July 20, 2015 By Douglas Bonderud 3 min read

Relationships end. In some cases, it’s a mutual decision; in others, one party decides things simply aren’t working and decides it’s time to part ways. Companies go through this time and time again with employees. But as noted by SecurityWeek, reporting on recent Centrify survey data, more than half of IT leaders believe it’s easy for ex-employees to access sensitive data with old usernames and passwords. Breaking up is hard enough — how do companies ensure total separation?

Keeping Track of Sensitive Data Security

According to Osterman Research, 89 percent of employees keep their login and password information after they leave, and 45 percent claimed they could still access sensitive or very sensitive information with these old credentials. The data from Centrify’s “State of the Corporate Perimeter Survey” offers an explanation: While employees are typically “off-boarded” the day of their departure and physical items like keys, keycards and corporate-issued mobile devices are returned, virtual access permissions are often overlooked. As a result, it can take up to a week for login/password combinations to become invalid.

This opens up two possible threat vectors. First is malicious ex-employees looking to steal company secrets or delete sensitive data. If the circumstances of their departure aren’t favorable, they may use IT oversight to wreak havoc on business networks or take intellectual property along with them to their next job. In most cases, however, employees mean no harm but instead realize they’ve forgotten a critical file or contact information and use their lingering access permissions to get what they need and then log out.

The problem? Depending on what information they access and when, this could pose a compliance and information access challenge if companies ever encounter legal issues. If they can’t account for all users and permissions on their network, the results could be hefty fines or protracted litigation.

Share and Share Alike

There’s another issue when it comes to accessing sensitive data, however: current employees. The Centrify survey found that 59 percent of employees at U.S. firms have shared their access credentials with unvetted employees, and 52 percent have done the same with outside contractors.

The sheer number of approved employees with privileged access is also a concern. In U.K. firms with more than 500 employees, 10 percent of users had access to sensitive data. For those under 500 employees, the number jumps to 50 percent of users. It’s not hard to imagine a scenario where well-meaning employees share access data with other users who subsequently leave the company and then use still-valid credentials to access critical information.

Bottom line? Companies aren’t doing enough to curtail access permissions when ex-employees walk out the door. Solving this problem comes in two parts: First, it’s a good idea to schedule an exit interview with every departing employee where all types of access — physical and digital — are revoked and employees are given the chance to express any concerns or voice any recommendations about their experience.

In addition, IT must be brought into the loop — not just for password and login management, but to inform increased monitoring efforts after an employee departure. Are old logins being used or existing credentials being leveraged by employees at multiple locations simultaneously, suggesting that sharing may have taken place? It’s also a good idea to periodically shake the access tree and see what falls out since most users don’t need access to sensitive data unless they’re working on specific projects or need time-sensitive resources.

Breaking up isn’t easy, but it’s always better when both parties don’t leave anything behind. For companies, this means improved vigilance and due diligence when it comes to revoking credentials and monitoring access when employees become exes.

More from

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Cybersecurity Awareness Month: Cybersecurity awareness for developers

3 min read - It's the 21st annual Cybersecurity Awareness Month, and we’re covering many different angles to help organizations manage their cybersecurity challenges. In this mini-series of articles, we’re focusing on specific job roles outside of cybersecurity and how their teams approach security.For developers, cybersecurity has historically been a love-hate issue. The common school of thought is that coders are frustrated with having to tailor their work to fit within cybersecurity rules. However, many companies are embracing a security-first approach, and some developers…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today