Does your company have a policy for revoking passwords when an employee leaves the business? If not, you could be facing a problem in terms of IT security, financial loss and, depending on which country you are in, even breaking business regulations.
A recent survey reported on the IT Pro website, titled ‘36% of ex-employees are breaking the computer misuse act’, quotes figures that will come as a surprise to the directors and risk-management teams of corporations.
According to research for German IT security specialists Protected Networks, almost half (49%) of IT workers admitted that they still had access to a former employer’s IT resources. Of those, 75% admitted they continue to access those resources, even a year after leaving the company.
Was the Sony hack caused by an ex-employee?
The FBI still puts the blame for the infamous Sony hack on the North Korean government. But one source points to an inside job from an employee who had lost her job.
The UK Daily Mail published an article titled ‘Crippling Sony hack was the work of a disgruntled former employee named ‘Lena’ who was laid off.’
According to the Daily Mail, Silicon Valley company Norse – who provide Real-Time visibility into global cyber attacks – suggested that a mysterious ‘Lena’ and other ex-employees with a shared dislike of Sony had enabled the attack.
As a result of the attack, Sony reported $35 million in IT repairs, and figures of around $100 million circulated as the total cost of the hack.
Minneapolis state auditor finds ex-employee could control the payroll system.
Website Minnesota Public Radio published a report titled: ‘Ex-employees’ computer access leaves Minneapolis open to breach.’
According to an investigation by state auditors, one payroll supervisor kept her access rights to the web-enabled personnel database for months after leaving her job, and three other ex-employees retained access to the state’s central bookkeeping system.
That’s just one example from what must be millions of organisations around the world who have ex-employees accessing sensitive and commercially valuable data.
What is the legal implication of ex-employee hacks?
There are legal implications of ex-employees having access to IT resources, both for the employee and the employers.
In the UK, for example, the IT Pro report quoted lawyer Mark Taylor of law firm Osborne Clarke as saying: “If someone accesses their former employer’s system with the knowledge or help of their new employer, that could give rise to liability for the new employer under the CMA.” The CMA is the Computer Misuse Act of 1990.
In the US, the Human Resources section of About.com wrote an article titled: ‘Employee Termination from an IT Perspective’.
The article highlighted that for employers the issue is significant too. In America, firms who allow ex-employees to access resources could fail to meet the Sarbanes-Oxley requirement. Sarbanes-Oxley is also known as the ‘Public Company Accounting Reform and Investor Protection Act’ in the US.
Different countries will have different legislation, but the common denominator is that all companies have a duty of care to their shareholders and employees.
Does your company have a policy for departing employees and IT access?
If your company doesn’t have a policy for managing the IT access of departing employees, then maybe it’s time for your HR and IT teams to get together.
Of course the vast majority of ex-employees would not abuse privileged access to IT systems, but if the suggested ‘Lena’ of Sony (whether she is real or not) could inflict $100m of damage … it’s not worth taking the risk.
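The practical core of such a policy is a routine reconciliation: HR’s record of who has left is compared against the accounts that are still enabled and against the authentication logs, so that cases like the payroll supervisor above are caught in days rather than months. The script below is an added example written for this article, not code from any product or organisation mentioned in it; the HR export, directory export and log lines are constructed for illustration, and the field names (employee_id, enabled, groups, left_on) are assumptions rather than any real system’s schema. It flags two things: accounts that remain enabled past the leaver’s last day (plus an optional grace period), and successful logins that occurred after that day.

```python
"""Offboarding audit: reconcile HR termination records against directory
account state and authentication logs, flagging access that outlived
employment.

Added example. All data below is constructed for illustration and the
field names are assumptions, not the schema of any real HR or directory
system.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR export: who left, and their last day.
HR_TERMINATIONS = [
    {"employee_id": "e1001", "name": "A. Payroll", "left_on": "2014-11-03"},
    {"employee_id": "e1002", "name": "B. Finance", "left_on": "2015-01-15"},
    {"employee_id": "e1003", "name": "C. Intern",  "left_on": "2015-02-28"},
]

# Constructed directory export: one account per employee.
DIRECTORY_ACCOUNTS = [
    {"employee_id": "e1001", "username": "apayroll", "enabled": True,  "groups": ["payroll-admins"]},
    {"employee_id": "e1002", "username": "bfinance", "enabled": False, "groups": ["ledger-rw"]},
    {"employee_id": "e1003", "username": "cintern",  "enabled": True,  "groups": []},
    {"employee_id": "e2000", "username": "dcurrent", "enabled": True,  "groups": ["payroll-admins"]},
]

# Constructed authentication log: "<ISO timestamp> <user> <result> <resource>"
AUTH_LOG = """\
2014-10-30T09:12:00 apayroll SUCCESS hr-portal
2015-01-10T17:45:00 apayroll SUCCESS hr-portal
2015-03-02T08:01:00 bfinance FAILURE ledger
2015-03-04T22:15:00 cintern SUCCESS vpn
2015-03-04T22:16:00 dcurrent SUCCESS hr-portal
"""


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str      # "account_still_enabled" or "login_after_departure"
    detail: str


def parse_auth_log(text):
    """Turn the constructed log format into (timestamp, user, result, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, result, resource))
    return events


def audit_offboarding(terminations, accounts, log_text, as_of, grace_days=0):
    """Return Findings for leavers whose access outlived their employment.

    as_of: ISO date string for the audit date (kept explicit so runs are reproducible).
    grace_days: days after the last day during which an enabled account is tolerated.
    """
    audit_date = date.fromisoformat(as_of)
    left_on = {t["employee_id"]: date.fromisoformat(t["left_on"]) for t in terminations}
    by_user = {a["username"]: a for a in accounts}
    findings = []

    # 1. Accounts that should have been disabled by now.
    for acct in accounts:
        emp = acct["employee_id"]
        if emp in left_on and acct["enabled"]:
            if audit_date > left_on[emp] + timedelta(days=grace_days):
                findings.append(Finding(acct["username"], "account_still_enabled",
                                        f"left {left_on[emp]}, groups={acct['groups']}"))

    # 2. Successful authentications dated after the leaver's last day.
    for ts, user, result, resource in parse_auth_log(log_text):
        acct = by_user.get(user)
        if acct is None or acct["employee_id"] not in left_on:
            continue
        if result == "SUCCESS" and ts.date() > left_on[acct["employee_id"]]:
            findings.append(Finding(user, "login_after_departure",
                                    f"{ts.isoformat()} to {resource}"))
    return findings


if __name__ == "__main__":
    for f in audit_offboarding(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, AUTH_LOG, as_of="2015-03-05"):
        print(f"{f.kind:24} {f.username:10} {f.detail}")
```

Run against the constructed data, the audit reports both leavers whose accounts are still enabled and the two logins that happened after their last day; the disabled finance account produces nothing, and a failed login is ignored because it shows no access was actually obtained. In a real deployment the three inputs would come from the HR system, the directory and the central log store, and the group membership in the detail field is what lets the team prioritise a payroll-admin account over an empty one.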
Using Elastic Detector to check for ex-employee IT vulnerabilities.
Elastic Detector – which carries out over 50,000 daily checks for a wide range of IT network vulnerabilities – has a ‘delta’ feature which can highlight vulnerabilities associated with an ex-employee. The IT security team simply performs a network scan with and without the credentials of an ex-employee and compares the two network vulnerability profiles; any difference is what that ex-employee’s credentials still expose.
Elastic Detector works in background mode, so it has no effect on network performance. Importantly, Elastic Detector can also be set to look for vulnerabilities in virtual clones of dormant servers, so any ‘sleeping’ malware can be harmlessly identified without actually activating it.
If you have any views on the risk of ex-employees and IT access, please leave your comments below.