News Feature | October 22, 2014

HIT Execs Need To Be Wary of Former Employees

By Christine Kern, contributing writer

A report reveals former employees often retain crucial access information that can allow rogue access.

Ex-employees frequently retain some degree of access to corporate information, according to a new report created by Osterman Research for business applications cloud-hosting vendor Intermedia. The study found 89 percent of former employees retained at least one working login and password for services such as Salesforce, PayPal, SharePoint, Facebook, Basecamp, Shopify, Desk.com, Office 365, Google Apps, MailChimp, and WordPress, among other corporate applications.

Among other findings, the study revealed 45 percent said they could still access "confidential" or "highly confidential" data, 49 percent admitted they had actually logged into ex-employer accounts after leaving the company, and 68 percent admitted to storing work files in personal cloud storage services.

The survey of 379 participants was conducted in August 2014 with each respondent having left a company within the past six months. Twenty-four percent of those surveyed still had access to a PayPal account used in their previous employment, while 21 percent still had corporate Facebook access and 18 percent had access to a professional LinkedIn account.

According to the report, 60 percent of respondents were not required to hand over their cloud or other logins during the exit interview.

“It’s not surprising that cloud apps are falling through the cracks during the employee off-boarding process,” according to the report. “In many companies, the responsibility for provisioning apps falls to different departments. Email is provided by IT, payroll apps are provisioned by HR, and line-of-business apps are provisioned by department managers. With this approach, there is no clear responsibility for decommissioning and deprovisioning. The result: rampant rogue access.”

The risks of rogue access include stolen secrets, lost data, regulatory noncompliance, problems conducting e-discovery, and sabotage and hacking, and the threat is not limited to a disgruntled former employee. Credentials and data held outside the corporate environment also expose the company to third parties: if an ex-employee's device is stolen with the passwords to your systems stored on it in plain text, whoever has the device has your accounts.

In regulated industries such as finance or healthcare, the report asserts, extra compliance measures must be taken to protect against data breaches. The report provides a list of suggestions to better control access to corporate data and accounts:

  • Eliminate access to outside email/internet.
  • Restrict access to certain sites/app (like Facebook) to read-only.
  • Only allow access to company-approved sites.
  • Require employees to use desktop machines or dummy terminals.
  • Do not allow employees to take laptops or work computers home.
  • Remove the ability for employees to utilize their USB or external hard drives to save data from their computers.
  • Implement an approval process for all outbound mail.
  • Only allow work email and information to be accessed on company-issued mobile devices.

The study also includes a "checklist" to work through during the exit interview to ensure that all access to sensitive data has been closed off. Its actions include collecting company equipment and access items; instructing the former employee to remove company data from personal devices and services and having them acknowledge in writing that this has been done; securely wiping the employee's computer and retaining custody of all equipment; and disabling the employee's accounts on external web apps.
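The fragmented provisioning the report describes (email from IT, payroll from HR, line-of-business apps from department managers) means no single system knows which accounts a departing employee held, so the checklist's last step, disabling accounts on external web apps, needs a reconciliation step to back it up. The following script is an added example, not code from the report or from Intermedia: it compares an HR list of leavers against per-application user exports and flags two things the exit interview alone will miss, per-user accounts still active after the last day, and shared logins (a corporate PayPal or Facebook password known to several people) that cannot be disabled per person and must be rotated instead. The CSV layouts, the example.com addresses, the app names as dictionary keys and the reference date are all assumptions made for the example; real exports come from each application's admin console or API and need a small adapter each.

```python
"""
Offboarding reconciliation (added example, not part of the Osterman/Intermedia report).

Compares an HR list of departed employees with per-application user exports and
a register of shared credentials, and reports:
  - "disable": per-user accounts still active after the person's last day
  - "rotate":  shared logins known to at least one leaver
All data below is constructed for the example.
"""
import csv
import io
import json
from datetime import date

# Constructed HR export of people who have left, with their last working day.
HR_LEAVERS_CSV = """\
email,name,last_day
j.doe@example.com,Jane Doe,2014-08-15
r.roe@example.com,Richard Roe,2014-09-01
"""

# Constructed per-application user exports. Column names are assumed; each real
# app's export or API will differ, so one adapter per app replaces load_app_users.
APP_EXPORTS = {
    "salesforce": """\
username,active
J.Doe@example.com ,true
a.smith@example.com,true
""",
    "sharepoint": """\
username,active
r.roe@example.com,true
j.doe@example.com,false
a.smith@example.com,true
""",
}

# Constructed register of shared logins: one password known to several people.
# These cannot be "disabled" for one leaver; the password has to be changed.
SHARED_CREDENTIALS = {
    "paypal:payments@example.com": {"j.doe@example.com", "a.smith@example.com"},
    "facebook:corporate-page": {"a.smith@example.com"},
}


def load_leavers(text):
    """email -> last_day (date), with addresses normalised for matching."""
    return {
        row["email"].strip().lower(): date.fromisoformat(row["last_day"].strip())
        for row in csv.DictReader(io.StringIO(text))
    }


def load_app_users(text):
    """Set of normalised usernames whose account is still active in the app."""
    return {
        row["username"].strip().lower()
        for row in csv.DictReader(io.StringIO(text))
        if row["active"].strip().lower() == "true"
    }


def find_orphaned_accounts(leavers, app_exports, as_of):
    """app -> {leaver email: days the account stayed active past the last day}."""
    orphans = {}
    for app, text in app_exports.items():
        still_active = load_app_users(text) & set(leavers)
        if still_active:
            orphans[app] = {
                email: (as_of - leavers[email]).days for email in sorted(still_active)
            }
    return orphans


def find_credentials_to_rotate(leavers, shared):
    """Shared logins whose holder list includes any leaver; these need rotation."""
    return sorted(cred for cred, holders in shared.items() if holders & set(leavers))


def offboarding_report(leavers_csv=HR_LEAVERS_CSV, app_exports=APP_EXPORTS,
                       shared=SHARED_CREDENTIALS, as_of=date(2014, 10, 22)):
    """Run the reconciliation; as_of defaults to the article date for a fixed result."""
    leavers = load_leavers(leavers_csv)
    return {
        "disable": find_orphaned_accounts(leavers, app_exports, as_of),
        "rotate": find_credentials_to_rotate(leavers, shared),
    }


if __name__ == "__main__":
    print(json.dumps(offboarding_report(), indent=2))
```

Run as-is, the report shows Jane Doe still active in Salesforce 68 days after leaving, Richard Roe still active in SharePoint 51 days after leaving, and the shared PayPal login flagged for rotation; Jane's SharePoint account is correctly ignored because it was already disabled. Scheduling this against fresh exports (daily, or at least on every HR termination) is what turns the exit-interview checklist into a control that catches the apps no department remembered to own.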