A recent survey conducted by Beyond Identity revealed that one in four workers admit to still having access to accounts from past jobs. IS Decisions research puts the figure at one in three, and HR News reports 47%. Whether it is 25% or closer to 50%, it is very likely that in almost every organization some former employees can still reach corporate accounts, data storage, or data on mobile devices. The term offboarding refers to the processes a company performs when an employee leaves. Some tasks are obvious: ensuring the return of access cards and equipment, and removing access rights to the corporate network. There is the transition of duties and, assuming notice of departure has been given, the transfer of knowledge. For most companies, that is the full extent of offboarding as a business process. Whether an employee exits by choice or by company decision, current offboarding practice has become outdated and insufficient, and here is why.
Single sign-on and the cloud
Single sign-on allows a user to sign on to a network with one set of credentials and access multiple applications. Believe it or not, in the olden days we had to sign in to every single application, and in many cases the credential rules varied dramatically. Most of us either wrote down our usernames and passwords and kept that paper close at hand, or eventually forgot how to log in, usually right before a crucial deadline.
While single sign-on rescued us from forgotten passwords, long waits for the help desk, and missed deadlines, it also created a bit of a hairball on the password super-highway. The problem is that although it rescued us from password hell, it does not prevent users from signing on to applications directly. Direct access is often left enabled so that, in the event of a network or identity-provider outage, critical applications remain reachable via the web. An account disabled in the single sign-on directory is therefore not the same as an account disabled everywhere: a local password or API key that an application keeps on its own side keeps working until someone removes it there. The challenge is that it takes a mature business process, along with strong diligence, to maintain the list of who has direct access to what.
Unsanctioned applications – Part 1
The issue of employees installing or building applications that are not part of the corporate standard is one we have been battling for many years. With the recent move toward applications delivered as a service in the cloud, the use of unsanctioned applications has increased. When we subscribe to an application as a service, we must adhere to the processes dictated by the service provider, and those processes do not always align easily with what we want to do. The answer? Use a different application as a workaround for that one purpose. The correct answer would have been to update the business process to align with an industry-standard best practice, but we are all easily led to believe that our process is special and that we simply cannot live without it.
Unsanctioned applications – Part 2
Bring-your-own-device (BYOD) was a cost-saving measure adopted by organizations so they could reach employees on mobile devices without dedicating the resources required to supply, monitor, and maintain those devices. Instead, employees receive a token reimbursement each month to help cover their out-of-pocket expenses, and they are then free to download and use whatever applications suit them. When these unsanctioned apps are used for work purposes, they hold work-related data that the enterprise has no awareness of, and therefore cannot account for when the employee leaves.
The COVID-19 pandemic
In his recent article published in welivesecurity, Phil Muncaster points out that the COVID-19 pandemic has created the perfect conditions for insider risk. On top of that, as IT departments scrambled to enable employees to be productive remotely, many were overwhelmed. Given that offboarding is not yet an automated or centralized process, there is an increased risk that employees who were exited during this time still have access to corporate systems. If ever there was a time to audit system access, this would be it.
Large-capacity USB sticks
Large-capacity USB sticks have made it wonderfully quick and easy to back up personal data. The downside is that they have made it just as quick and easy to back up corporate data. This is not necessarily done with malice; there are legitimate reasons why it may be necessary to copy corporate information. The issue is that USB sticks are small, easy to lose, and easily forgotten. Former employees may hold data from previous employers without even being aware of it. Under most circumstances that seems low risk, but it is only low risk until the stick falls into the wrong hands.
Cameras on cell phones
It is so handy to snap a picture of the whiteboard during a strategic planning session, or of an architectural diagram while working out the interfaces that need to be built as part of a cloud migration project. But how many of us clean up our photos on a regular basis? How many organizations monitor photos on a BYOD device? How many organizations require an audit of BYOD devices upon exit?
Anchor tenant apps
Anchor tenant apps are add-on applications that third-party providers offer to users of a cloud service. While the cloud service itself is sanctioned by the organization, the anchor tenant apps are not. Users can connect these add-ons without the organization's knowledge and use them to share data out of the sanctioned application. Like most cloud applications, the anchor tenant app can be accessed directly via the web, outside the organization's sign-on. When employees exit, the organization may be completely unaware that data has been copied, or which add-ons the departing user had connected. What visibility administrators get into these add-ons, and whether they can be restricted or revoked, is an important consideration when in contract negotiations with a cloud service provider.
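The three gaps above (direct, non-SSO logins to applications; accounts that survived a rushed exit; third-party add-on grants attached to a sanctioned cloud service) can all be found with the same reconciliation: take the identity provider's list of disabled users and check it against every other place an account or grant can live. The script below is an added example, not code from the original article or from any vendor. The exports it reads are constructed inline, and their field names (`status`, `disabled_on`, `enabled`, `last_login`, `scopes`) are assumptions about what an IdP and a SaaS admin console export, not any product's real schema. It also distinguishes an orphaned account that merely exists from one that was actually used after the departure date, which is the finding that turns "still has access" into "has been using it".

```python
"""Reconcile an identity-provider (SSO) export against application-local
accounts and third-party add-on grants to find access that survived offboarding.

Added example. All data is constructed; field names are assumptions about what
an IdP and a SaaS admin console export, not any vendor's real schema.
"""
from datetime import date

# Constructed IdP export. An offboarded user is 'disabled' with a disable date.
IDP_USERS = [
    {"email": "a.rivera@example.com", "status": "active",   "disabled_on": None},
    {"email": "b.chen@example.com",   "status": "disabled", "disabled_on": "2020-04-17"},
    {"email": "c.okafor@example.com", "status": "disabled", "disabled_on": "2020-03-30"},
    {"email": "d.singh@example.com",  "status": "active",   "disabled_on": None},
]

# Constructed export of local (non-SSO) accounts from apps that allow direct web login.
# Note the mixed-case login: comparisons below are case-insensitive on purpose.
APP_LOCAL_ACCOUNTS = [
    {"app": "crm",     "login": "B.Chen@example.com",   "enabled": True,  "last_login": "2020-05-02"},
    {"app": "crm",     "login": "a.rivera@example.com", "enabled": True,  "last_login": "2020-06-01"},
    {"app": "payroll", "login": "c.okafor@example.com", "enabled": False, "last_login": "2020-03-12"},
    {"app": "wiki",    "login": "c.okafor@example.com", "enabled": True,  "last_login": "2020-02-20"},
]

# Constructed list of third-party add-on grants attached to the sanctioned cloud suite.
THIRD_PARTY_GRANTS = [
    {"user": "b.chen@example.com",  "app": "Slide Sync add-on", "scopes": ["files.read", "files.share"]},
    {"user": "d.singh@example.com", "app": "Calendar Bot",      "scopes": ["calendar.read"]},
]


def offboarded(idp_users):
    """Map lower-cased email -> disable date for every disabled IdP user."""
    return {
        u["email"].lower(): date.fromisoformat(u["disabled_on"])
        for u in idp_users
        if u["status"] == "disabled" and u["disabled_on"]
    }


def orphaned_local_accounts(idp_users, local_accounts):
    """Enabled app-local accounts whose owner is disabled in the IdP.

    Each finding records whether the account was used after the disable date,
    which is the difference between 'still exists' and 'was used to bypass SSO'.
    """
    gone = offboarded(idp_users)
    findings = []
    for acct in local_accounts:
        login = acct["login"].lower()
        if not acct["enabled"] or login not in gone:
            continue
        last_login = date.fromisoformat(acct["last_login"])
        findings.append({
            "app": acct["app"],
            "login": login,
            "used_after_departure": last_login > gone[login],
        })
    return findings


def orphaned_grants(idp_users, grants):
    """Third-party add-on grants still held by users who are disabled in the IdP.

    These do not pass through the SSO login page, so they have to be reviewed
    and revoked in the cloud service's own admin console.
    """
    gone = offboarded(idp_users)
    return [g for g in grants if g["user"].lower() in gone]


if __name__ == "__main__":
    for f in orphaned_local_accounts(IDP_USERS, APP_LOCAL_ACCOUNTS):
        flag = "USED AFTER DEPARTURE" if f["used_after_departure"] else "dormant"
        print(f"[local account] {f['app']}: {f['login']} ({flag})")
    for g in orphaned_grants(IDP_USERS, THIRD_PARTY_GRANTS):
        print(f"[add-on grant] {g['user']} -> {g['app']} scopes={','.join(g['scopes'])}")
```

Run against the constructed data, the script reports the CRM account for b.chen as used after departure, the wiki account for c.okafor as dormant but still enabled, and one add-on grant that still belongs to b.chen; the disabled payroll account and the active users are correctly ignored. In practice the two export lists are the hard part: every application that allows direct login, and every cloud service that allows add-ons, has to be in the inventory before this check means anything.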
It’s easy to be complacent. While there are many times in life when history is a good predictor of future behavior, this is not one of them. Just because there has not yet been an occurrence of data misuse by a former employee, it does not mean that it will never happen. Today, more than ever, our complacency is a window into a rather large gap in our security strategy, and this one will take some time to close. Offboarding is about more than ensuring the return of equipment and disabling network access. It’s about rewriting corporate policies. It’s about building a practice around direct access to systems that live in the cloud, and locking down the use of that access. It’s about confronting our unquestioning acceptance of the overuse of mobile devices. And it’s about learning that contract negotiations are about more than legalese.