July 20, 2015 By Douglas Bonderud 3 min read

Relationships end. In some cases, it’s a mutual decision; in others, one party decides things simply aren’t working and decides it’s time to part ways. Companies go through this time and time again with employees. But as noted by SecurityWeek, reporting on recent Centrify survey data, more than half of IT leaders believe it’s easy for ex-employees to access sensitive data with old usernames and passwords. Breaking up is hard enough — how do companies ensure total separation?

Keeping Track of Sensitive Data Security

According to Osterman Research, 89 percent of employees keep their login and password information after they leave, and 45 percent claimed they could still access sensitive or very sensitive information with these old credentials. The data from Centrify’s “State of the Corporate Perimeter Survey” offers an explanation: While employees are typically “off-boarded” the day of their departure and physical items like keys, keycards and corporate-issued mobile devices are returned, virtual access permissions are often overlooked. As a result, it can take up to a week for login/password combinations to become invalid.

This opens up two possible threat vectors. First is malicious ex-employees looking to steal company secrets or delete sensitive data. If the circumstances of their departure aren’t favorable, they may use IT oversight to wreak havoc on business networks or take intellectual property along with them to their next job. In most cases, however, employees mean no harm but instead realize they’ve forgotten a critical file or contact information and use their lingering access permissions to get what they need and then log out.

The problem? Depending on what information they access and when, this could pose a compliance and information access challenge if companies ever encounter legal issues. If they can’t account for all users and permissions on their network, the results could be hefty fines or protracted litigation.

Share and Share Alike

There’s another issue when it comes to accessing sensitive data, however: current employees. The Centrify survey found that 59 percent of employees at U.S. firms have shared their access credentials with unvetted employees, and 52 percent have done the same with outside contractors.

The sheer number of approved employees with privileged access is also a concern. In U.K. firms with more than 500 employees, 10 percent of users had access to sensitive data. For those under 500 employees, the number jumps to 50 percent of users. It’s not hard to imagine a scenario where well-meaning employees share access data with other users who subsequently leave the company and then use still-valid credentials to access critical information.

Bottom line? Companies aren’t doing enough to curtail access permissions when ex-employees walk out the door. Solving this problem comes in two parts: First, it’s a good idea to schedule an exit interview with every departing employee where all types of access — physical and digital — are revoked and employees are given the chance to express any concerns or voice any recommendations about their experience.

In addition, IT must be brought into the loop — not just for password and login management, but to inform increased monitoring efforts after an employee departure. Are old logins being used or existing credentials being leveraged by employees at multiple locations simultaneously, suggesting that sharing may have taken place? It’s also a good idea to periodically shake the access tree and see what falls out since most users don’t need access to sensitive data unless they’re working on specific projects or need time-sensitive resources.

Breaking up isn’t easy, but it’s always better when both parties don’t leave anything behind. For companies, this means improved vigilance and due diligence when it comes to revoking credentials and monitoring access when employees become exes.

More from

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future success…

Brands are changing cybersecurity strategies due to AI threats

3 min read -  Over the past 18 months, AI has changed how we do many things in our work and professional lives — from helping us write emails to affecting how we approach cybersecurity. A recent Voice of SecOps 2024 study found that AI was a huge reason for many shifts in cybersecurity over the past 12 months. Interestingly, AI was both the cause of new issues as well as quickly becoming a common solution for those very same challenges.The study was conducted…

39% of MSPs report major setbacks when adapting to advanced security technologies

4 min read - SOPHOS, a leading global provider of managed security solutions, has recently released its annual MSP Perspectives report for 2024. This most recent report provides insights from 350 different managed service providers (MSPs) across the United States, United Kingdom, Germany and Australia on modern cybersecurity tools solutions. It also documents newly discovered risks and challenges in the industry.Among the many findings of this most recent report, one of the most concerning trends is the difficulties MSPs face when adapting their service…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today