Organisations in the UK and the US are neglecting to deploy vigilant post-termination processes, allowing ex-employees continued access to systems and data after they have left their position, research from security software provider IS Decisions has revealed. Over a third (36%) of desk-based workers in the UK and the US are aware of having had access to a former employer’s systems or data after having left the organisation.
This finding, explored in IS Decisions’ new report ‘From Brutus to Snowden: a study of insider threat personas’, potentially highlights an even bigger problem, as an even greater number of ex-employees may still have access to data without even realising it.
The figure also differs wildly across age groups, with a much larger 58% of 16- to 24-year-olds and 48% of 25- to 34-year-olds stating awareness of having had continued access to a former employer’s systems or data. This continues to decrease for older age groups, averaging just 21% for those aged over 55, which could be attributed to younger age groups moving jobs more frequently, but does suggest that the issue is a growing one.
Acting on access
Of the 36% who were aware of their continued access, 9% actually chose to use it, meaning nearly one in 10 ex-employees access systems or data from their former employers. Once again, this tended to be higher for younger age groups, averaging 13% for all those aged 16 up to 34.
The worst industry sectors for allowing their ex-employees to continue to access systems are surprising, with HR and recruitment, IT, and arts and culture sharing joint top position at 46%. This suggests that those industries that should know better are in fact worse than the rest.
Marketing is the job role in which an ex-employee is most likely to have continued systems or data access, with a huge 68% of this sample stating this was the case. The next highest is potentially even more worrying, with 56% of those handling sensitive company data working in legal roles continuing to have access after leaving an employer.
François Amigorena, CEO of IS Decisions, said, “As the number of disparate systems and networks we use in our everyday working lives increases, it’s natural that access management is becoming a more difficult problem to address for organisations. Marketing departments apparently suffer from this worst of all; between email, social media, CRM systems and everything else there is a lot to cover.
“The fact is, though, that an ex-employee is more likely to have incentive than anyone to put this access to malicious use. Former employees are probably the greatest insider threat, yet they are the easiest to address; just make changing passwords and deactivating accounts a part of the termination process. Yet businesses are failing to do this, and worse still, businesses in the industries where you would most expect this to be standard procedure, IT and HR, are failing even more than the rest.”