IT Fails to Protect Against Ex-EmployeesBy Ericka Chickowski | Posted 2009-06-26 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Account revocation processes are bungled at many companies.
As the economy weakens, more and more companies face the risk of mischief from once-trusted insiders, even when they’re no longer inside the organization. A survey conducted by access management firm Courion found troubling new evidence that many companies employ inefficient methods to shut off access rights to data, and that many also have no clue that this is a major risk factor.
With so firms bleeding jobs, thin-staffed IT departments can hardly keep up with their workloads. That's one likely reason that many IT organizations are failing to support the business as it trims staff in other departments.
Ideally, IT should be working hand-in-hand with HR to ensure that employee access to IT accounts is terminated as soon as laid-off workers leave the building for the last time. Unfortunately, this ideal isn’t being lived up to, says Brian Cleary, vice president of product and marketing for access management provider Aveksa.
“The root cause of this problem is the fact that organizations do not have good access change management processes or controls,” he says.
Courion’s survey shows that almost a third of companies take a week or longer to ensure that ex-employees have all of their access shut down. And just under one in ten companies report that they can never quite be certain that terminated employees no longer have access to IT systems. Even more troubling: over half of IT managers surveyed were largely unaware of employee access rights to systems.
One of the major factors leading to the lingering of open ex-employee accounts, commonly known as orphan accounts, is the lack (or misapplication) of automated deprovisioning tools. According to Courion’s poll, 30 percent of organizations still deprovision accounts manually.
Even when enterprises employ automation to deprovision, the automated functions may not cover all of the applications under the organizational umbrella.
“It’s really hard to configure the connectors and configure the drivers for (these systems) and it takes a long time to do it, so IT tends to only deploy to applications that have a high degree of change and churn,” Cleary says. “The user provisioning system does a great job with those, but the applications outside user provisioning don't get notified automatically.”
He recalls a customer who recently conducted a manual audit to find that it was experiencing 40 percent failure rates in account termination due to this disconnect.
"The time for over-confidence has passed. It is important for IT managers to close these holes by undertaking regular audits, and ensuring that employees have access only to the information they need to do their jobs." said Stuart Hodkinson, general manager at Courion, in a statement accompanying the survey results.
The evidence is clear that those who can’t or won’t take Hodkinson’s advice will be exploited by former employees. A survey by the Ponemon Institute conducted on behalf of Symantec earlier this year found that of 1,000 workers who had left their employer in the last year, 59 percent intentionally stole data from their organizations.
“Even if layoffs are not imminent, companies need to be more aware of who has access to sensitive business information," said Larry Ponemon, chairman of the institute, in a written statement. "Our research suggests that a great deal of data loss is preventable through the use of clear policies, better communication with employees, and adequate controls on data access."