11 Aug 2014

How great is the security risk each time an employee leaves a company? Unfortunately, many enterprises don’t manage the risk very well. Often, processes for cancelling passwords or retrieving physical assets may be slipshod, or even non-existent.

Research by IS Decisions highlights the problem: Over a third (36 percent) of desk-based workers in the United States and the United Kingdom are aware of having access to a former employer’s systems or data after leaving an organisation. The number is even higher for younger workers – more than half (58 percent) of workers between 16 and 24 years of age say they still can access a former employer’s systems or data, and almost half (48 percent) of 25- to 34-year-olds say they can. The higher numbers in lower age groups may reflect that these groups change jobs more frequently. Still, even among workers over age 55, 21 percent say they can still access a former employer’s systems. Even worse, more than 1 ex-employee in 10 actually chooses to use the access to a former employer’s data, according to the research.

“Former employees are probably the greatest insider threat,” says François Amigorena, CEO of IS Decisions, a security software company that helps organisations like Barclays Bank, IBM and the U.S. Department of Justice secure their employees’ network access and user sessions.

You see the same pattern in the physical security world, too. How often do employees or managers leave a company and fail to return an access control card or the key to the front door? How vigilantly do administrators of access management systems delete permissions and credentials when an employee leaves? The familiarity of a former employee might easily encourage unwise relaxing of physical access control policies among friends who still work at a site.

Whether it’s logical or physical access, vigilance may be lacking. Important processes to ensure security may not be in place, or may not be observed. Clearly the best time to address the situation is before a security breach happens.