Ex-employees Have “Easy” Access to Corporate Data: Survey

Basic security hygiene dictates login credentials should never be shared. But a new survey from Centrify shows the practice is prevalent and poorly managed.

A little over half of United States-based IT leaders and a third of United Kingdom-based leaders believe it would be “easy” for an ex-employee to log in and access systems or information with old passwords, Centrify found in its recent State of the Corporate Perimeter survey. Even though half of the respondents said ex-employees and contractors are “off-boarded” the day they are terminated, it can take up to a week or more to completely remove access rights and passwords to sensitive data for those individuals.

That is a long enough time for these individuals to log back in and either steal data or sabotage systems. A few years ago, a system administrator retaliated against the company for firing him by remotely logging in and wiping all the data off systems. And that isn’t an isolated incident.

What is even more worrying is how freely access to privileged accounts for applications, systems, and network devices is being shared. The survey found 40 percent of U.K. IT leaders working for companies with over 500 employees said more than 10 percent of their staff have privileged access to data. The number jumps to 50 percent for companies with fewer than 500 employees, Centrify said. That’s a lot of people, and it’s unlikely they all need access to confidential and highly sensitive information.

“Giving employees elevated access to privileged accounts and the organization’s most critical data, applications systems and network devices is essentially giving them the ‘keys to the kingdom’. It’s the equivalent of providing the front door key to your house – and you’d be very, very careful who you gave that to,” said Barry Scott, CTO EMEA at Centrify.

This also fits with the security headlines. Remember that the Office of Personnel Management had many users logging in as root, and several of the people accessing the systems were not properly vetted.

Three-quarters of IT leaders in the U.S. and more than half in the U.K. said their organizations “need to do a better job” of monitoring who has access to sensitive information. Organizations are not doing a very good job of tracking who has access to key data, the survey suggested. And that includes tracking ex-employees, contractors, and other partners. About 62 percent of U.S. IT leaders believe their organization has too many privileged users.

The sharing is widespread, as 59 percent of U.S.-based respondents said they’ve shared key access with unvetted employees “at least somewhat often,” and 52 percent in the U.S. said they’ve done the same with outside contractors. The numbers were a little more reassuring with the U.K. group, at 34 percent and 32 percent, respectively. But it’s still not a good sign.

Of those two groups, 82 percent of the U.S. IT leaders and 68 percent of U.K. leaders said “it would be somewhat easy” for those individuals to gain access to key pieces of data.

Half of the 400 IT decision makers who participated in the survey were based in the United States and the other half from the United Kingdom. While there were some regional differences, the overall pattern was consistent across both groups. For example, 55 percent of IT leaders in the U.S. and 45 percent in the U.K. said their organizations have suffered a data breach. Those breaches cost the companies involved millions of dollars in damages, Centrify said.

Privileged access is part of identity management. While 92 percent of organizations in the US currently have some form of user monitoring in place, only 56 percent have privileged identity management. Nearly a third of those companies don’t have dedicated personnel auditing how those privileged accounts are being used on a weekly basis. A little over half update passwords on a regular basis.

“It’s surprising that experienced IT decision makers like this are admitting that their organizations need to do a better job of monitoring who has access to their data, despite high profile incidents like Sony, JP Morgan and Target and the knowledge that breaches can potentially cost them millions of pounds,” Scott said.
