When You Took Their Keys Back, Did You Cancel Their Passwords, Too?
This blog gets at a really important topic for businesses, especially smaller businesses that don’t have a lot of extra resources for dealing with IT admin. Using a centralised access control system to make sure your systems aren’t accessible by people who have left your company is really important to overall security.
The last time an employee left your business, did you revoke their access to your IT systems? Are you sure? Do you have a way to check?
What kind of information could your former employees get if they still hold valid credentials (even though they no longer work there)? Depending on your business, the answer could include client data, proprietary research, or your financial information.
A former employee could use un-revoked credentials to view or download information that might help their new employer lure clients away from you or steal your ideas, which could be very bad for your bottom line. An employee who left angrily (perhaps because they were fired) could be even more dangerous, and might use their login to implant ransomware, viruses, or other malware.
Even if the departed employee would never do anything to harm you themselves, if their computer or records were compromised, someone else could get those same credentials—and that individual might not be so well-meaning.
In a recent survey of 500 IT decision makers by security firm OneLogin, some 20% of organisations say they have experienced data breaches by ex-employees. Further, 48% of organisations said they are aware that former employees still have access to the corporate network due to the lengthy process and inconvenience of changing all the company passwords. Ex-employees are more of a risk than cyber criminals trying to hack your network!
Protect yourself with centralized access control
There are a number of ways to help make sure your business isn’t exposed to malicious password use after an employee leaves, and they all fall under the umbrella of “access control”: controlling who can view and change what, when and how.
Good access control starts with company policy. It should be part of your HR offboarding routine to cancel an outgoing employee’s credentials the same way you delete their door code and take back their keys.
That said, when it comes to passwords, revoking credentials manually can be time-consuming, depending on how many systems a person had access to and how many unique passwords they used. Manual revocation is also subject to human error: it’s easy to forget a system or miss a step, so that an account you thought was closed remains open.
The safer option is to establish a centralized password management and access control system that gives you complete visibility into the use of all your systems, and a single point to activate or revoke permissions. At a glance, you’ll be able to see who has credentials to what systems, and when an employee leaves your company, you can instantly revoke their privileges for anything on your network.
With good access control procedures, you can be more confident in the overall security of your data and systems.
If you have questions about access control and what might be right for your business, we’d be happy to talk them over with you. And keep an eye out for my next blog on how to make sure your password approach is compliant with laws and regulations.