Insider threat levels from ex-staffers greater than expected

A third of of ex-employees have access to company data and 9 percent have used their access privileges, says new research.

Insider threat levels from ex-staffers greater than expected
Insider threat levels from ex-staffers greater than expected

Research just published suggests that around a third (36 percent) of staff still have access to company data and/or systems after they have left their employer, raising fears that the `insider threat' issue - which has been discussed as a security risk for many years - may be lot larger than was previously thought.

Perhaps of greater concern is that fact that nine percent of the 2,000 desk workers in the US and the UK whose responses were polled, said they had actually used their access/data rights after they had left their employer.

The report - entitled `From Brutus to Snowden: a study of insider threat personas' - suggests that organisations are neglecting to use post-termination processes, allowing ex-staffers continued access to systems and data after they have left the company.

On top of this, notes the research, younger employees (58 percent of 16 to 24 year olds and 48 percent of 25-34) said they were aware their access rights had not been revoked. This percentile decreases for older age groups, averaging just 21 percent for those aged over 55, which IS Decisions - the company that carried out the analysis - says could be attributed to younger age groups moving jobs more frequently, but does suggest that the issue is a growing one.

Delving into the report reveals that 46 percent of HR and recruitment - as well as IT, arts and culture - employers were slack at revoking access to IT systems.

François Amigorena, CEO of IS Decisions, said that, “as the number of disparate systems and networks we use in our every day working lives increases, it's natural that access management is becoming a more difficult problem to address for organisations."

“The fact is though, that an ex-employee is more likely to have incentive than anyone to put this access to malicious use. 

"Former employees are probably the greatest insider threat, yet they are the easiest to address - just make changing passwords and deactivating accounts a part of the termination process. Yet businesses are failing to do this, and worse still businesses in the industries you would most expect this to be standard procedure, IT and HR, are failing even more than the rest," he explained.

The report makes five main recommendations, including better education on security among management; restricting concurrent access to systems; considering harsh penalties for transgressions; restricting network access to departments at certain times; and making the process of securely delegating work (and access to systems) a lot easier.

The report also concludes that senior staff need to sharpen their security on passwords, which managers tend to share too often.

"The findings in this report about people's password sharing habits are concerning, especially given that the younger generation who are supposedly more tech savvy are in fact far more blasé about it. By educating your users about these dangers, along with using technology to apply the appropriate restrictions, you can mitigate these risks within your business," the analysis notes.

Commenting on the research findings, Steve Smith, managing director with Pentura, the security consultancy, said that an effective DLP (data leak prevention) strategy has to cover not only types of data and where it is stored, but also which employees have permission to access it - from new joiners to contractors and those leaving the company.

"As part of this organisations need to conduct regular audits to maintain best practice, and where applicable, revoke employee access. The potential risks that organisations expose themselves to by not considering employee permissions and access points can't be understated – and neglecting to deploy vigilant post-termination processes can leave companies wide open," he said.

Professor John Walker, a visiting professor at the School of Computing and Informatics with Nottingham Trent University, said he used to think that the issue of insider threats from ex-employees accessing company data was over-hyped until a couple of years ago, when he became aware of two security incidents.

The first involved a financial firm whose staff in the field faxed in their report sheets every evening, and cleaning staff then came in overnight - gaining access to the communications room for cleaning purposes.

"In another example, the firm had an Indian call centre and criminals managed to persuade staff there to allow them access to systems. The problem with Indian call centres is that, once the criminals have access, they rarely let go. They are in for good - there is no escape for the staff concerned," he explained.

Against this backdrop, Walker advises that organisations also need to look at the data and system access privileges of lowly paid staff, such as cleaners, and use suitable electronic and physical security to limit access to critical or confidential company data.