Chris Sullivan, VP advanced solutions, Courion
Chris Sullivan, VP advanced solutions, Courion

As another academic year comes to an end, many graduates are preparing themselves for a busy three months ahead as an intern. It is estimated that there are about 100,000 internships in the UK every year, and a significant amount of these will take place over the summer period. No doubt every intern has undertaken certain preparations to ensure they make a big impression with their new employers. However, it's equally as important that that businesses and organisations alike are preparing themselves for the IT and security challenges that temporary employees can pose.

Unpaid internships have particularly been a hot topic for the UK's political leaders during the recent election, and businesses are becoming increasingly aware of how important it is for any industry to treat interns responsibly. This includes paying a fair wage and making sure they are doing work that's meaningful and adds value to the business. A lot of these changes are also about making internships a formal part an organisation's talent recruitment process, as it becomes much more professionalised and less about who you know on the inside. Similarly businesses also need to make sure the incoming wave of summer interns doesn't leave the firm with an access risk headache.

Ensuring that an intern's contribution to the company is meaningful requires them to have access to the company database and a certain level of information, and as we all well know this access needs to be governed and managed accordingly for security reasons. While there's nothing inherently risky with employing interns, it is critical that the provisioning and later de-provisioning of ID and access privileges is processed correctly.

So what is the risk?                                                                                       

As with any temporary members of staff, it can be easy to forget about an intern's user account once they leave the company. Especially when you consider that waves upon waves of interns may come and go within a business, working for just a few months or so at a time, it can be difficult to keep track of all the user accounts they generate. However, once these interns leave, they also leave behind a pile of abandoned access accounts that are still live. The risk is even greater when the intern is given privileged access rights to work alongside a senior manager on a special project. The problem here isn't the intern themselves, but how too often companies neglect to terminate the accounts used by interns when summer ends.

What makes things even more problematic for a business is that abandoned accounts aren't revealed during the typical periodic audit that their IT department might conduct. The serious threat from these accounts is that they often remain unnoticed for long periods of time and can be used by hackers as an easy entry point in a data breach. Of course, some ex-interns may misuse these old access rights for their own personal gains.

Based on evaluations of access risk conducted by Courion at more than twenty major corporations, organisations often have not just a few, but thousands of abandoned accounts. Once you also consider that a recent PwC report estimates a cyber-attack can costs companies an average of £1.46 million, adopting a good housekeeping strategy for user accounts may just save your business millions.

Eliminating the abandoned accounts associated with interns makes total sense, but CISOs need efficient and easy ways to prevent the problem happening in the first place and uncover them when they have been allowed to multiply. It is good identity and access housekeeping that can help here, facilitated by intern on and off-boarding processes that take account of access rights and privileges. Automating these as much as possible will be key to mitigating the human error that can arise, especially when interns are being managed over the summer months when teams can be more relaxed and less attentive to all the rules.

Contributed by Chris Sullivan, General Manager Intelligence and Analytics, Courion.