Does your company have a security exit strategy?
The guest who never leaves
One of the best signs that the economy is improving is the increasing number of employees who are voluntarily leaving their jobs—hopefully for better opportunities.
More often than not, though, the employee never truly leaves the company or the department. Many employers do a very poor job of conducting an IT exit interview, which means former employees continue to have access to the company’s network, their old email accounts, and files and databases.
This creates a serious security risk, particularly at a time when insider threats are peaking and intellectual property poaching is making national news. It seems like this should be an easy security fix, yet it continues to get ignored.
Vengeance is theirs
In many companies, the responsibility for provisioning apps falls to different departments: email is provisioned by IT, HR provisions payroll apps and department managers provision line-of-business apps, explained Ryan Barrett, CTO with Intermedia.
“Having this responsibility divided means that, when an employee leaves the company, promptly communicating the departure to everyone who needs to know becomes a challenge,” Barrett stated. “This simple hurdle is the main thing companies struggle with when developing a unified IT exit strategy. In fact, our Rogue Access study found that 89 percent of former employees retained access to sensitive corporate applications after their departure, while 60 percent were not asked for their cloud logins when they left their companies.”
When former employees continue to have access to the network or data after they leave, the company opens the door to unnecessary risks. These are people who may have left under unhappy circumstances (maybe they hold a grudge against an ex-boss, maybe they were passed over for promotions or raises) and want to seek revenge. When these former employees have all the same access as current employees, they can, and too often will, wreak havoc, either on purpose or accidentally.
“An ex-employee could bring account and billing data to competitors or use product plans to beat your product to market,” said Barrett. “Or they could unknowingly delete sensitive or valuable data.”
What makes ex-employees a greater threat than most insiders is the lack of institutional control. “If you have an ex-employee with access to your network, chances are you aren’t watching them,” said Greg Kelley with Vestige Digital Investigations. And, Kelley added, you have no control over that former employee, and that can provide extra incentive for doing harm. “After all, the company isn’t going to fire them.”
A big problem, but an easy solution
The risks from former employees are a security black hole, often ignored or misunderstood. At the same time, this is the security problem most easily fixed. The fix is to add a network security component to the exit interview.
“The exit strategy should include when IT is notified of the termination,” said Kelley. “Maybe it is the day of or the day before so that IT has a chance to determine what accounts should be removed.”
The strategy should spell out how to ensure that the departing employee brings their company devices to the meeting. Legal should be advised in the event that the employee is under a litigation hold (duty to preserve data for a lawsuit), Kelley added. Also, if the departing employee is hostile or holds a valuable position, the strategy should include considering a forensic image or some other way of preserving the entire contents of the hard drive. The strategy should be reviewed by management as well as all departments involved.
Finally, there should also be a checklist that includes items such as applications the employee accesses, secure documents within their control, and credentials to internal and external systems.
These tips are simply guidelines. There is not going to be a one-size-fits-all approach, says Darren Guccione, CEO of Keeper Security; every industry and business will have its own unique set of issues that must be addressed.
Guccione adds that businesses must get rid of the attitude that security is IT’s problem alone. All departments in the company have to collaborate to come up with a security plan that includes an IT exit strategy.