A security team's biggest fear is an attack carried out by a knowledgeable insider, and with the economy driving job cuts within many organizations, those worries are being realized in the form of discharged workers who retain access to their former employers' IT systems, according to a new survey.
With jobs walking out the door, along with larger numbers of remote workers, many organizations have yet to account for tightening their defenses to address the ongoing trends, claims the report, published by security and password management specialists Cloakware.
Based on a survey of over 12,500 U.S. IT security workers, the report claims that among those organizations represented in the research, a minimum of 1,312,500 laid-off or fired employees retain access to company systems in total.
Overall, the report contends that roughly 14 percent of all recently discharged workers still have access to proprietary data and organizational information, "revealing critical deficiencies of corporate security policies," Cloakware said. At least 21 percent of respondents admitted that they hadn't changed employees' passwords after they were terminated.
In other efforts to save money by moving more staffers out of the office, while some 90 percent of companies that responded said they employ remote workers and 41 percent said they have increased their use of the model over the last year, most of the organizations said that they hadn't altered their authentication policies to account for the shift.
"With companies facing dwindling margins, reducing overhead costs is driving a change in employee work arrangements, but it also reveals weak protection practices - a critical issue for long-term security," David Canellos, president and chief operating officer of Cloakware. "Simply put, companies are only beginning to realize the need for more stringent standards to govern access to their critical information and protect their crucial company assets."
Other key findings of the report included:
-Disconnect between departments as to which group "owns" management of IT systems access for employees. Two thirds of respondents reported that their IT departments handle responsibility, but others involved HR and direct managers, a lack of continuity that can leave companies vulnerable to malicious former employee attacks, Cloakware maintains.
-Inconsistent internal password management policies: Some three-quarters of respondents reported that they require periodic password changes, either monthly (31 percent of those who do) or quarterly (69 percent). However, only 20 percent said they have an automated password update function that enforces the policy.
-Overly simple new-employee access: Over 80 percent admitted that for new employees, all e-mail address and password setup is the same, making it "extremely easy to take advantage of a new co-worker's access to critical company resources," the security management experts contend.
The survey was conducted in March 2009 with workers at companies with 1,000 or more employees across a wide range of vertical industries, Cloakware said.
What the report left out was that many spurned workers are probably only too happy to take advantage of their access retention, or to sell off their credentials to someone else.
A bad economy is unquestionably bad for security.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.