Organizations are typically very committed to removing an ex-employee from payroll systems when their employment has ended. No company wants to accidentally give money away to someone who no longer works there. Yet, we rarely see the same efficiency when it comes to de-provisioning that ex-employee from network systems, applications, and all other IT resources. Orphaned accounts can go unnoticed for weeks, months, and sometimes even years.
Businesses tend to overlook potential expenses that aren’t as tangible or situations where the expense amount is cloudy. If an employee isn’t removed from payroll, you know they’re going to receive a specific amount of money for the next scheduled pay period. However, if that same employee isn’t de-provisioned in a timely manner and maintains their access, this presents a number of risks to the organization, including data theft or a cyber attack executed through one of those open, orphaned accounts. The potential expense, which we should probably just call a loss, is unknown, but could run much higher than an employee’s salary for a single pay period. When you factor in lawsuits, the costs of security technology and consulting, and stolen IP and the years of research that went into it, you could be looking at a multi million dollar expense.
De-provisioning from business critical systems and data needs to become a much higher priority for all organizations. It’s both a security issue and financial issue that should be viewed with equal importance as removing an employee from a single payroll system.
The Value of Automation
Two key stats indicate the risks companies face when using manual processes instead of automating their de-provisioning:
- 66% of workers say they retain access to corporate data after leaving their jobs.
- 25% of workers say they would take corporate data with them if they left their job. 60% of those know it’s against company policy.
Automated de-provisioning prevents former employees from taking data with them. When you automate all de-provisioning tasks, you’re effectively closing the door on employees retaining access to corporate data. They don’t even have the option of taking any with them.
In a non-automated scenario, when an employee leaves the organization, IT must be notified by someone, typically HR or the employee’s former manager. At that point, they can manually handle de-provisioning. However, there tends to be a delay in that notification, and in some instances, it may never even occur.
Another challenge with manual de-provisioning is that accounts can sometimes be forgotten. If IT is interrupted in the middle of the de-provisioning process, the person handling it may forget to come back to it after de-provisioning only 5 of 9 accounts. That leaves four access points still open. If all accounts aren’t connected, this is a very real possibility.
By automating the de-provisioning process, the possibility of human error is completely taken out of the picture. When an employee is removed from Active Directory, typically the first step taken after someone leaves the company, they are automatically de-provisioned from all other connected accounts. That’s it - nothing left to do. Simple, quick, and efficient.
Top Considerations for De-Provisioning
While automation is a great asset, there are other considerations to take into account with de-provisioning. IT must work with company leadership to make decisions about the fate of some accounts. Of course the access of the ex-employee is eliminated, but should accounts be terminated altogether? Here are some of those considerations:
- What happens to an ex-employee’s documents, emails, and files? Are they retained in a storage area with access given to those who need it? Are they all deleted? Is access given only when requested?
- What happens to the ex-employee’s email account? Does it remain open and active? Is email forwarded to another employee? Or is it closed, so that any sender receives a bounceback message?
- What if another employee, or even law enforcement, needs to temporarily access the ex-employee’s accounts? What’s the process and protocol? Can we temporarily delegate the ability to enable the account and track its use?
- What happens to the ex-employee's sponsored accounts? Who are their responsibilities moved to?
- What happens if they’re an entitlement owner or an approver for other employee’s entitlement requests? Who does that responsibility move to?
- What about exceptions to access removal? There are exceptions, such as with payroll self-service systems. Ex-employees still need to access pay stubs. All other access must be removed, but the primary account needs to remain open, with the only access possible being to paystubs.
When an employee leaves your company, even on good terms, it should be correctly viewed as a vulnerability. That individual is no longer an employee and no longer needs access to any of your systems or applications. We must start applying the same level of efficiency and scrutiny to de-provisioning that we do to payroll and provisioning. Start looking at de-provisioning as the risk reducer it is when handled properly.
Other blog posts that might interest you: