With the spate of high-profile data breaches dominating news headlines recently, we are now all aware (hopefully) about the ever-growing threat of hackers.
But there is one security threat that companies still aren't as aware of: the ex-employee. According to a recent Centrify survey, around half of respondents admitted that it can take up to a week or more to remove access/passwords to sensitive data for someone no longer with the company.
That means there are, potentially, a lot of people walking around with the ability to seriously hurt and embarrass their former employers.
To talk more about the survey and the security threat of both current and ex employees, we spoke to Barry Scott, CTO EMEA at Centrify. The full interview can be found below.
- To start us off, give us a brief overview of Centrify's background.
Centrify helps companies secure their user identities from cyberthreats. The company recently launched its ‘State of the corporate perimeter’ survey of 200 IT decision makers in the UK and 200 in the US to find out whether organisations are as secure as they should be and whether identity and access to different levels of data are at the root of potential security beaches.
The survey showed that protecting identities is as the heart of protecting data.
- With security being such a hot topic at the moment, why are companies still taking up to a week to remove ex-employees' access to sensitive data?
It seems that data is vulnerable with ex-employees and contractors being given access to data after they leave. Around a third (32 per cent) of our respondents say it would be easy for a former employee to log in and access systems or data using their old password – this compares to over half in the US.
The issue seems to lie with offboarding or deprovisioning ex-employees and contractors once they’ve left the company. While around half (49 per cent) of respondents say this happens the day an employee leave, over half admit that it can take up to a week or more to remove access rights and passwords to sensitive data for former employees.
This is worrying as this should be as much a process for organisations as removing someone’s ID and access card to the building and should be done the moment they step outside.
- Should companies be placing more of an emphasis on insider threats or are we all becoming a bit paranoid?
Insider threats are a very real problem, especially if an employee that leaves a company has a grudge and feels like revenge. For those employees that might be looking for revenge, logging into accounts, accessing sensitive files and confidential corporate data is a very real possibility.
If employers do not ensure access is revoked when an employee leaves, the organisation is open to attack, embarrassment and potential reputational and financial damage.
With access to a social media account, such as Twitter, ex-employees have the potential to seriously harm a company’s reputation with customers, prospects, shareholders and the media. Companies need to know what their staff have access to in the first place and then put in the right processes to ensure provisioning and deprovisioning is simple, managed and controlled.
- How is the prominence of the cloud helping or hindering the issue?
The parameters – and the perimeters – have changed. The adoption of cloud applications, systems and servers means that traditional security boundaries designed to protect our identities and data have changed.
The ability to authenticate users into cloud-based and mobile environments remains the one central point of control, which is why identity is the new perimeter. Effective identity and access management (IAM) is critical in enabling data security without putting barriers in place to prevent employee productivity – one of the reasons for adopting cloud based applications in the first place.
- What steps can companies take to reduce the security risks from insider threats and ex-employees?
There are three main steps that companies can take, based on the findings of our survey.
- First is ‘stale access’ – former employees or contractors that still have access to systems and data. Companies need to keep on top of provisioning and deprovisioning. When someone joins a company, you give them an access card to get into the building and take it away when they leave. You need to do the same with their digital identity. Tidy up as people come and go from the organisation.
- Second is ‘privileged access’ – too many people have too many rights to too many things. You need to keep very tight control of privileged access, it’s the ‘keys to the kingdom’ and you’re letting people into the front door of your business. People should only have access to what they need for their job. If they move from that job to another role, they should not drag lots of privileges around with them; you take them away and give them new privileges for their new role.
- Third is inadequate monitoring to who is accessing data. Companies need to be monitoring access to data better.
- The rise of BYOD has made the containment of sensitive data even harder. What advice would you give to companies in this area?
In this era of BYOD, organisations are asking 'how do I get a handle on who has what access to what application?'. Using enterprise mobility management and identity and access management services, businesses and IT can easily manage cross-platform mobile users and devices.
Android and iOS include technologies that can be configured by enterprise mobility management solutions to ensure secure separation between work and personal life, and enterprise identities can be used to give one-click access to all of the enterprise applications you need for your job.