The insider threat does not necessarily cease when an employee leaves the organization. There are plenty of recent articles in the news with cautionary tales of ex-employees compromising company networks.
- A former employee at a private security patrol company was ordered by court to pay more than $300,000 to fix computer systems he damaged after he was fired.
- A former employee of an engineering company stole $425,000 worth of proprietary information for a competitor.
- A high-level IT employee of a sportswear company was accused of setting up a phony account to create a back door into the company’s networks before leaving for another job, and of using it to steal information.
Organizations typically have policies and procedures in place to change credentials and terminate access to systems and technology when an employee departs the company. The process should be the same whether the employee is in the IT department or not. How access is terminated depends upon the organization and IT infrastructure.
When all access to the various systems is managed in a single directory, such as Active Directory, the solution can be straightforward: disable the one account and everything tied to it stops working. Things get complicated when the infrastructure is more complex, with a wide variety of systems, multiple directories, cloud-based applications, etc. If there isn’t a dedicated procedure for terminating an IT staff member, there is a good chance that some access will be left open.
Outdated accounts are typically left open until someone finds out (usually someone from the IT/Security team) and only then is the access terminated. Ideally, all privileged accounts are managed and monitored via a privileged account security solution, and all identities are verified using multi-factor authentication before access is granted.
The actions of malicious IT staff make headlines, but keep in mind that they are not the only ones with privilege. All access is a privilege and should be managed throughout the employment lifecycle, from onboarding through termination. Even employees outside of IT with routine access privileges pose a risk (malicious or accidental) if those privileges are not managed carefully. Think about it – HR has access to employee information, sales has access to customer data, marketing has access to public-facing communication channels, etc.
Access creep
Employee roles and responsibilities are often fluid, and workers tend to accumulate privileges over time. Jobs change and situations arise that require one-time access to resources. Passwords shared for one-time access often are not invalidated or changed after they are used.
Although managing credentials and securing access to data or systems is often considered to be an IT function, typically the permissions and privileges are granted by supervisors or account administrators who do not keep IT or the human resources department in the loop. Furthermore, employees may have access to systems that IT isn’t aware of, such as a file-sharing program, marketing database etc.
HR usually handles the administrative tasks of a termination and relies on IT to deprovision privileged access. But in many cases, neither has an authoritative list of all accounts, privileges and credentials accumulated over the course of employment. As a result, it is possible for employees to retain access to networks and resources after leaving an organization, creating a new flavor of an insider threat.
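The gap described in this section and in the single-directory versus multi-system discussion above is that nobody holds one list of every account an employee has accumulated. The following is an added example, not code from the original post or from CyberArk, of the reconciliation check a security team can run to build that list: it joins per-system account exports back to the HR roster, flags enabled accounts of terminated employees, accounts with no HR owner, accounts that were used after the owner’s last day, and stale accounts, and surfaces privileged ones first. The HR roster, the directory export, the SaaS export, the field names and the privileged-group list are all constructed assumptions; a real run would load them from the HR system, Active Directory and each application’s admin API.

```python
"""Reconcile account exports from several systems against the HR roster.

Added example, not code from the original post or from CyberArk. The HR
roster, the directory export and the SaaS export below are constructed
sample data with illustrative field names.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: employee_id -> (status, last_day_or_None)
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2024, 3, 1)),
    "E102": ("active", None),
}

# Constructed per-system exports. Each record carries the HR id it was
# provisioned for (None when nobody recorded one), the enabled flag, the last
# observed logon and the group memberships.
SYSTEM_EXPORTS = {
    "ad": [
        {"account": "alice", "employee_id": "E100", "enabled": True,
         "last_logon": date(2024, 4, 10), "groups": ["Domain Users"]},
        {"account": "bob", "employee_id": "E101", "enabled": True,
         "last_logon": date(2024, 3, 5), "groups": ["Domain Users", "Domain Admins"]},
        {"account": "svc-backup", "employee_id": None, "enabled": True,
         "last_logon": date(2024, 4, 9), "groups": ["Backup Operators"]},
    ],
    "crm_saas": [
        {"account": "bob@example.com", "employee_id": "E101", "enabled": True,
         "last_logon": date(2024, 3, 20), "groups": ["admin"]},
        {"account": "carol@example.com", "employee_id": "E102", "enabled": True,
         "last_logon": date(2023, 11, 1), "groups": ["reports"]},
        {"account": "eve@example.com", "employee_id": "E999", "enabled": True,
         "last_logon": None, "groups": ["admin"]},
    ],
}

# Group names treated as privileged in each system (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "admin"}
# An enabled account nobody has used for this long is treated as stale.
STALE_AFTER = timedelta(days=90)


@dataclass
class Finding:
    system: str
    account: str
    privileged: bool
    reasons: list


def audit_account(system, acct, hr, today):
    """Return a Finding for one account record, or None if it looks healthy."""
    reasons = []
    record = hr.get(acct["employee_id"]) if acct["employee_id"] else None
    if record is None:
        # Orphaned: nobody in HR owns this account, so nobody will offboard it.
        reasons.append("no_hr_record")
    else:
        status, last_day = record
        if status == "terminated" and acct["enabled"]:
            reasons.append("terminated_still_enabled")
        if last_day and acct["last_logon"] and acct["last_logon"] > last_day:
            # Evidence that the leftover access was actually used.
            reasons.append("logon_after_termination")
    if acct["enabled"] and (acct["last_logon"] is None
                            or today - acct["last_logon"] > STALE_AFTER):
        reasons.append("stale")
    if not reasons:
        return None
    privileged = bool(PRIVILEGED_GROUPS & set(acct["groups"]))
    return Finding(system, acct["account"], privileged, reasons)


def reconcile(hr, exports, today):
    """Audit every account in every export; privileged findings sort first."""
    findings = []
    for system, accounts in exports.items():
        for acct in accounts:
            finding = audit_account(system, acct, hr, today)
            if finding:
                findings.append(finding)
    findings.sort(key=lambda f: (not f.privileged, f.system, f.account))
    return findings


def accounts_for_employee(employee_id, exports):
    """The cross-system account list an offboarding checklist should start from."""
    return [(system, acct["account"])
            for system, accounts in exports.items()
            for acct in accounts if acct["employee_id"] == employee_id]


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, SYSTEM_EXPORTS, date(2024, 4, 15)):
        flag = "PRIV" if f.privileged else "    "
        print(f"{flag} {f.system:9} {f.account:18} {', '.join(f.reasons)}")
    print("E101 accounts:", accounts_for_employee("E101", SYSTEM_EXPORTS))
```

The join key is the HR employee id stored on each account; in practice that attribute is exactly what supervisors and application admins forget to populate when they grant access outside IT, which is why the `no_hr_record` bucket is usually the largest on a first run and why `accounts_for_employee` only becomes a complete offboarding list once that bucket has been worked down.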
Best practices
As with many aspects of security, comprehensive access management depends upon both policy and technology.
Because IT departments often do not authorize and assign all system access, a complete access management program has to extend beyond IT to all departments in the organization. This includes all supervisors and managers who grant access to systems or information to their direct reports, and information owners who are responsible for access to data, which is often the ultimate target of an intrusion. Policies should define how and when access is granted, establish programs to track all access, and actively manage that access so that privileges are revoked when they’re no longer needed.
Furthermore, organizations must actively protect and monitor for all types of privileged credentials. The CyberArk Privileged Account Security Solution allows organizations to protect credentials, manage accounts and monitor activity by privileged users. When integrated with enterprise directories or identity and access management solutions, privileged access can automatically be terminated when users leave. Continuous monitoring can help spot the creation of backdoors or other suspect activity while the accounts are active.
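The monitoring described above has to answer a concrete question: did a privileged user who is about to leave create an account or grant privileges that outlive them, and was that account used afterwards? The following is an added example, not code from the original post or from CyberArk, of detection logic run over a constructed event feed. The events are only loosely modelled on Windows Security event IDs (4720 user account created, 4728 member added to a security-enabled global group, 4624 logon); the departure dates, the set of HR-known accounts, the privileged group names and the 30-day notice window are assumed inputs.

```python
"""Flag backdoor-style activity by a departing administrator in an event feed.

Added example, not code from the original post or from CyberArk. Events are
constructed and only loosely modelled on Windows Security events; the
departure list, HR-known accounts and notice window are assumed inputs.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed sample events, not real log data.
EVENTS = [
    {"time": "2024-03-01T09:12:00", "id": 4720, "actor": "dave", "target": "svc-monitor2"},
    {"time": "2024-03-01T09:13:30", "id": 4728, "actor": "dave", "target": "svc-monitor2",
     "group": "Domain Admins"},
    {"time": "2024-03-02T14:00:00", "id": 4720, "actor": "alice", "target": "newhire07"},
    {"time": "2024-03-10T22:41:00", "id": 4624, "actor": "svc-monitor2", "target": "svc-monitor2"},
]
DEPARTURES = {"dave": date(2024, 3, 8)}        # HR-supplied last working day
KNOWN_TO_HR = {"alice", "dave", "newhire07"}   # accounts HR has an owner for
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
NOTICE_WINDOW = timedelta(days=30)             # assumed watch period before last day


@dataclass
class Alert:
    rule: str
    actor: str
    target: str
    time: str


def departing_on(actor, when, departures, window=NOTICE_WINDOW):
    """True if the actor is inside the notice window at the time of the event."""
    last_day = departures.get(actor)
    return last_day is not None and last_day - window <= when.date() <= last_day


def detect(events, departures, known, privileged=PRIVILEGED_GROUPS):
    """Run the rules over events in time order and return the alerts raised."""
    alerts = []
    created_by = {}  # account -> departing creator, so later use can be tied back
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        actor, target = ev["actor"], ev["target"]
        if ev["id"] == 4720:
            if departing_on(actor, when, departures):
                created_by[target] = actor
                alerts.append(Alert("account_created_by_departing_user", actor, target, ev["time"]))
            if target not in known:
                # Nobody in HR owns the new account, so nobody will offboard it.
                alerts.append(Alert("account_without_hr_record", actor, target, ev["time"]))
        elif ev["id"] == 4728 and ev.get("group") in privileged:
            if departing_on(actor, when, departures):
                alerts.append(Alert("privilege_granted_by_departing_user", actor, target, ev["time"]))
        elif ev["id"] == 4624 and actor in created_by:
            # A logon by an account a departing admin created, after that admin left.
            creator = created_by[actor]
            if when.date() > departures[creator]:
                alerts.append(Alert("backdoor_used_after_departure", actor, creator, ev["time"]))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, DEPARTURES, KNOWN_TO_HR):
        print(f"{a.time} {a.rule:36} actor={a.actor} target={a.target}")
```

The last rule is the one that matters after the fact: the first three fire while the departing administrator is still employed and can be handled in the offboarding meeting, whereas a logon by one of their creations after the last day is the back-door scenario from the sportswear case above and should go straight to incident response.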
With a comprehensive program in place – one that aligns policies, practices and technology – organizations can ensure that all access to privileged accounts is secured and managed.