Companies spend a lot of time and energy ensuring their IT systems are secured against external cyber attacks. Unfortunately, many don’t realise they also need to consider threats that originate from within.
Disgruntled employees and trusted contractors can cause significant disruption to systems or steal sensitive company data, and the threat doesn’t end when they leave their jobs.
There are regular reports of companies suffering losses as a result of staff who are no longer employed but still have access to the corporate IT infrastructure.
Other examples include former employees who use their remote access abilities to download proprietary data and pass it to a competitor. In other cases former IT department employees have remotely accessed corporate systems and caused damage by changing configuration settings.
Typically, organisations have policies and procedures in place to change credentials and terminate access to systems and technology when an employee departs the company. The process should be the same whether the employee is in the IT department or not. How access is terminated depends upon the organisation and IT infrastructure.
When all access to various systems is managed in a single directory, such as Active Directory, the solution can be straightforward. Things get complicated when the infrastructure is more complex with a wide variety of systems, multiple directories, cloud-based applications, etc. If there isn’t a dedicated procedure for what to do in case of IT member termination, then there is a chance that some access may be left open.
Outdated accounts are typically left open until someone finds out (usually someone from the IT/Security team) and only then is the access terminated. Ideally, all privileged accounts are managed and monitored via a privileged account security solution, and all identities are verified using multi-factor authentication before access is granted.
The actions of malicious IT staff makes headlines, but keep in mind they are not the only ones with privilege. All access is a privilege and should be managed throughout the employment lifecycle, from on-boarding of the employee through termination.
Even employees outside the IT department with routine access privileges pose a risk (malicious or accidental) if those privileges are not managed carefully. Think about it – HR has access to employee information, sales has access to customer data, marketing has access to public facing communication channels etc.
The problem with access creep
Employee roles and responsibilities are often fluid, and workers tend to accumulate privileges over time. Jobs change and situations arise that require one-time access to resources. Passwords shared for one-time access often are not invalidated or changed after they are used.
Although managing credentials and securing access to data or systems is often considered to be an IT function, typically the permissions and privileges are granted by supervisors or account administrators who do not keep IT or the human resources department in the loop. Furthermore, employees may have access to systems that IT isn’t aware of, such as a file-sharing program, marketing database etc.
HR usually handles the administrative tasks of a termination and relies on IT to de-provision privileged access. But in many cases, neither has an authoritative list of all accounts, privileges and credentials accumulated over the course of employment. As a result, it is possible for employees to retain access to networks and resources after leaving an organisation, creating a new flavour of an insider threat.
Implement best practices
As with many aspects of security, comprehensive access management depends upon both policy and technology.
Because IT departments often do not authorise and assign all system access, a complete access management program has to extend beyond IT to all departments in the organisation. This includes all supervisors and managers who grant access to systems or information to their direct reports, and information owners who are responsible for access to data, which is often the ultimate target of an intrusion. Policies should define how and when access is granted, establish programs to track all access, and actively manage that access so that privileges are revoked when they’re no longer needed.
Furthermore, organisations must actively protect and monitor for all types of privileged credentials. Look for a solution which allows you to protect credentials, manage accounts and monitor activity by privileged users. When integrated with enterprise directories or identity and access management solutions, privileged access can automatically be terminated when users leave. Continuous monitoring can help spot the creation of backdoors or other suspect activity while the accounts are active.
Such an approach will ensure that only those who should have access to core systems and data actually do. The result is a much more secure IT infrastructure and a significant reduction in business risk.