Many SME employees retain alarming levels of access to critical business applications after they’ve stopped working for a company, a survey for cloud services firm Intermedia has claimed.
According to this research, 89 percent of former staff surveyed were still able to use their logins to access popular applications such as Salesforce, PayPal, SharePoint, Facebook, Google Apps and even email.
In total, 45 percent reckoned this would allow them to access confidential or even highly confidential data, with 24 percent mentioning PayPal, an account that opens up the possibility of financial abuse.
More to the point, 45 percent admitted having logged into a company account after leaving their employment, presumably without authorisation. Sixty-eight percent also stored work files in a personal cloud, taking that data beyond the control of even the most assiduous IT department.
Intermedia’s web promotion omits to mention how many people were included in the survey, where they were located or how they were chosen, although Computerworld UK understands that the sample size was 379.
So is this August ambulance chasing or the latest example of poor security management?
It is highly plausible that employees leave businesses without having their account credentials changed, not least because businesses now have to manage large numbers of these credentials, sometimes at departmental rather than IT level. To the applications mentioned earlier must be added other common ones such as LinkedIn, Twitter, Office 365 and WordPress.
Some of this depends on the type of firms the survey respondents worked for, their country of origin and how long access lasted. Computerworld UK confirmed that the survey, carried out by Osterman Research for Intermedia, was of US and Canadian workers, which means that the results don't necessarily hold for other countries.
However, Intermedia remains convinced of the issue’s universality.
“Most small businesses think ‘IT security’ applies only to big businesses battling foreign hackers,” said Intermedia president, Michael Gold. “This report should shock smaller businesses into realising that they need to protect their leads databases, financial information and social reputation from human error as well as from malicious activity.”
Responsibility for application de-commissioning remained confused, often split between different departments, he said. IT departments could become blind to the level of access.
Intermedia’s solution is for SMEs to use cloud services such as its own SecuriSync.
In UK security circles, Intermedia is best known for buying UK startup SaasID in September 2013.