Organizations are typically very committed to removing an ex-employee from payroll systems when their employment has ended. No company wants to accidentally give money away to someone who no longer works there. Yet, we rarely see the same efficiency when it comes to de-provisioning that ex-employee from network systems, applications, and all other IT resources. Orphaned accounts can go unnoticed for weeks, months, and sometimes even years.
Why?
Businesses tend to overlook potential expenses that aren’t as tangible or situations where the expense amount is cloudy. If an employee isn’t removed from payroll, you know they’re going to receive a specific amount of money for the next scheduled pay period. However, if that same employee isn’t de-provisioned in a timely manner and maintains their access, this presents a number of risks to the organization, including data theft or a cyber attack executed through one of those open, orphaned accounts. The potential expense, which we should probably just call a loss, is unknown, but it could run much higher than an employee’s salary for a single pay period. When you factor in lawsuits, the costs of security technology and consulting, and stolen IP along with the years of research that went into it, you could be looking at a multi-million-dollar expense.
De-provisioning from business-critical systems and data needs to become a much higher priority for all organizations. It’s both a security issue and a financial issue, and it should be given the same importance as removing an employee from a single payroll system.
Two key stats indicate the risks companies face when using manual processes instead of automating their de-provisioning:
Automated de-provisioning prevents former employees from taking data with them. When you automate all de-provisioning tasks, you’re effectively closing the door on employees retaining access to corporate data. They don’t even have the option of taking any with them.
In a non-automated scenario, when an employee leaves the organization, IT must be notified by someone, typically HR or the employee’s former manager. At that point, they can manually handle de-provisioning. However, there tends to be a delay in that notification, and in some instances, it may never even occur.
Another challenge with manual de-provisioning is that accounts can sometimes be forgotten. If IT is interrupted in the middle of the de-provisioning process, the person handling it may forget to come back to it after de-provisioning only 5 of 9 accounts. That leaves four access points still open. If the accounts aren’t connected to one another, this is a very real possibility.
By automating the de-provisioning process, the possibility of human error is completely taken out of the picture. When an employee is removed from Active Directory, typically the first step taken after someone leaves the company, they are automatically de-provisioned from all other connected accounts. That’s it - nothing left to do. Simple, quick, and efficient.
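As an added example (not code from the original post or from any vendor product), here is a small Python reconciliation check that finds the orphaned accounts a partially completed manual de-provisioning leaves behind. The directory roster and the nine system account exports are constructed sample data, with the 5-of-9 scenario from above baked in: one leaver was removed from five systems and forgotten in the other four.

```python
# Added example, not from the original post. Finds orphaned accounts: accounts in
# connected systems whose owner is no longer active in the authoritative directory.
# All rosters below are constructed sample data.
from dataclasses import dataclass

# Constructed roster of users the directory (e.g. Active Directory) still considers active.
ACTIVE_DIRECTORY_USERS = {"alice", "bob", "dana"}

# Constructed account exports from nine connected systems. "carol" has left the
# company; a manual de-provisioning run removed her from only 5 of the 9 systems.
SYSTEM_ACCOUNTS = {
    "vpn":       {"alice", "bob", "carol", "dana"},
    "email":     {"alice", "bob", "carol", "dana"},
    "crm":       {"alice", "carol"},
    "wiki":      {"bob", "carol", "dana"},
    "github":    {"alice", "bob", "dana"},
    "jira":      {"alice", "dana"},
    "erp":       {"bob", "dana"},
    "fileshare": {"alice", "bob"},
    "hr_portal": {"alice", "bob", "dana"},
}


@dataclass(frozen=True, order=True)
class Orphan:
    system: str
    username: str


def find_orphans(active_users, system_accounts):
    """Return every (system, username) pair whose user is not active in the directory."""
    return sorted(
        Orphan(system, user)
        for system, users in system_accounts.items()
        for user in users
        if user not in active_users
    )


def orphans_by_user(orphans):
    """Group orphaned accounts by username so one leaver's leftover access is visible at a glance."""
    grouped = {}
    for orphan in orphans:
        grouped.setdefault(orphan.username, []).append(orphan.system)
    return {user: sorted(systems) for user, systems in grouped.items()}


if __name__ == "__main__":
    leftovers = orphans_by_user(find_orphans(ACTIVE_DIRECTORY_USERS, SYSTEM_ACCOUNTS))
    for user, systems in leftovers.items():
        print(f"{user}: still has accounts in {', '.join(systems)}")
```

Run against real exports, a check like this belongs on a schedule, since it is the control that catches the interrupted manual run the paragraph above describes.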
While automation is a great asset, there are other considerations to take into account with de-provisioning. IT must work with company leadership to make decisions about the fate of some accounts. The ex-employee’s access is of course eliminated, but should the accounts themselves be terminated altogether? Here are some of those considerations:
When an employee leaves your company, even on good terms, it should be correctly viewed as a vulnerability. That individual is no longer an employee and no longer needs access to any of your systems or applications. We must start applying the same level of efficiency and scrutiny to de-provisioning that we do to payroll and provisioning. Start looking at de-provisioning as the risk reducer it is when handled properly.