When your company parts ways with employees, are you able to immediately terminate all access to corporate data? If not, you’re opening the organization up to a very real danger.
Consider the fact that 87 percent of employees who leave a job admit to taking with them data they created, such as corporate presentations and strategy documents. An astonishing 28 percent say they’ve taken data that other people created.
And perhaps most telling: 90 percent admitted that the main reason for the data theft upon departure lay in the opportunity—their employer didn’t have the policies or technology in place to prevent them from doing it.
These statistics are proof that companies need to safeguard their information from ex-employees—from the moment they quit or are fired.
A Dangerous Oversight
A recent survey found that nearly half of all companies didn’t feel confident that they were effectively blocking former employees’ access to their systems. However, not securing data and systems from ex-employees creates an opportunity for data theft, which can harm a company’s competitive position and have a direct negative impact on revenue. Data theft also puts you at risk of regulatory violation for failing to protect sensitive customer information.
In most companies, this oversight occurs because deprovisioning involves multiple departments, such as HR and IT. When an employee is fired, HR must notify IT to access each system and cut the employee’s access, but this tedious process takes time—if it occurs at all. Research indicates that 24 percent of a typical organization’s employees leave each year, so a lack of a structured deprovisioning process can quickly become dangerous.
With the threat of data theft in mind, companies must manage employee access effectively by establishing thorough policies and procedures that protect data and by implementing technology solutions that prevent employees from stealing information when they leave.
Eliminating Human Error
One of the key challenges of deprovisioning is creating an access management system in which nothing falls through the cracks. Immediately disabling an ex-employee’s access to information systems is a great first step. However, when employees leave an organization—especially en masse, such as after the holiday season—the scene can be chaotic.
If HR or IT has to manually deprovision each employee, they may overlook certain downstream systems or employees or take too long to complete the task. The State Department is a prime example of deprovisioning gone wrong; a recent report found that the agency had more than 2,600 “zombie” email accounts for users who had been inactive for more than a year.
These all-too-common mistakes illustrate how human error—as well as forgetfulness, laziness, and sheer busyness—can render even the best deprovisioning policies moot. That is why it’s vital that organizations automate the deprovisioning process to remove the possibility of human error.
IAM: An Automated Approach to Offboarding
A centralized identity and access management (IAM) system provides full visibility into the comings and goings of employees, and it automates deprovisioning so that all data access is cut immediately when a worker is fired or quits. The account is disabled in the central IAM system, and the appropriate action (disable, delete, archive, suspend, and so on) is carried out in every target system according to the policy defined for each. The moment someone leaves, access to all corporate systems is revoked automatically, with no manual changes or data entry.
Another benefit lies in the power of delegation. With IAM systems, administrators can delegate deprovisioning functions to non-IT employees, such as group managers or HR associates. This empowers the person who is actually responsible for offboarding an employee to ensure that access privileges are handled appropriately.
IAM also ensures that at least two-factor authentication is required for access to sensitive content. When an employee leaves, the system automatically deprovisions that person's access to the authentication systems, further preventing the possibility of unauthorized access to sensitive systems.
Assess Your Organization
Is your organization doing enough to prevent ex-employees from accessing your systems and data? If you’re not sure, start by asking yourself the following questions:
- What happens to an ex-employee’s documents, emails, and files?
- What happens to the ex-employee’s email account?
- What if another employee, or even law enforcement, needs to temporarily access the ex-employee’s accounts?
- What happens to the ex-employee's sponsored accounts?
- What happens if the ex-employee is an entitlement owner or an approver for other employees’ entitlement requests?
- How do you handle exceptions to access removal?
If you can’t easily answer these questions, it’s time to consider augmenting or upgrading your IAM system to enable immediate and automated deprovisioning.
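One way to check for the gaps described above, as an added example that is not part of the original article: a small audit that compares an HR termination feed with account inventories from each target system and flags accounts left enabled after termination, sponsored accounts whose sponsor has left, and accounts inactive for more than a year. The system names, user names, dates and policy table are constructed for illustration.

```python
from datetime import date, timedelta

# All names and values below are constructed sample data, not from a real system.
# Per-system offboarding action, i.e. the policy defined for each target system.
POLICY = {"email": "archive", "crm": "disable", "vpn": "delete"}

# HR feed: user -> termination date.
TERMINATED = {"adavis": date(2024, 3, 1), "bkhan": date(2024, 3, 4)}

# Inventory rows: (system, user, enabled, last_login, sponsor)
ACCOUNTS = [
    ("email", "adavis", False, date(2024, 2, 28), None),
    ("crm", "adavis", True, date(2024, 2, 27), None),
    ("vpn", "bkhan", True, date(2024, 3, 6), None),
    ("crm", "ext-vendor1", True, date(2024, 3, 8), "bkhan"),
    ("email", "cjones", True, date(2022, 11, 2), None),
    ("email", "dlee", True, date(2024, 3, 9), None),
]

def audit(accounts, terminated, policy, today, stale_after=timedelta(days=365)):
    """Return (system, user, finding, action) for every account needing attention."""
    findings = []
    for system, user, enabled, last_login, sponsor in accounts:
        if not enabled:
            continue  # already deprovisioned in this target system
        if user in terminated:
            # Still enabled after termination; a login after the termination
            # date is the more urgent case and is flagged separately.
            finding = ("used_after_termination" if last_login > terminated[user]
                       else "missed_deprovision")
            # Defaulting to "disable" for unlisted systems is an assumption.
            findings.append((system, user, finding, policy.get(system, "disable")))
        elif sponsor in terminated:
            # Sponsored account whose sponsor has left the organization.
            findings.append((system, user, "orphaned_sponsored", "reassign_sponsor"))
        elif today - last_login > stale_after:
            # Inactive for more than a year: a "zombie" account.
            findings.append((system, user, "zombie", "review"))
    return findings

if __name__ == "__main__":
    for row in audit(ACCOUNTS, TERMINATED, POLICY, today=date(2024, 3, 10)):
        print(*row, sep="\t")
```

Running a reconciliation like this on a schedule catches the systems a manual offboarding checklist missed, independently of whether the IAM workflow reported success.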