Survey Finds Companies Failing to Promptly Cut Ex-Employee Data Access

While one-in-five companies have experienced a data breach caused by an ex-employee, most firms still do not focus on shutting down access to former workers.

Ex-Employee Breach Threat

Companies are continuing to struggle with quickly shutting out former employees from accessing systems once they leave the company, according to a survey conducted by Arlington Research and commissioned by OneLogin.

The survey of 500 IT workers found that, while one-in-five companies have experienced a data breach caused by an ex-employee, 32 percent of companies take more than a week to remove former workers from their systems. Almost half of all companies were not confident that they had completely blocked access to all former employees from their systems, the survey found.

The problem for most companies is that the issue—and the solution—crosses disciplinary boundaries within their workforce, throwing the human-resources and information-technology groups together, Al Sargent, senior director at cloud-based identity-and-access management company OneLogin, told eWEEK.

“HR and IT need to work closely to solve this problem, but they typically don’t,” he said. “HR should be the source of truth about who is employed by the company, not just your employees but your contractors, brokers and anyone who can access your information systems.”

Companies have struggled to manage the latent security threat of ex-employees accessing their business systems. In a 14-year-old study conducted by Novell, Stanford University and Hong Kong University of Science and Technology, researchers found that 43 percent of companies took more than two days to de-provision employees, while 15 percent took more than two weeks.

Yet, more companies today find themselves in the long tail of allowing access to an employee weeks after they leave the firm. The OneLogin study found that 20 percent of companies—significantly more than 14 years ago—took more than a month to de-provision former workers.

While terminated employees face stiff legal penalties for accessing data systems at their former employers, each year sees a number of such cases. In April, Jason Needham, the co-owner of NHA Engineering, pled guilty to repeatedly accessing the systems of Allen & Hoshall, his former employer and current competitor.

In March, federal officials indicted a 29-year-old Texas man for using his credentials from months earlier to hack his former employer, a healthcare facility, and access data on 13 different servers.

“Anyone who has an ounce of common sense would not go into an ex-employer’s system and break the law,” Sargent said. “Yet, while the law is a deterrent, it is not a sufficient deterrent.”

The problem will only likely get worse, as identity-and-access management for companies becomes increasingly complex. Businesses now have to manage worker access not only to on-premises assets but also to cloud services and mobile devices.

In addition, as more work is done by contractors as part of the expanding gig economy, the issues with access control will likely only get worse, Sargent said.

“As we have the gig-ification of the workforce, the question is how do you provision and de-provision accurately,” he said.

In addition to de-provisioning employees immediately after they part with the company, businesses must also automate the monitoring of any access to critical assets, he said. Yet, only about 40 percent of companies are using a security information and event management (SIEM) system to track who is accessing data.
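The two controls the article describes, treating the HR roster as the source of truth for who should have access and monitoring access by anyone who should no longer have it, can be checked with a small reconciliation script. The following is an added example, not code from OneLogin or the survey; the HR roster, identity-provider snapshot and authentication log lines are constructed sample data, and the simple "timestamp user result source" log format is an assumption chosen for illustration. It reports enabled accounts belonging to people HR lists as terminated (with how many days they have been overdue, so the "more than a week" figure can be measured), accounts HR has no record of at all, and successful logins by terminated or unknown users, which is the kind of rule a SIEM would run over authentication events.

```python
from datetime import date, datetime

# Constructed sample HR roster (assumed to be the source of truth, covering
# employees and contractors alike).
HR_ROSTER = [
    {"user": "alice", "status": "active", "terminated_on": None},
    {"user": "bob", "status": "terminated", "terminated_on": "2017-05-01"},
    {"user": "carol", "status": "terminated", "terminated_on": "2017-05-20"},
    {"user": "dave", "status": "active", "terminated_on": None},
]

# Constructed snapshot of accounts as seen in the identity provider.
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True},
    {"user": "bob", "enabled": True},     # still enabled after termination
    {"user": "carol", "enabled": False},  # correctly disabled
    {"user": "dave", "enabled": True},
    {"user": "eve", "enabled": True},     # HR has no record: orphan account
]

# Constructed authentication log in an assumed "timestamp user result source" form.
AUTH_LOG = """\
2017-05-03T09:12:44Z bob SUCCESS vpn
2017-05-03T09:15:02Z alice SUCCESS sso
2017-05-21T22:01:10Z carol FAILURE sso
2017-05-25T04:30:00Z bob SUCCESS fileshare
2017-05-25T04:31:00Z eve SUCCESS sso
"""


def reconcile(roster, accounts, today):
    """Compare enabled IdP accounts against the HR roster.

    Returns (stale, orphans): stale is a list of (user, days_since_termination)
    for enabled accounts whose owner HR lists as terminated; orphans is a list
    of enabled accounts HR has no record of.
    """
    hr = {r["user"]: r for r in roster}
    stale, orphans = [], []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        rec = hr.get(acct["user"])
        if rec is None:
            orphans.append(acct["user"])
        elif rec["status"] == "terminated":
            term = date.fromisoformat(rec["terminated_on"])
            stale.append((acct["user"], (today - term).days))
    return stale, orphans


def overdue(stale, limit_days=7):
    """Stale accounts that have outlived the de-provisioning deadline."""
    return [(user, days) for user, days in stale if days > limit_days]


def post_termination_logins(roster, log_text):
    """Flag successful logins by terminated users after their termination date,
    and by users HR does not know at all. Each hit is (timestamp, user, source, reason)."""
    term_dates = {r["user"]: date.fromisoformat(r["terminated_on"])
                  for r in roster if r["status"] == "terminated"}
    known = {r["user"] for r in roster}
    hits = []
    for line in log_text.splitlines():
        ts, user, result, source = line.split()
        if result != "SUCCESS":
            continue  # failed attempts are not access; tune separately if wanted
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        if user in term_dates and when > term_dates[user]:
            hits.append((ts, user, source, "terminated"))
        elif user not in known:
            hits.append((ts, user, source, "unknown-to-HR"))
    return hits


if __name__ == "__main__":
    today = date(2017, 5, 26)  # constructed reference date for the sample data
    stale, orphans = reconcile(HR_ROSTER, IDP_ACCOUNTS, today)
    print("stale accounts:", stale)
    print("overdue (> 7 days):", overdue(stale))
    print("orphan accounts:", orphans)
    for hit in post_termination_logins(HR_ROSTER, AUTH_LOG):
        print("ALERT:", *hit)
```

Running the reconciliation on a schedule, with the HR export as its only authority, turns the article's "not confident we blocked everyone" problem into a list that is either empty or actionable; the log rule catches the cases where de-provisioning lagged and access actually happened.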

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...