Barely a quarter of US and UK firms have processes in place to neutralise the security risks of former employees accessing company systems and data, according to a study by IS Decisions.
After questioning 500 IT professionals (an equal number in both countries) the firm found that half of them worked at organisations with an insider threat programme of some sort although the majority of the rest were planning something for 2015.
US firms seem more likely to be running a programme than firms in the UK, IS Decisions speculates, possibly because the sheer number of breaches reported there has made businesses more aware of the risks.
Despite this, only 24 percent of these programmes included an ‘exit’ process designed to ensure that departing employees couldn’t access systems after leaving, a potentially risky oversight. Organisations were more likely to fall back on written policies and the use of security monitoring tools.
Another recent report by IS Decisions found that a third of those questioned inside organisations were aware of former employees who still had access to internal systems, an extraordinary statistic if it stands up.
A confusing factor is whose job it is to tend to this issue: almost 80 percent mentioned the IT department, 43 percent senior management, 24 percent middle management, and around one in five named employees themselves or the CTO or CIO.
“It’s often easy for companies to overlook post-employment processes when they’re worrying more about the behaviour of current employees,” said IS Decisions CEO, François Amigorena.
“However, an employee on the outside with access to your systems can be as dangerous as any hacker or virus and often your threat detection systems won’t pick up a former employee because it thinks the employee has genuine authority to access systems.
“Threats can go undetected for months, leaving a huge open window for attack. A simple employee exit checklist can help mitigate these threats,” he said.
The simplest security layer is for firms to take the issue more seriously and build checks and balances to ensure that former employees' access is actually removed. If this falls to the security team, they must know when employees are due to leave the organisation. Tools can then automate some of this, removing the management overhead.
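One way to build such a check, as an added example that is not from IS Decisions or the survey: reconcile the HR roster of leavers against a directory export and flag any leaver whose account is still enabled, or has been used after the leave date. The latter is exactly the case monitoring tools miss, because the logon looks authorised. The CSV columns and the sample rows are constructed for this example.

```python
import csv
import io
from datetime import date

# Constructed HR roster of leavers (username, last working day).
HR_LEAVERS_CSV = """username,leave_date
jsmith,2015-01-09
mwong,2015-02-20
rpatel,2015-03-31
lgreen,2015-04-15
"""

# Constructed directory export: account state and last logon date.
DIRECTORY_CSV = """username,enabled,last_logon
jsmith,true,2015-01-21
mwong,false,2015-02-19
rpatel,true,2015-03-30
lgreen,true,2015-03-31
akhan,true,2015-03-30
"""


def find_lingering_access(hr_csv, dir_csv, today):
    """Return (username, leave_date, still_enabled, used_after_leaving) for every
    leaver who has already left and whose account is enabled or was used afterwards."""
    leavers = {r["username"]: date.fromisoformat(r["leave_date"])
               for r in csv.DictReader(io.StringIO(hr_csv))}
    accounts = {r["username"]: r for r in csv.DictReader(io.StringIO(dir_csv))}
    findings = []
    for user, left in leavers.items():
        if left > today:
            continue  # still employed, nothing to check yet
        acct = accounts.get(user)
        if acct is None:
            continue  # account already deleted: the exit process worked
        enabled = acct["enabled"].strip().lower() == "true"
        used_after = date.fromisoformat(acct["last_logon"]) > left
        if enabled or used_after:
            findings.append((user, left, enabled, used_after))
    return findings


if __name__ == "__main__":
    for user, left, enabled, used_after in find_lingering_access(
            HR_LEAVERS_CSV, DIRECTORY_CSV, date(2015, 4, 1)):
        print(f"{user}: left {left}, enabled={enabled}, logon after leaving={used_after}")
```

Run it on the real HR feed and directory export on a schedule; a non-empty result is the offboarding gap the survey describes, and the used_after flag is the one worth treating as an incident.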