contractors.
The sheer number of approved employees with privileged access is also a concern. In U.K. firms with more than 500 employees, 10 percent of users had access to sensitive data. For those under 500 employees, the number jumps to 50 percent of users. It’s not hard to imagine a scenario where well-meaning employees share access data with other users who subsequently leave the company and then use still-valid credentials to access critical information.
Bottom line? Companies aren’t doing enough to curtail access permissions when ex-employees walk out the door. Solving this problem comes in two parts: First, it’s a good idea to schedule an exit interview with every departing employee where all types of access — physical and digital — are revoked and employees are given the chance to express any concerns or voice any recommendations about their experience.
In addition, IT must be brought into the loop — not just for password and login management, but to inform increased monitoring efforts after an employee departure. Are old logins being used or existing credentials being leveraged by employees at multiple locations simultaneously, suggesting that sharing may have taken place? It’s also a good idea to periodically shake the access tree and see what falls out since most users don’t need access to sensitive data unless they’re working on specific projects or need time-sensitive resources.
Breaking up isn’t easy, but it’s always better when both parties don’t leave anything behind. For companies, this means improved vigilance and due diligence when it comes to revoking credentials and monitoring access when employees become exes.