Why ex-employees may be your company's biggest cyberthreat
Some 20% of organizations say they have experienced data breaches by ex-employees. Here's how IT leaders can protect their business.
By Alison DeNisco | August 2, 2017, 4:00 AM PST
While news of ransomware and DDoS attacks constantly makes headlines, another major cybersecurity threat lurks at nearly every company: ex-employees.
In a recent survey of 500 IT decision makers from security firm OneLogin, only about half of respondents said they were "very confident" that former employees could no longer access corporate applications. And 20% of organizations surveyed said they had experienced data breaches by ex-employees.
Further, 48% of organizations said they are aware that former employees still have access to the corporate network. Half of IT leaders said that ex-employees' accounts remain active for longer than a day after they have left the company, 32% said it takes a week, and 20% said it takes a month or more. Another 25% said they don't know how long accounts remain active once the employee has left the company.
"Removing ex-employees' access to systems is a critical step to mitigate risks of future data breaches or other security incidents," said Forrester analyst Merritt Maxim. "It's just good security hygiene."
Ex-employees are increasingly a cybersecurity risk, Maxim noted: In June, Dutch web host Verelox experienced a major outage of all of its services after most of its servers were deleted by an ex-employee, according to the company. And in April, the US-based Allegro Microsystems sued an ex-IT administrator for allegedly installing malware that deleted critical financial data.
So why don't companies take away this access immediately? For one, the process can be time consuming: 70% of IT decision makers surveyed said it can take up to an hour to deprovision all of a single former employee's corporate application accounts.
For another, IT and HR do not often work together, said Al Sargent, senior director at OneLogin. "This is a problem, because HR has the single source of truth for which employees are at the company and which are not, whereas IT controls access to the applications," he added. "They often haven't joined up their user directories to make this a streamlined process."
A typical company has dozens of applications it knows are in use, and hundreds more it may not know about because of shadow IT, Sargent said. "You can't deprovision somebody from an app you don't know about—therein lies another issue," he added. "IT will try to deprovision all employees from all apps, but things inevitably slip through the cracks."
In many cases, access may not be permanently removed immediately: Often, organizations will suspend the accounts, as information on that individual's access may still be required for audit or compliance reporting, Maxim said. At some point in the future, the account will be permanently removed.
The danger applies as much to those who leave a company voluntarily as to those who are terminated, Maxim said. While these users might be less likely to take malicious action against a former employer, they might have the same username and password combination for another account, he added. And if that account is compromised, hackers might try to use that combination at the ex-employee's former job, especially if it is a corporate email address.
Companies should consider creating a service-level agreement (SLA) that defines how quickly access must be removed after an employee leaves a company, Maxim recommends. In many cases, this should be 48 to 72 hours. Companies can then collect data to verify that such access is being removed under the terms of the SLA.
This also means establishing clear processes and policies for how managers initiate the process for removing access, how the security team removes access, and how internal auditors can test and verify that access was removed appropriately.
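One way to make such an SLA verifiable, as an added example that is not from the article or from OneLogin or Forrester: join HR's separation records (the "single source of truth" for who has left) to IT's directory export and flag accounts that are still active, or were disabled late, relative to the SLA. The record formats, field names and sample data are assumptions constructed for the example.

```python
# Added example: reconcile HR separations against directory account state and
# flag accounts still active, or disabled late, relative to a deprovisioning SLA.
from datetime import datetime, timedelta

SLA_HOURS = 72  # upper bound of the 48-72 hour window suggested in the article

# Constructed sample data: HR's record of who left and when (ISO 8601 timestamps).
HR_SEPARATIONS = [
    {"user": "alice", "left_at": "2017-07-01T09:00:00"},
    {"user": "bob",   "left_at": "2017-07-10T17:00:00"},
    {"user": "carol", "left_at": "2017-07-12T12:00:00"},
    {"user": "dave",  "left_at": "2017-07-13T08:00:00"},
]
# Constructed sample data: per-application account export from IT's directory.
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "app": "email", "status": "disabled", "disabled_at": "2017-07-01T11:00:00"},
    {"user": "alice", "app": "vpn",   "status": "active",   "disabled_at": None},
    {"user": "bob",   "app": "email", "status": "disabled", "disabled_at": "2017-07-15T09:00:00"},
    {"user": "carol", "app": "email", "status": "disabled", "disabled_at": "2017-07-13T10:00:00"},
    {"user": "dave",  "app": "email", "status": "active",   "disabled_at": None},
]

def reconcile(separations, accounts, now_iso, sla_hours=SLA_HOURS):
    """Join HR separations to directory accounts; return (user, app, finding) tuples.

    'still_active_past_sla'   -> breach, needs immediate deprovisioning
    'still_active_within_sla' -> clock still running, watch it
    'disabled_late'           -> historical breach for the SLA compliance report
    Accounts disabled inside the window produce no finding.
    """
    now = datetime.fromisoformat(now_iso)
    sla = timedelta(hours=sla_hours)
    accounts_by_user = {}
    for acct in accounts:
        accounts_by_user.setdefault(acct["user"], []).append(acct)
    findings = []
    for sep in separations:
        deadline = datetime.fromisoformat(sep["left_at"]) + sla
        for acct in accounts_by_user.get(sep["user"], []):
            if acct["status"] == "active":
                state = "still_active_past_sla" if now > deadline else "still_active_within_sla"
                findings.append((sep["user"], acct["app"], state))
            elif datetime.fromisoformat(acct["disabled_at"]) > deadline:
                findings.append((sep["user"], acct["app"], "disabled_late"))
    return findings

if __name__ == "__main__":
    for user, app, state in reconcile(HR_SEPARATIONS, DIRECTORY_ACCOUNTS, "2017-07-16T00:00:00"):
        print(f"{user:6} {app:6} {state}")
```

Run against real exports, the same join also surfaces apps an HR-terminated user still appears in that IT never tracked, which is the shadow-IT gap Sargent describes.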
Most former employees do not have malicious intentions, Sargent said. "Most understand that there are laws, and there will be consequences if they do access a former employer's system," Sargent said. "Despite this, there are a few bad apples. It takes just one of them to cause a problem."