Data Protection

Ex-employees Have “Easy” Access to Corporate Data: Survey

Basic security hygiene dictates login credentials should never be shared. But a new survey from Centrify shows the practice is prevalent and poorly managed.

A little over half of United States-based IT leaders and a third of United Kingdom-based leaders believe it would be “easy” for an ex-employee to log in and access systems or information with old passwords, Centrify found in its recent State of the Corporate Perimeter survey. Even though half of the respondents said ex-employees and contractors are “off-boarded” the day they are terminated, it can take up to a week or more to completely remove those individuals’ access rights and passwords to sensitive data.

That is long enough for these individuals to log back in and either steal data or sabotage systems. A few years ago, a system administrator retaliated against the company for firing him by remotely logging in and wiping all the data off systems. And that isn’t an isolated incident.

What is even more worrying is how freely access to privileged accounts for applications, systems, and network devices is being shared. The survey found 40 percent of U.K. IT leaders working for companies with over 500 employees said more than 10 percent of their staff have privileged access to data. The number jumps to 50 percent for companies with fewer than 500 employees, Centrify said. That’s a lot of people, and it’s unlikely they all need access to confidential and highly sensitive information.

“Giving employees elevated access to privileged accounts and the organization’s most critical data, applications systems and network devices is essentially giving them the ‘keys to the kingdom’. It’s the equivalent of providing the front door key to your house – and you’d be very, very careful who you gave that to,” said Barry Scott, CTO EMEA at Centrify.

This also fits with the security headlines. Remember that the Office of Personnel Management had many users logging in as root, and several of the people accessing the systems were not properly vetted.

Three-quarters of IT leaders in the U.S. and more than half in the U.K. said their organizations “need to do a better job” of monitoring who has access to sensitive information. Organizations are not doing a very good job of tracking who has access to key data, the survey suggested. And that includes tracking ex-employees, contractors, and other partners. About 62 percent of U.S. IT leaders believe their organization has too many privileged users.

The sharing is widespread, as 59 percent of U.S.-based respondents said they’ve shared key access with unvetted employees “at least somewhat often,” and 52 percent in the U.S. said they’ve done the same with outside contractors. The numbers were a little more reassuring with the U.K. group, at 34 percent and 32 percent, respectively. But it’s still not a good sign.

Of those two groups, 82 percent of the U.S. IT leaders and 68 percent of U.K. leaders said “it would be somewhat easy” for those individuals to gain access to key pieces of data.

Half of the 400 IT decision makers who participated in the survey were based in the United States and the other half from the United Kingdom. While there were some regional differences, the overall pattern was consistent across both groups. For example, 55 percent of IT leaders in the U.S. and 45 percent in the U.K. said their organizations have suffered a data breach. Those breaches cost the companies involved millions of dollars in damages, Centrify said.

Privileged access is part of identity management. While 92 percent of organizations in the U.S. currently have some form of user monitoring in place, only 56 percent have privileged identity management. Nearly a third of those companies don’t have dedicated personnel auditing how those privileged accounts are being used on a weekly basis. A little over half update passwords on a regular basis.

“It’s surprising that experienced IT decision makers like this are admitting that their organizations need to do a better job of monitoring who has access to their data, despite high profile incidents like Sony, JP Morgan and Target and the knowledge that breaches can potentially cost them millions of pounds,” Scott said.
