Cyber security veterans will tell you that managing vulnerabilities is a process and that there are many aspects to consider when it comes to securing an organisation’s network and resources. One of these is Identity and Access Management (IAM), which involves controlling what, how and when users can access various core company resources.
For many organisations, the IT department together with HR manage this with strict policies, but that’s not always the case. In smaller businesses the task often falls to one or two people, which can be overwhelming, especially when it’s not their core job. In some cases, user access is assigned when a new employee starts and then just left as-is. IAM takes time and constant attention to manage properly, especially when employees exit the company often – for example, every few months.
Removing users
A key security consideration is that of removing users. This is a practice that many follow but is not always treated as a priority. Employees can pose a potential risk to any business’ security because they have access to its resources. This is known as an internal vulnerability. Anyone can be fooled by a malicious email masquerading as a request for information or a quotation; this risk can usually be reduced by increasing user awareness, implementing security systems and email filtering. Ex-employees, on the other hand, can pose an even greater security risk as the organisation no longer has much control over them. Depending on their time spent at the organisation, they may have learnt about some of its more confidential aspects, which puts it at risk from outsiders.
The most sensible procedure for dealing with ex-employees is to revoke any access they may have had as soon as they leave. The access to revoke includes the following, each with an example of the possible downside of not doing so:
- Workstation login: unauthorised remote access from outside the business
- Access to company data/information: theft of databases, clients, etc.
- Network shares: ransomware encryption or malware installation
- Email: spam and misuse
- Software: cloning and piracy
What the ex-employee may do with their unapproved access is unclear until damage is done. One thing can be said with confidence, though: money is an effective and powerful motivator – even when it comes from the wrong kinds of people. The simple answer is to revoke access and all accounts as soon as the employee leaves.
Some businesses may want to hold onto the account for reasons such as:
- Email archive – access to old business-related emails
- Reuse of the account for a new employee
- Access to user-specific systems or software – accounting or banking
These are all reasonable grounds for keeping a user account active, but there are downsides to each of them as well. For example, any person with these credentials could log into any number of systems within the business and wreak havoc, with no way to trace who the actual culprit was. To prevent this, a new user account should be created for each new user. This helps with access logging and auditing and is especially important for accounting, banking and any other business-critical resources.
Ex-employee email accounts should ideally be forwarded to another employee for a period after the ex-employee has left the business. At a minimum, an automated reply should be sent to anyone who emails the account, informing them that the person has left the organisation and providing the email address of an alternative contact.
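An added example, not part of the original article, of how a small business could audit the leaver process described above: it reconciles a constructed HR leavers list against a constructed export of user accounts and flags accounts that are still enabled, that show a login after the leaving date, or that were disabled without mail forwarding. Field names and the sample data are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    # One row from a (hypothetical) directory/identity-provider export
    username: str
    enabled: bool
    last_login: Optional[date]
    forward_to: Optional[str] = None  # mailbox forwarding target, if any

@dataclass(frozen=True)
class Leaver:
    # One row from a (hypothetical) HR leavers report
    username: str
    left_on: date

def audit_leavers(accounts: List[Account], leavers: List[Leaver]) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for ex-employees whose offboarding is incomplete."""
    by_name = {a.username: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_name.get(leaver.username)
        if acct is None:
            continue  # account already deleted: nothing left to revoke
        if acct.enabled:
            findings.append((leaver.username, "account still enabled after leaving"))
        if acct.last_login is not None and acct.last_login > leaver.left_on:
            findings.append((leaver.username, "login recorded after leaving date"))
        if not acct.enabled and acct.forward_to is None:
            findings.append((leaver.username, "disabled but mailbox not forwarded"))
    return findings

# Constructed sample data: jdoe left on 1 March but is still active and logged in
# afterwards; asmith was disabled and forwarded correctly; bwong was already deleted.
ACCOUNTS = [
    Account("jdoe", True, date(2024, 3, 4)),
    Account("asmith", False, date(2024, 2, 14), forward_to="manager@example.com"),
    Account("mlee", True, date(2024, 3, 5)),  # current employee, not a leaver
]
LEAVERS = [
    Leaver("jdoe", date(2024, 3, 1)),
    Leaver("asmith", date(2024, 2, 15)),
    Leaver("bwong", date(2024, 1, 10)),
]

if __name__ == "__main__":
    for user, issue in audit_leavers(ACCOUNTS, LEAVERS):
        print(f"{user}: {issue}")
```

Running this kind of reconciliation on a schedule turns the "revoke on departure" rule into something that is checked rather than assumed.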
Effective cyber security is critical to all organisations today and managing user accounts is an integral aspect of reducing internal and external security threats. It only takes one compromised account to potentially bring a business to its knees. One needs to be proactive and ideally implement best practices such as the Principle of Least Privilege (POLP).