Do Your Ex-Employees Have Keys To Your Cyber-Castle? What Can You Do About It?
A worldwide IT security firm recently conducted a survey of nearly 300 IT professionals about current system security issues. Those surveyed came from businesses of varying sizes, with 55 percent working in organizations with at least 1,000 employees. The results reflect some troubling statistics in password security and system access control.
Surprisingly, over 13 percent of those surveyed can access a former employer's system with their old credentials, and some are still able to access the systems of two or more previous employers. Additionally, almost 20 percent do not have or are unaware of having an organizational policy that revokes system access to former employees when they leave the organization.
The survey also found most IT professionals are still wary of the level of security found in cloud applications. Eighty percent of respondents keep their most sensitive data on their own systems, and almost 75 percent report applications downloaded from the cloud cause them security problems.
Another interesting survey result is that 23 percent of respondents do not change their service and process account passwords within the recommended 90-day time frame.
Whether organizations lack security training or are overwhelmed by the difficulty of managing such a dynamic environment, the repercussion of neglecting password security and control of system access is an increased risk of a data breach. "Information Security Survey 2014," go.liebsoft.com (May 28, 2014).
Commentary and Checklist
Just as employers protect their financial assets from embezzlement, they must also protect sensitive data from theft, destruction, and corruption.
Research conducted by IBM reveals organizations are attacked an average of almost 17,000 times per year, and the trend is escalating.
A comprehensive cybersecurity plan can prevent an attack from becoming an actual breach and can limit the costs associated with stolen or corrupted data.
The above survey highlights the type of lax attitude toward system security that has been found in numerous past studies. The failure to delete the access credentials of former employees is of particular concern. A cybersecurity plan should include procedures for employees who are leaving the organization.
The plan should outline appropriate communications between IT staff and the human resource department to make sure system access is revoked in a timely manner when employees leave an organization.
Also, conducting an exit interview gives employers the opportunity to remind a departing employee that the organization's information is confidential and should not be made known outside the organization. This should follow an already existing disclosure policy.
One security expert suggests the following steps to make certain your departing employees do not become a cybersecurity risk:
- Keep an updated record of the hardware (laptops, tablets, or smartphones) each employee is using. Make sure employer-owned hardware is returned.
- Maintain information on employee access rights. An employee may have access to numerous systems or databases, and a complete list will aid in removing an employee's access entirely.
- If the employee had access to vendor or client systems, be sure they are informed of the employee's departure.
- Check all computers to which the employee had access, looking for installed spyware systems. Malware or keystroke loggers can be easily installed and are often overlooked.
- If the departing employee had access to internal IT systems, be sure to scan those systems for alternative logins and backdoors the employee may have created for unauthorized access. Do not overlook background systems that require login access (routers, firewalls, intrusion prevention systems, etc.).
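The access-rights list and the scan for alternative logins can be checked together by reconciling the HR departure list against account exports from each system. The following is an added example, not part of the original article or the survey; the account names, systems, record layout, and the 30-day lookback window are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical users and systems).
# HR feed: username -> last day of employment.
HR_DEPARTURES = {"jdoe": date(2014, 5, 1), "asmith": date(2014, 5, 20)}

# Per-system account export, assumed layout:
# (system, account, owner, enabled, created_by, created_on)
ACCOUNTS = [
    ("vpn", "jdoe", "jdoe", True, "itadmin", date(2012, 3, 1)),
    ("crm", "jdoe", "jdoe", False, "itadmin", date(2012, 3, 1)),
    ("database", "asmith", "asmith", True, "itadmin", date(2010, 6, 15)),
    ("firewall", "fw-maint2", None, True, "asmith", date(2014, 5, 18)),
    ("router", "netops", "bkhan", True, "asmith", date(2011, 1, 10)),
]

STILL_ENABLED = "enabled account owned by former employee"
LATE_CREATION = "account created by departing employee near exit date"


def offboarding_findings(departures, accounts, lookback_days=30):
    """Return (system, account, reason) for accounts that need review.

    Flags two cases from the checklist: access that was never revoked,
    and alternative logins the employee created within `lookback_days`
    before leaving (or any time after).
    """
    findings = []
    for system, account, owner, enabled, created_by, created_on in accounts:
        if not enabled:
            continue  # already disabled on this system
        if owner in departures:
            findings.append((system, account, STILL_ENABLED))
        elif created_by in departures:
            days_before_exit = (departures[created_by] - created_on).days
            if days_before_exit <= lookback_days:
                findings.append((system, account, LATE_CREATION))
    return findings


if __name__ == "__main__":
    for system, account, reason in offboarding_findings(HR_DEPARTURES, ACCOUNTS):
        print(f"{system:10} {account:10} {reason}")
```

Accounts outside the lookback window that a former employee created, such as the router login in the sample data, are not flagged here and still belong on the manual review list.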