When employees are terminated or move on to new roles, they're often taking access to corporate data with them. For some companies, this access leads to a data breach.
Researchers at identity management firm OneLogin polled 500 IT decision makers to learn about how they provision and deprovision, or terminate, staff login information in-house. Results indicate most aren't doing enough to protect against the threat of ex-employees.
Twenty percent of respondents report their failure to deprovision employees from corporate applications has contributed to a data breach at their organization. Of those, 47% say more than 10% of all data breaches have been the result of ex-employees.
Nearly half of respondents are aware of former employees who can still access enterprise applications following their departure. Half of ex-employees' accounts remain active for longer than a day after they leave. One-quarter of respondents take longer than one week to deprovision former employees, and one-quarter don't know how long accounts remain active after workers leave.
"The value of the data at risk is higher than ever," says Tom Thomassen, senior staff engineer of security at MarkLogic. In the early stages of the cloud, businesses first moved less critical information to data lakes and cloud environments; as they began to trust the cloud, they moved larger amounts of mission-critical data to centralized data environments.
"The net result is data breaches that are much more devastating than in the past and unfortunately, more frequent," he adds.
The threat of ex-employees has grown as companies adopt third-party apps for various processes, says OneLogin CISO Alvaro Hoyos. Up until the 2000s, people would have a few applications installed on their desktops -- spreadsheets, processors, general ledgers. Then they began to transition to cloud services.
"Over time, a lot of companies have been migrating their internal applications, used to run their own businesses, to the cloud."
Instead of using homegrown systems, businesses will turn to the growing number of vendors creating different tools for specific needs. Cloud providers specialize in systems for commission, ledgers, marketing, purchasing, paying invoices, doing expenses. As the surface area expands, companies have to deprovision 20- to 30 applications per worker instead of the usual four or five.
"There's this proliferation of applications," Hoyos continues. "Because of that, the risk has increased exponentially."
Each ex-employee presents a different threat depending on their role and access level. A former salesperson, for example, could use old credentials to get valuable information like sales forecasts, contacts, and lists of prospects to give to competitors. They may not have access to their corporate office or email, but to a Dropbox or Box account where information is stored.
Similarly, operations employees have access to more applications, including custom applications and internally created applications. An engineer could create an unauthorized system, or copies of a system, in the cloud without other employees' knowledge.
Operations employees were the hardest to deprovision, reported 26% of respondents, followed by engineering and sales (20%), HR (18%), finance and customer support (16%), and marketing (13%).
The amount of time it takes to deprovision an employee depends on how many applications they used and how long they've been gone from the business, says Hoyos. Terminating someone can take minutes or hours, depending on the application. Admins also have to think about how different tools integrate with one another.
"There are several ways to mitigate, prevent, and protect against insider threats," says Thomassen. Generally these techniques fall into three categories: access control, monitoring, and detection.
With respect to access control, it's best to use industry standards for authentication like LDAP, PKI, Kerberos, two-factor authentication, implemented at the organization level, or ensure accurate identification. Databases are set up to do this, he says, and some provide more granular authorization than others.
Monitoring data to see how it's updated and accessed is tough, he says. Most tools for this attempt to gather enormous amounts of information from around the network related to server activity, user logins, and network access so they can detect possible breaches and unauthorized access.
"This is very difficult and this is one reason why there are so many data breaches today," Thomassen adds.
Businesses are still grappling with how to tackle the insider threat. Sixteen percent of respondents in the Dark Reading Strategic Security Survey said preventing data theft by employees was one of their greatest IT security challenges.
Verizon's Data Breach Investigations Report found in 60% of cases involving insider and privilege misuse, insiders leave with data in the hope of converting it into cash. Sometimes it's unsanctioned snooping (17%) or taking data to a new employer to start a rival company.