There are of course many aspects to managing data and cyber security in an organisation and one of the simplest and most often overlooked ones is that of identity and access management (IAM). Basically, IAM is controlling what, how and when users access an organisation’s resources.
Although many of the bigger organisations have dedicated IT and HR resources to manage IAM, with strictly-defined policies, this is not always the case, especially in smaller organisations with more limited resources. In such cases it’s often the job of one or two individuals whose core work is something more demanding and critical to the day-to-day running of the business, so they don’t get around to managing IAM and eventually find it overwhelming. In many cases, user access is assigned to a new employee and simply left as-is, even if that person eventually leaves the business, and this
presents some key vulnerabilities that can easily be exploited. Although IAM is important, it can take time and constant attention to manage, especially when there is a relatively high turnover of employees.
Removing ex-employees as users in an organisation is a practice that IT staff eventually do usually get around to doing but it’s not always considered a priority. All employees in a company pose a potential risk to the organisation’s security due to having access to important resources. This is known as an internal vulnerability and anyone can be fooled by a malicious email masquerading as a request for information or a quotation. Increasing user awareness, implementing security systems
and email filtering helps manage this but ex-employees can pose an even greater risk to security if their access post-employment isn’t managed properly. Depending on their time spent at the company, such individuals will have learnt something about the organisation’s operation and could use such knowledge to the detriment of the company or have someone else they may or may not know hack their account and do something malicious.
Apart from dealing with user access issues, most often it makes sense to re-direct an ex-employee’s e-mail account to another employee in the same department so that anyone corresponding with the ex-employee can be advised that they have left the company and assistance offered by the new recipient, in the interests of the company’s reputation and its dealings with new and existing customers. Alternatively, an auto-response message can be put on the e-mail account to say that the person has left, together with another person’s mail address copied in on the response, or given as an alternative contact person. Re-directing or putting an auto-response on an ex-employee’s e-mail account can be done for a limited period of several weeks or months and thereafter the e-mail account should ideally be deleted. One should also change the ex-employee’s account password for their e-mail as soon as they leave and ensure that the new password is very secure and not easily hacked.
The following are some of the more important items needing attention when a person leaves an organisation:
- Manage their e-mail account. Failing to do this could also result in the account being hacked and used for spam purposes which can bring the organisation into disrepute or even have it fined under new legislation currently being enacted. An e-mail account could also be used for phishing/spearphishing attacks on others, or to intentionally bring a remaining staff member/director/owner or the company into disrepute if it is still accessible.
- Remove workstation logins to prevent unauthorised remote access from outside the business.
- Delete access to company data resources such as CRM databases, accounting systems and any other data on servers or in the cloud.
- Remove network shares to help prevent ransomware attacks or the installation of malware.
- Check for possible software cloning and piracy left installed by ex-employees.
- Do vulnerability scans on the ex-employee’s computers and, if possible, the whole network
they had access to in order to check for any malware left by them either intentionally or
unintentionally.
What an ex-employee or someone else might do with their historic access in an organisation is usually unclear until the damage is done. And not all ex-employees are malicious or have criminal tendencies of course. The simple solution is to revoke all access and remove all their accounts as soon as the employee leaves.
A caveat to this may be certain accounts that need to be retained for the effective running of the business going forward, such as:
- Email archives – access to old business-related emails.
- Re-use of an account by a newly-appointed employee or other employee in the business.
- Access to user-specific systems or software – e.g. for accounting or banking purposes, although these are typically the most vulnerable assets and new profiles and users need to be created urgently and preferably switched over to the new person before the existing one leaves the company. This will also help with access to logging and auditing.
Managing cyber and information security is a process that needs constant updating to keep up with changes in technology. Managing user accounts is not only important, but an integral component to reducing internal and external threats. It only takes one compromised account to potentially bring a business to its knees, as has been proved on numerous occasions with real-world examples of just this type of scenario happening in recent years. It always makes the most sense to be proactive and implement best practices in an organisation, such as the Principle of Least Privilege (POLP).