Mitigating the IT Risks Your Company Faces During Employee Turnover
According to the Cost of a Data Breach Study by IBM and Ponemon, the global average cost for data breaches was $3.6 million. This amounted to an average of $141 per record.
Although insider threats are often thought of as being the biggest risk, employees who have recently quit or been terminated may pose an even bigger one. What type of dangers could your company be facing, and what can you do to mitigate them? Here is some information you need to know.
There could be some serious consequences involved with data breaches. A few possibilities include:
- A loss of Personally Identifiable Information (PII) or Protected Health Information (PHI)
- Damage to your company or brand’s reputation
- Compromised financial information or IT security data
- A loss of trade secrets or intellectual property
- Reduced revenue
- Electronic vandalism, which involves changing your website or digital documents without your permission
Prevalence of Data Breaches
Just how common are data breaches by former employees? TechRepublic recently reported on a survey performed by the security firm OneLogin. In that survey, approximately 20% of all businesses claimed they had experienced a data breach from a former employee.
In most cases, data breaches occur when workers continue to have access even after they are no longer employed by a company. While it may seem obvious that you would need to terminate someone’s access right away, the fact is that many businesses do not. The OneLogin survey also noted that nearly half of all organizations stated they were aware that former employees continued to have access to their network.
The amount of time it takes to eliminate access can vary greatly. Of those surveyed:
- 32% claimed that an account would remain active for one week
- 20% stated it would take more than one month to delete access
- 25% reported they had no idea how long a former employee’s account would remain active
The longer a former associate’s account remains open, the greater the odds that he or she will act inappropriately. As analyst Merritt Maxim notes, “Removing ex-employees’ access to systems is a critical step to mitigate risks of future data breaches or other security incidents.” He further went on to say that “It’s just good security hygiene.”
Higher Risk from Previous Employees
In any organization, there is always some degree of risk involved. However, the dangers become even more profound when you have a disgruntled former employee who has decided to “get even.” In fact, former associates are sometimes more apt to perform illicit acts because they believe they have nothing to lose. Even when people leave on good terms, they can sometimes be motivated by greed, such as when a competitor solicits them for information.
Steve Durbin, the managing director of the Information Security Forum, put it like this:
“Employees who pass preliminary vetting and background checks may now—or in the future—face any number of circumstances that entice them to break that trust: pressure through intimidation; being passed over for promotion, extortion or blackmail, offers of large amounts of money or simply a change in personal conditions.”
So no matter how well you think you know someone, you can never be quite sure what he or she will do once they are no longer employed by you. This is especially true if an individual feels slighted and believes the only way to make things right is to enact revenge.
Time-Consuming Process
If companies are aware of the risks, why don’t they take a person’s access away sooner? The answer often comes down to time. Deleting all accounts and permissions can sometimes take hours, especially if a business does not have a streamlined process for doing so.
Another issue has to do with communication. Some organizations may use dozens of applications, and therefore do not have a complete picture of all the ones a particular individual was using. As a result, IT departments may de-provision certain ones while leaving others open. For example, a person might lose access to computer software, yet still be able to utilize email or remotely log into company-issued laptops they have not yet returned.
Data Security Policy
The threats posed by former employees are very real, which is why you should have a plan in place to mitigate your risks. One way of doing that is to develop a data security policy that will address the steps your IT department will take whenever someone quits or is terminated. Some things to include in a data security policy are:
- The need to change passwords often, along with strong password requirements that include a combination of letters, numbers, and symbols.
- Keeping data transfers to a minimum. Use the cloud whenever possible to avoid moving data from one device to another. Doing so will also prevent employees from carrying storage devices home with them.
- Backing up data on a regular basis. That way, you can keep information loss to a minimum should a disgruntled former employee start deleting or altering things.
- Implementing technology that will warn you of any breaches in your firewall.
- Encrypting sensitive data.
- Automated permissions removal that takes place as soon as someone leaves your company.
- Communication requirements with HR personnel so that the IT department becomes aware of terminations as quickly as possible.
Having a single sign-on policy can be advantageous as well. With a single sign-on system, you can delete access to all systems that an employee uses without having to deactivate each one individually. Not only will this reduce the amount of time it takes to off-board someone, but it also prevents certain accounts from inadvertently slipping through the cracks.
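Where applications sit outside single sign-on, a periodic reconciliation of the HR roster against each application's account export catches the accounts that were missed. The script below is an added example, not part of the original article; the CSV column names, application names, and addresses are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: an HR roster and per-application account exports.
HR_ROSTER = """email,termination_date
alice@example.com,
bob@example.com,2024-03-01
carol@example.com,2024-03-20
"""
APP_EXPORTS = {
    "email": "email,status\nalice@example.com,active\nbob@example.com,active\ncarol@example.com,disabled\n",
    "vpn": "email,status\nBob@Example.com,active\ncarol@example.com,active\n",
    "crm": "email,status\nbob@example.com,disabled\ndave@example.com,active\n",
}


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(roster_csv, app_exports, today):
    """Return (lingering, unowned).

    lingering: (app, email, days_since_termination) for accounts still active
               after the owner's termination date, longest-lived first.
    unowned:   (app, email) for active accounts with no HR record at all.
    """
    roster = {}
    for row in _rows(roster_csv):
        term = row["termination_date"].strip()
        roster[row["email"].strip().lower()] = date.fromisoformat(term) if term else None

    lingering, unowned = [], []
    for app, export in sorted(app_exports.items()):
        for row in _rows(export):
            email = row["email"].strip().lower()  # apps differ in case handling
            if row["status"].strip().lower() != "active":
                continue
            if email not in roster:
                unowned.append((app, email))
            elif roster[email] is not None and roster[email] <= today:
                lingering.append((app, email, (today - roster[email]).days))
    lingering.sort(key=lambda r: -r[2])
    return lingering, unowned


if __name__ == "__main__":
    for finding in audit_accounts(HR_ROSTER, APP_EXPORTS, date(2024, 4, 5)):
        print(finding)
```

The `unowned` list matters as much as the `lingering` one: an active account with no HR record has no owner whose departure would ever trigger its removal.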
Consider Managed IT
Managed IT services can help you mitigate any potential risks that might occur between the instant an individual leaves his or her employment and the time when permissions are removed. In today’s digital age, they are a must for any business that is concerned about a significant data breach or loss.
Here at BWS Technologies, we provide a number of IT services ranging from virus removal to backup and recovery. Don’t wait until you have experienced a data breach to partner with us. Contact us today to find out how we can help you protect your business.