Employees leaving a company can pose a real risk to the security of an organization
Many years ago, I left a job to take a new position. Several weeks after I made the move, I was searching for some information and realized that it may have been in my former email inbox. On a whim, I checked to see if I could still log in. Not only was I able to access that inbox, but I discovered I still had access to everything on the network, including sensitive employee records and the financial database. I reported that I still had access, but on periodic checks, I stayed on the company’s active list for at least six months after I had left. Imagine what I could have done if I was vindictive!
A few years ago, I received a letter from that company telling me that its network had been breached and my records may have been compromised. Although the company didn’t reveal the source of the breach, I couldn’t help but wonder if it was due to someone who left under bad terms and took advantage of not being deactivated from network accounts.
We tend to think of malicious insider threats in terms of current employees, but employees who have left or are on their way out the door can pose real risk and cause serious damage. A recent study from Gurucul found 1 in 10 would take as much corporate information with them as possible when they left, while another 15% said they would delete files or change passwords.
While a disgruntled soon-to-be former employee or an ex-employee with access to the network can wreak havoc, you also have to pay attention to the ex-employee who thinks they are doing something innocent, such as gathering some personal information about their co-workers so they can stay in touch. That minimal access could result in a violation of data privacy regulations or industry compliance laws, and it is the organization left paying the fines.
Can You Really Trust Them?
According to a 2017 OneLogin study (the most recent I could find), 48% of former employees continue to have access to the corporate network, and IT departments admit that deleting them from the system is a slow process, sometimes taking a month or more. You may think that this isn’t a problem; after all, these folks once worked for your company and you trusted them with passwords and sensitive information then, so these former employees shouldn’t pose any real risk. Right?
“Employees who pass preliminary vetting and background checks may now—or in the future—face any number of circumstances that entice them to break that trust: pressure through intimidation; being passed over for promotion, extortion or blackmail, offers of large amounts of money or simply a change in personal conditions,” said Steve Durbin, managing director of the Information Security Forum.
Tips for Secure Employee Turnover
“When employees leave a company, in general it’s expected for both parties to remain professional and for the separation to go smoothly as outlined in an organization’s employment documentation,” explained Heather Paunet, vice president of Product Management at Untangle. “Nevertheless, as companies expand employee connectivity with company-provided devices, BYOD policies and remote access abilities, it is in the company’s and the employee’s interests to make sure that there is no doubt about ongoing access to assets, applications and data.”
Paunet provided the following five examples of how companies and employees can ensure a smooth transition without employees posing the risk of compromising network security:
• Many employees ask to keep their work laptop or other company-provided devices when they leave the company. The IT department should either have a policy that prohibits laptops from being taken after employee separation, or a way to ensure the devices are wiped clean, with all work-related assets removed, as part of the separation process.
• Employees have access to more and more business applications that are hosted in the cloud. Employees can access these apps from any device, on or off of the corporate network. IT departments can minimize post-termination access by limiting how employees interact with the software while employed. Defining access levels in the beginning will make it easier to remove access permissions when an employee leaves the company.
• Having a single sign-on policy is advantageous for onboarding and offboarding. Instead of having to remove accounts from every system that an employee uses, the account can be removed in one location and all system access privileges will be propagated through all business assets and applications.
• When the IT department is setting up the corporate network, using a unified threat management solution so that network access requires a username and password or specific MAC address ensures that employees leaving the building no longer have access to the corporate network once their user account has been removed.
• IT departments should be notified in advance, when applicable, of an employee termination. This will allow them to prepare backup, restoration and preservation of any corporate data the employee was responsible for managing.
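One way to check that offboarding actually removed access everywhere is to reconcile HR separation records against account exports from each system. The audit below is an added example, not part of the original article; the system names, usernames, dates and record layout are all constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample data: HR separation records (user -> last working day).
SEPARATIONS = {
    "asmith": date(2024, 3, 1),
    "bjones": date(2024, 4, 15),
}

# Constructed account exports from three hypothetical systems.
# Each row: (system, username, enabled, last_login ISO timestamp or None)
ACCOUNTS = [
    ("sso", "asmith", False, "2024-02-29T17:02:00"),
    ("email", "asmith", True, "2024-03-20T09:14:00"),   # local login survived
    ("finance-db", "asmith", True, None),
    ("sso", "bjones", False, "2024-04-15T16:40:00"),
    ("email", "bjones", False, "2024-04-15T16:45:00"),
    ("sso", "cdoe", True, "2024-05-02T08:00:00"),       # current employee
]

def audit_offboarding(separations, accounts, as_of):
    """Return findings for accounts of separated users that are still
    enabled or were used after the separation date."""
    findings = []
    for system, user, enabled, last_login in accounts:
        left = separations.get(user)
        if left is None or left > as_of:
            continue  # still employed, or separation is in the future
        login = datetime.fromisoformat(last_login).date() if last_login else None
        used_after = login is not None and login > left
        if enabled or used_after:
            findings.append({
                "system": system,
                "user": user,
                "enabled": enabled,
                "days_since_separation": (as_of - left).days,
                "login_after_separation": used_after,
            })
    # Highest risk first: post-separation logins, then longest-lived accounts.
    findings.sort(key=lambda f: (not f["login_after_separation"],
                                 -f["days_since_separation"]))
    return findings

if __name__ == "__main__":
    for finding in audit_offboarding(SEPARATIONS, ACCOUNTS, date(2024, 5, 10)):
        print(finding)
```

In the sample data the single sign-on account was disabled on time, but two systems with their own local accounts were missed, which is the gap a scheduled reconciliation like this is meant to surface.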