Unauthorized access to corporate networks and resources by ex-employees is a documented issue, but an emerging, endemic insider-threat problem is coming into focus: new research has revealed that one out of three companies in the US and UK is neglecting to deploy vigilant post-termination processes, allowing ex-employees continued access to systems and data after they have left their positions.
The report from IS Decisions also showed that more than a third (36%) of desk-based workers in the UK and US are aware of having continued access to a former employer’s systems or data, with nearly one in 10 actually accessing it.
Awareness of the access differs widely across age groups, the report shows, with a much higher 58% of 16- to 24-year-olds and 48% of 25- to 34-year-olds stating awareness of having had continued access to a former employer’s systems or data. The figure continues to decrease for older age groups, averaging just 21% for those aged over 55. This could be attributed to younger age groups moving jobs more frequently, but the results do suggest that the issue is a growing one.
Of the 36% that were aware of their continued access, 9% actually chose to use it. Once again, this tended to be higher for younger age groups, averaging 13% for all those aged 16 to 34.
The worst industry sectors for allowing ex-employees continued access to systems are surprising, with HR/recruitment and IT sharing the top spot as the worst offenders. Arts and culture came in second, at 46%.
Also, the most likely job role for an ex-employee with continued systems or data access is marketing, with a huge 68% of the study sample. The next highest is potentially even more worrying, with 56% of those working in legal roles continuing to have access after leaving an employer, all the while potentially handling sensitive company data.
“As the number of disparate systems and networks we use in our everyday working lives increases, it’s natural that access management is becoming a more difficult problem to address for organizations,” said François Amigorena, CEO of IS Decisions, in a statement. “Marketing departments apparently suffer from this worst of all; between email, social media, CRM systems and everything else there is a lot to cover.”
He added, “The fact is though, that an ex-employee is more likely to have incentive than anyone to put this access to malicious use. Former employees are probably the greatest insider threat, yet they are the easiest to address; just make changing passwords and deactivating accounts a part of the termination process. Yet businesses are failing to do this, and worse still businesses in the industries you would most expect this to be standard procedure, IT and HR, are failing even more than the rest.”