15 Jun 2009, Phil Muncaster, V3
Many companies fail to protect sensitive data from embittered ex-employees by not properly and quickly terminating all access when someone leaves the company, according to a new study.
A survey by access management firm Courion found that, although the majority of IT managers reckon that terminated employees will not attempt to remotely access data, over half admitted to having no real idea of what access routes remain active after someone leaves the company.
"The fact that 53 per cent of IT managers are largely unaware of employee access rights is of great concern, and has been exacerbated by the high frequency of mergers and acquisitions in the current climate," said Stuart Hodkinson, general manager at Courion.
"The time for overconfidence has passed. It is important for IT managers to close these holes by undertaking regular audits, and ensuring that employees have access only to the information they need to do their jobs."
This proliferation of what Hodkinson calls "zombie accounts" is also aided by the fact that 28 per cent of respondents said that their company still provisions accounts manually, making delays and errors in deactivation much more likely.
The survey found that nearly half of businesses take more than a day to inform the IT department of a departing employee, and around a third admit that it takes more than a week to shut off access to systems.
Hodkinson sees this as a worrying window of opportunity for disgruntled employees to attack internal systems, or obtain valuable information that could cost the company a lot of money and tarnish its reputation.
The survey also revealed that nearly one in 10 companies could never be completely certain that terminated employees no longer have access to IT systems.