Two men in Indiana, US, are facing up to five years in prison and a fine of a quarter of a million dollars after they were allegedly caught using old passwords to gain access to their former employer’s network even though they were no longer employed there.

Federal authorities said the two men had left their jobs in 2004 and early 2005 but were still able to connect to their former employer’s network in 2006 by using their old passwords. The pair are being charged with computer intrusion and with gaining access to proprietary information.

There is little doubt that such an incident would never have occurred had the company in question followed security best practice for the resignation or termination of its employees, or at the very least made sure that passwords expire after a set period of time.

Security experts point out that the period between the day an employee hands in his or her letter of resignation and the day the employee actually leaves the company is critical, and immediate action is advised.

A company’s security team needs to take a number of important steps, especially if the departing employee is a member of the security team or has access to critical systems or confidential information. All security arrangements must be changed to exclude the ex-employee from the building and from information systems, thereby reducing the risk of data leakage or attempts to cause damage to the network.

These can be summarized as follows:

  • Remove the person’s name from all security posts and email distribution groups.
  • Inform key personnel, especially those responsible for the physical security of the organization, that the individual is leaving the company and when.
  • Retrieve any keys, key codes, access cards or other access items; close and disable the employee’s user and email accounts. Change administrator passwords if the employee is aware of them.
  • Remove or change all passwords the employee may hold for secured systems, be they servers, workstations, databases, VPN access codes, etc.
  • Inform other staff members, including external parties, that the employee is no longer employed. This is critical for high-level employees.
  • Ensure that the employee is not the only person who knows the passwords to critical systems (i.e. he or she is not a single point of failure who can hold the organization to ransom).
  • Monitor all systems accessed by the employee from the day of resignation to ensure that no data is copied from the network. Provide temporary access until the employee’s last day, then disable those accounts and permissions.
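The last two steps, disabling accounts on the last day and watching for use of old credentials afterwards, are the ones that failed in the case above. The following is an added example, not code from the original post: it takes a constructed HR roster of leaving dates, a constructed list of still-enabled accounts and a few constructed syslog-style login records, and reports accounts that should already be disabled and successful logins that happened after the owner’s last day. The roster, account list and log format are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster (hypothetical): username -> last working day; None = still employed.
ROSTER = {"alice": None, "bob": date(2005, 2, 28), "carol": date(2004, 11, 15)}

# Constructed directory export of accounts that are still enabled.
ENABLED_ACCOUNTS = {"alice", "bob", "carol", "svc-backup"}

# Constructed syslog-style authentication records (not real data).
AUTH_LOG = """\
2006-03-01T08:12:44Z vpn01 auth: user=alice result=success src=10.0.5.12
2006-03-01T22:41:03Z vpn01 auth: user=bob result=success src=203.0.113.7
2006-03-02T01:05:19Z fileserver auth: user=carol result=failure src=203.0.113.7
2006-03-02T01:05:31Z fileserver auth: user=carol result=success src=203.0.113.7
"""

@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    when: datetime
    days_after_exit: int

def parse_line(line):
    """Split '<ts> <host> auth: k=v k=v ...' into (timestamp, host, fields)."""
    ts, host, _tag, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, kv

def stale_accounts(enabled, roster, today):
    """Accounts still enabled although their owner's last day has passed."""
    return sorted(u for u in enabled
                  if roster.get(u) is not None and roster[u] < today)

def post_exit_logins(log_text, roster):
    """Successful logins by accounts whose owner had already left."""
    findings = []
    for line in log_text.splitlines():
        when, host, kv = parse_line(line)
        exit_day = roster.get(kv["user"])
        if exit_day is None or kv["result"] != "success":
            continue  # current staff or a failed attempt: not a post-exit login
        if when.date() > exit_day:
            days = (when.date() - exit_day).days
            findings.append(Finding(kv["user"], host, when, days))
    return findings
```

Accounts with no roster entry (service accounts such as svc-backup here) are not flagged; in practice they need an owner of their own so the same check applies to them.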

Although most employees leaving the company will not have any malicious intentions, those who are disgruntled or leaving to join a competitor may be tempted to steal information or equipment.

Taking appropriate and immediate action when an employee resigns or is terminated will ensure that security is not compromised. Cases like the one above may be rare, but no organization should take the risk.