July 20, 2015 By Douglas Bonderud 3 min read

Relationships end. In some cases, it’s a mutual decision; in others, one party decides things simply aren’t working and decides it’s time to part ways. Companies go through this time and time again with employees. But as noted by SecurityWeek, reporting on recent Centrify survey data, more than half of IT leaders believe it’s easy for ex-employees to access sensitive data with old usernames and passwords. Breaking up is hard enough — how do companies ensure total separation?

Keeping Track of Sensitive Data Security

According to Osterman Research, 89 percent of employees keep their login and password information after they leave, and 45 percent claimed they could still access sensitive or very sensitive information with these old credentials. The data from Centrify’s “State of the Corporate Perimeter Survey” offers an explanation: While employees are typically “off-boarded” the day of their departure and physical items like keys, keycards and corporate-issued mobile devices are returned, virtual access permissions are often overlooked. As a result, it can take up to a week for login/password combinations to become invalid.

This opens up two possible threat vectors. First is malicious ex-employees looking to steal company secrets or delete sensitive data. If the circumstances of their departure aren’t favorable, they may use IT oversight to wreak havoc on business networks or take intellectual property along with them to their next job. In most cases, however, employees mean no harm but instead realize they’ve forgotten a critical file or contact information and use their lingering access permissions to get what they need and then log out.

The problem? Depending on what information they access and when, this could pose a compliance and information access challenge if companies ever encounter legal issues. If they can’t account for all users and permissions on their network, the results could be hefty fines or protracted litigation.

Share and Share Alike

There’s another issue when it comes to accessing sensitive data, however: current employees. The Centrify survey found that 59 percent of employees at U.S. firms have shared their access credentials with unvetted employees, and 52 percent have done the same with outside contractors.

The sheer number of approved employees with privileged access is also a concern. In U.K. firms with more than 500 employees, 10 percent of users had access to sensitive data. For those under 500 employees, the number jumps to 50 percent of users. It’s not hard to imagine a scenario where well-meaning employees share access data with other users who subsequently leave the company and then use still-valid credentials to access critical information.

Bottom line? Companies aren’t doing enough to curtail access permissions when ex-employees walk out the door. Solving this problem comes in two parts: First, it’s a good idea to schedule an exit interview with every departing employee where all types of access — physical and digital — are revoked and employees are given the chance to express any concerns or voice any recommendations about their experience.

In addition, IT must be brought into the loop — not just for password and login management, but to inform increased monitoring efforts after an employee departure. Are old logins being used or existing credentials being leveraged by employees at multiple locations simultaneously, suggesting that sharing may have taken place? It’s also a good idea to periodically shake the access tree and see what falls out since most users don’t need access to sensitive data unless they’re working on specific projects or need time-sensitive resources.

Breaking up isn’t easy, but it’s always better when both parties don’t leave anything behind. For companies, this means improved vigilance and due diligence when it comes to revoking credentials and monitoring access when employees become exes.

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today