
When employees bite back – Security in organizations

on November 9, 2009

Two men in Indiana, US, are facing up to five years in prison and a quarter-of-a-million-dollar fine after they were allegedly caught using their old passwords to get into their former employer's network long after they had stopped working there.

According to federal authorities, the two men left their jobs in 2004 and early 2005 but were still able to connect to the company's network in 2006 using those old passwords. They have been charged with unauthorized intrusion and with obtaining proprietary information.

An incident like this should never have happened had the company followed security best practice for resignation or termination of employment, or even simply enforced password expiry. Credentials that still work more than a year after their owner has left point to a failure of both the offboarding process and the password policy.

Security experts point out that the period between the day an employee hands in his or her notice and the day that employee actually leaves is critical, and that action should be taken immediately rather than on the last day.

A company's security team has a set of steps to work through, particularly if the departing employee is a member of the security team or has access to critical systems or confidential information. Every security arrangement that includes the ex-employee, from building access to information systems, must be changed to exclude him or her, reducing the risk of data leakage or attempts to damage the network.

These can be summarized as follows:

  • Remove the person's name from all security posts, on-call rotas and email distribution groups.
  • Inform key personnel, especially those responsible for the physical security of the organization, that the individual is leaving and when.
  • Retrieve access cards, key codes, keys and any other physical access items; close and disable the employee's user and email accounts. Change any administrator passwords the employee knows.
  • Remove or change every password the employee may hold for secured systems, whether servers, workstations, databases, VPN credentials, etc.
  • Inform other staff and relevant external parties that the employee no longer works for the company. This is critical for high-level employees.
  • Ensure that the employee is never the only person who knows the passwords to critical systems, so that he or she is not a single point of failure and cannot hold the organization to ransom.
  • Monitor all systems the employee has access to from the day of resignation to ensure that no data is copied off the network. Provide temporary access until the employee's last day, then disable those accounts and permissions.
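Most of the checklist above is procedural, but the account-side steps can be checked mechanically by comparing what HR knows with what the directory still allows. The script below is an added example, not code from the original article or from GFI: it reconciles a constructed HR roster against a constructed directory export and reports which personal accounts must be disabled, which were used after their owner's last day (the pattern in the Indiana case), which belong to staff still on notice and should be monitored, and which shared credentials a leaver knew and must be rotated. All employee IDs, usernames and dates are hypothetical sample data.

```python
"""Offboarding gap check: reconcile an HR roster with a directory export.

Added example, not part of the original article. Every name, ID and date
below is constructed sample data. The checks implemented are the ones the
checklist calls for: disable accounts of people who have left, monitor
accounts during the notice period, and rotate shared credentials a leaver knew.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    last_day: Optional[date]          # per HR; None while the person is staying


@dataclass(frozen=True)
class Account:
    username: str
    owner_emp_id: Optional[str]       # None for shared or service accounts
    enabled: bool
    last_logon: Optional[date]
    pwd_last_set: date
    # Shared accounts only: employee IDs who have been given the password.
    known_to: FrozenSet[str] = field(default_factory=frozenset)


# Constructed HR roster (hypothetical people and dates).
ROSTER = [
    Employee("E001", "A. Leaver", date(2004, 12, 15)),   # left years ago
    Employee("E002", "B. Leaver", date(2005, 2, 28)),    # left, offboarded cleanly
    Employee("E003", "C. Stayer", None),                 # current employee
    Employee("E004", "D. Notice", date(2009, 11, 20)),   # resigned, still on notice
]

# Constructed directory export (hypothetical accounts).
ACCOUNTS = [
    Account("aleaver", "E001", True, date(2006, 3, 2), date(2004, 6, 1)),
    Account("bleaver", "E002", False, date(2005, 2, 27), date(2005, 1, 4)),
    Account("cstayer", "E003", True, date(2009, 11, 9), date(2009, 9, 1)),
    Account("dnotice", "E004", True, date(2009, 11, 9), date(2009, 8, 3)),
    # Shared backup account whose password predates E001's departure.
    Account("svc_backup", None, True, date(2009, 11, 8), date(2004, 1, 10),
            known_to=frozenset({"E001", "E003"})),
    # Shared firewall admin account, rotated after E002 left.
    Account("admin_fw", None, True, date(2009, 11, 7), date(2005, 3, 5),
            known_to=frozenset({"E002", "E003"})),
]

TODAY = date(2009, 11, 9)   # date the check is run (constructed)


def find_offboarding_gaps(roster: List[Employee], accounts: List[Account],
                          today: date) -> Dict[str, List[str]]:
    """Group account names by the offboarding action they still need.

    disable:        personal account of someone past their last day, still enabled
    logged_on_late: personal account used after its owner's last day
    monitor:        personal account of someone currently in their notice period
    rotate:         shared account whose password was last set on or before the
                    last day of a departed employee who knew it
    """
    leavers = {e.emp_id: e for e in roster if e.last_day is not None}
    gaps: Dict[str, List[str]] = {"disable": [], "logged_on_late": [],
                                  "monitor": [], "rotate": []}

    for acct in accounts:
        if acct.owner_emp_id is not None:
            owner = leavers.get(acct.owner_emp_id)
            if owner is None:
                continue                      # current employee, nothing to do
            if owner.last_day > today:
                gaps["monitor"].append(acct.username)
                continue                      # still employed; watch, don't cut
            if acct.enabled:
                gaps["disable"].append(acct.username)
            if acct.last_logon is not None and acct.last_logon > owner.last_day:
                gaps["logged_on_late"].append(acct.username)
        else:
            # Shared credential: one departed person who knew it and whose last
            # day is not earlier than the last password change forces rotation.
            for emp_id in acct.known_to:
                emp = leavers.get(emp_id)
                if (emp is not None and emp.last_day <= today
                        and acct.pwd_last_set <= emp.last_day):
                    gaps["rotate"].append(acct.username)
                    break

    return {k: sorted(v) for k, v in gaps.items()}


def run_check() -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed sample data."""
    return find_offboarding_gaps(ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for action, names in run_check().items():
        print(f"{action:15} {', '.join(names) or '-'}")
```

In a real deployment the two inputs would come from the HR system and a directory export (for example a dump of account name, enabled flag, last logon and password-last-set attributes), and the `known_to` list for shared accounts has to be maintained deliberately, since no directory records who has been told a password. The `logged_on_late` list is the one that would have caught the Indiana case: accounts showing logons dated after their owner's last day.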

Although most departing employees have no malicious intent, those who are disgruntled or who are leaving to join a competitor may be tempted to take information or equipment with them.

Taking appropriate and immediate action when an employee resigns or is dismissed greatly reduces the chance that security is compromised. Cases like the one above may be rare, but no organization should take the risk.

About the Author:

David Kelleher is Director of Public Relations at GFI Software. With over 20 years’ experience in media and communications, he has written extensively for business and tech publications and is an editor and regular contributor to Talk Tech to Me.

John Mello, November 11, 2009, 9:56 pm

While taking appropriate and immediate action when an employee resigns or his or her role is terminated will ensure that security is not compromised, many corporations still underestimate the risks sacked workers pose to their operations. Just how clueless many organizations are to those risks was revealed in a study released this summer by the Courion Corporation, which specializes in access governance, provisioning and compliance. Among the study's findings were that:

– 53 percent of IT managers are largely unaware of employee access rights to their systems;

– 48 percent of companies take more than one business day to alert their IT departments that an employee has been terminated;

– 23 percent of the firms take an additional day or more to switch off a terminated employee's access to their systems;

– 34 percent of business managers acknowledged it could take up to a week before they were certain a terminated employee's access was shut off;

– 9 percent of the companies admitted they could never be completely certain they'd cut off their former employees' access.

“These figures suggest that IT administrators may be overconfident in their ability to prevent data breach threats from zombie accounts,” Courion said, “which can cost organizations millions of dollars in damages and tarnish brand reputation.”

David Kelleher, November 12, 2009, 10:31 am

Thanks John. The statistics are worrying, to say the least. Our own research in September in the US and last month in France shows that SMBs are too trusting and that they pay too little attention to insiders. It is also amazing how IT managers can be largely unaware of employee access to their systems. I think this is an area that needs to be addressed much more by the security community.