In an ideal world, when an employee leaves an organization, they return their laptop and any other equipment, and all of their accounts are smoothly removed or disabled. Unfortunately, that’s not the case in the real world. Disgruntled employees will often retain company equipment, and organizations frequently fail to disable all of a user’s accounts. The reality is that a single account left in place can result in untold chaos, destruction, and financial loss—particularly if the former employee was unhappy or had access to sensitive corporate data.
Ex-Employee Accounts Responsible for Significant Number of Breaches
A recent study by OneLogin found that over 50% of ex-employees still have access to corporate applications. This failure to deprovision employees when they leave resulted in a data breach at 20% of the companies represented in the survey.
That’s a very significant number of serious security incidents. It’s clear that many, perhaps most businesses simply aren’t doing enough to guard against security threats brought on by ex-employees.
Many Former Employees Still Have Access
According to the study, nearly half of the survey’s respondents are aware of former employees who still have access to corporate applications, and 50 percent of IT decision-makers report that ex-employees’ accounts remain active for longer than a day after they have left the company. A quarter of respondents take more than a week to deprovision a former employee, and another 25% don’t know how long accounts remain active once the employee has left the company.
In addition to Active Directory, Google, and Salesforce accounts, it’s common for employees to have up to 10 accounts in various cloud services such as payroll, timesheet, travel, workflow and project management functions. Cloud-based accounts can be a particular challenge because they are much easier for ex-employees to reach: in most cases, all that’s needed is web access.
Minimizing the Risk
How can organizations minimize the risk? One approach is to rely on a single, gated access control system, such as a single sign-on system, so administrators can easily deactivate the front-end access to all, or at least most, accounts. This level of centralized authentication makes it easier to shut most accounts off. Unfortunately, it’s not always easy to force all accounts through a central authentication system. It seems there are always rogue or unknown systems that creep into the organization and bypass the controls.
Adding user and entity behavior analytics (UEBA) will help organizations detect when something has been missed and ex-employee accounts are being used. For example, if a long-dormant account is suddenly used, a good UEBA system will detect the anomaly and raise an alert.
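The dormant-account signal described above is simple enough to show in code. The following is an added illustration, not part of the original article and not taken from any UEBA product: it walks a constructed authentication log (the line format, usernames and IP addresses are all made up for the example) and raises an alert for any successful login that follows a gap of at least a configurable number of days since that account’s previous successful login. It also notes whether the login came from a source address never before used for a successful login by that account, which is the kind of extra context an analyst wants when deciding whether an old account has been picked up by its former owner.

```python
from datetime import datetime

# Constructed sample authentication events (not real data). Assumed format:
# <ISO-8601 UTC timestamp> user=<name> result=<success|failure> src=<ip>
SAMPLE_AUTH_LOG = """\
2024-01-08T09:02:11Z user=alice result=success src=10.1.4.22
2024-01-09T08:58:40Z user=bob result=success src=10.1.4.31
2024-01-10T09:05:02Z user=alice result=success src=10.1.4.22
2024-01-12T17:45:13Z user=bob result=success src=10.1.4.31
2024-02-01T09:00:55Z user=alice result=success src=10.1.4.22
2024-02-20T08:57:30Z user=alice result=success src=10.1.4.22
2024-03-10T09:03:00Z user=alice result=success src=10.1.4.22
2024-03-20T02:14:09Z user=bob result=failure src=198.51.100.7
2024-03-20T02:14:31Z user=bob result=success src=198.51.100.7
2024-03-21T09:01:10Z user=alice result=success src=10.1.4.22
"""


def parse_line(line):
    """Split one log line into a dict of fields plus a parsed 'ts' datetime."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_dormant_reactivations(log_text, threshold_days=30):
    """Return one alert per successful login that ends a dormancy period of at
    least `threshold_days` since the same account's previous successful login.

    Each alert records the gap length and whether the source address had ever
    been used for a successful login by that account before.
    """
    last_success = {}   # user -> datetime of most recent successful login
    seen_sources = {}   # user -> set of source IPs used in successful logins
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        # Failures are left out of the dormancy baseline: only a successful
        # login proves the account was actually in use at that time.
        if ev["result"] != "success":
            continue

        user, ts, src = ev["user"], ev["ts"], ev["src"]
        prev = last_success.get(user)
        if prev is not None and (ts - prev).days >= threshold_days:
            alerts.append({
                "user": user,
                "ts": ts.isoformat(),
                "gap_days": (ts - prev).days,
                "src": src,
                "new_source": src not in seen_sources.get(user, set()),
            })

        last_success[user] = ts
        seen_sources.setdefault(user, set()).add(src)

    return alerts


if __name__ == "__main__":
    for alert in find_dormant_reactivations(SAMPLE_AUTH_LOG):
        print(f"ALERT dormant account reactivated: {alert}")
```

In the constructed log, `alice` logs in every few weeks and never trips the 30-day threshold, while `bob` goes quiet after mid-January and reappears in March from an address he has never used, so only that login is flagged. A real deployment would feed this from the identity provider’s sign-in logs and tune the threshold to the organization’s normal leave patterns.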
Here are a few other things an organization can do:
- Act quickly. Too often, it’s a few days before anybody tells IT that the employee is gone – which is exactly the time during which an individual is most motivated to grab anything that might be useful.
- Formally request that departing employees identify all of their accounts and login credentials.
- Establish policies about the appropriate use of various apps and cloud-based tools, and make sure there’s a procedure to disable all accounts when employees leave the organization.
- Understand the ramifications of external sites and rogue applications and how they increase corporate risk on a variety of levels.
- When possible, provide good file sharing, cloud storage, webmail and other alternatives that will enable employees to do their work and keep their data on company-controlled equipment.
- In larger organizations, it’s wise to put in place a process that regularly audits all of these procedures.
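The audit in the last item, and the account sprawl across Active Directory, Google, Salesforce and assorted cloud services described earlier, can be checked with a small reconciliation script. The example below is added here and is not from the original article or any vendor tool. It assumes two constructed inputs: an HR roster of departed employees with their termination dates, and a per-system list of currently active accounts (in practice pulled from each system’s admin API or a CSV export; all names, system labels and dates here are made up). It reports departed employees who still have live accounts, with how many days those accounts have outlived the termination, and separately flags accounts in other systems that have no matching identity in the central directory, which is one way rogue or unknown systems show themselves.

```python
from datetime import date

# Constructed HR roster of departures: username -> termination date (ISO-8601).
DEPARTED = {
    "bob": "2024-01-15",
    "carol": "2024-03-01",
}

# Constructed exports of currently active accounts, one list per system.
ACTIVE_ACCOUNTS = {
    "active_directory": ["alice", "carol", "dave"],
    "google_workspace": ["alice", "bob", "carol", "dave"],
    "salesforce": ["alice", "bob", "dave"],
    "payroll_saas": ["alice", "dave", "erin"],
}


def audit_deprovisioning(departed, active_accounts, as_of=None):
    """Return one finding per departed user who still holds an active account.

    `as_of` is an ISO-8601 date string used as the audit date (defaults to today).
    """
    audit_date = date.fromisoformat(as_of) if as_of else date.today()
    findings = []
    for user, left_on in sorted(departed.items()):
        still_active = sorted(
            system for system, users in active_accounts.items() if user in users
        )
        if not still_active:
            continue
        days_open = (audit_date - date.fromisoformat(left_on)).days
        findings.append({
            "user": user,
            "days_since_termination": days_open,
            # Buckets matching the survey figures quoted above: more than a day,
            # more than a week.
            "over_one_day": days_open > 1,
            "over_one_week": days_open > 7,
            "systems": still_active,
        })
    return findings


def find_orphaned_accounts(active_accounts, directory="active_directory"):
    """Return accounts in non-directory systems with no identity in the central
    directory. These are the accounts a directory-driven offboarding process
    can never reach, whether because the user was already removed from the
    directory or because the system was never integrated with it."""
    known = set(active_accounts[directory])
    orphans = {}
    for system, users in active_accounts.items():
        if system == directory:
            continue
        extra = sorted(set(users) - known)
        if extra:
            orphans[system] = extra
    return orphans


if __name__ == "__main__":
    for finding in audit_deprovisioning(DEPARTED, ACTIVE_ACCOUNTS):
        print("STALE ACCOUNT:", finding)
    for system, users in find_orphaned_accounts(ACTIVE_ACCOUNTS).items():
        print(f"NO DIRECTORY IDENTITY in {system}: {users}")
```

Run against the constructed data with an audit date of 2024-03-25, the report shows `bob` removed from the directory but still live in Google Workspace and Salesforce more than two months after leaving, `carol` still active everywhere three and a half weeks after her termination date, and an `erin` account in the payroll service that the central directory knows nothing about. Scheduling this reconciliation to run regularly, and treating every finding as a ticket, is the audit the bullet above calls for.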
With correct policies and procedures in place, a centralized authentication system to govern most accounts, and a UEBA tool to detect when something is missed, organizations will be reasonably protected from the very real and common problems associated with employee termination.