Many Enterprises Don’t Shut Off Access When Employees Depart, Study Finds

Shifts in employment show disparity between access policies and actual practice

Given the fast-changing employment environment, enterprise executives may be surprised to learn that most firms still rely on “outdated security procedures,” according to a March survey of U.S. security professionals. In fact, nearly one in eight (14 percent) former employees can still access proprietary data.

Such deficiencies are just one of the revelations of a survey of over 12,500 security industry professionals in the U.S. conducted by Cloakware, a data center security firm. Three-fourths of respondents work at companies with at least 1,000 employees. “A simple calculation based on respondents’ replies reveals that a minimum of 1,312,500 employees still have access to company systems after they have left the organization.”

To cut costs, many companies (including 90 percent of respondents) permit employees to work off site but don’t have security controls that match this environment. According to the survey, more than four in ten (41 percent) report using more virtual workers in the past year. Despite this trend, many companies still use basic passwords and a single new-employee set-up procedure that can easily introduce vulnerabilities.

Compounding the problem, Cloakware reports, is that “remote access is often managed by multiple internal groups within a company, resulting in 21 percent of responding companies admitting that they hadn’t even changed employees’ passwords after they were terminated.” This may also explain another survey finding: the department responsible for removing access when an employee leaves the firm may not be IT. “Two-thirds of the time, IT departments are tasked with this responsibility, but many companies delegate it to human resources and direct managers, often revealing a disconnect that leaves companies vulnerable to malicious former employee attacks.”

Survey participants confess to not being vigilant in managing the access of current employees. Of the three-quarters of respondents who said their companies have policies that require password changes, 31 percent require monthly changes and 69 percent require quarterly changes. However, one in five firms enforces its policy with automated password update software.

“With companies facing dwindling margins, reducing overhead costs is driving a change in employee work arrangements, but it also reveals weak protection practices -- a critical issue for long-term security,” said David Canellos, president and chief operating officer of Cloakware, in a statement. “Simply put, insufficient security and access management practices can be detrimental to a company’s business, and companies are only beginning to realize the need for more stringent standards to govern access to their critical information and protect their crucial company assets.”

About the Author

James E. Powell is the former editorial director of Enterprise Strategies (esj.com).