Ex-staff needlessly retaining digital access puts firms at risk

20 Jul 2017


A failure to successfully remove former employees’ access permissions to company applications is exposing many organisations to risk.

An interesting report emerged recently that looked at an area of cyber risk many overlook: employees walking out, while the door remains open.

Successful ‘offboarding’ should see departing employees relinquishing access to corporate applications, datasets and other valuable property.

Unsuccessful offboarding – or ‘deprovisioning’ – is, essentially, exposing companies to needless risk.

Employees have consistently been ranked as the biggest source of data breaches, whether it be through incompetence, genuine human error or something more malicious.

Big threat

According to an EY report, almost half of executives think employees are the biggest cyber risk in their company, with the vast majority of this risk purely down to education.

The dos and don’ts of company practice, perhaps.

The problem here is that if people no longer in the organisation share the same lack of education, the risk grows significantly.

So, adding ex-employees into that mix seems bizarre. It is not rare, though: a US study from OneLogin found that around 48pc of those asked were fully aware of ex-employees retaining access to corporate applications.

“The bottom line is that companies aren’t following very basic but essential security measures around employee provisioning and de-provisioning,” said Alvaro Hoyos, chief information security officer at OneLogin.

“This should be a cause for concern among business leaders, especially considering how many data breaches are caused by ex-employees.”

There is a problem

Hoyos added: “That said, at least now we’re at a point where we are acknowledging there is a problem.

“The next step is going to be for IT decision-makers to be proactive about addressing this issue.

“Modern enterprises need technology that can automate the provisioning processes to help companies become more secure, productive and efficient.”

OneLogin surveyed 500 IT decision-makers for the US report, with 25pc saying it takes them more than one week to fully detach former employees from company procedures.

The same percentage said they didn’t know how long accounts remain active after employees leave the company.

Meanwhile, even more professionals were surveyed in the UK, with half of the respondents not using any automated technology to disable employees’ access upon contract termination.

“Our study suggests that many businesses are burying their heads in the sand when it comes to this basic, but significant, threat to valuable data, revenue and brand image,” said Hoyos.

With the impending need to abide by the new General Data Protection Regulation, closing these loopholes will be a necessity.

Gordon Hunt was a journalist with Silicon Republic
