The curse of the ex-employee - A horror story
The curse of the ex-employee - A horror story

Businesses are constantly on the lookout for talented staff to help improve every aspect of the day to day running of a company. Staff are often considered the heartbeat of an organisation and are innately integral to a business's success. But it is inevitable that some staff will eventually leave. Ideally, the departing staff member will leave on good terms with no ill feelings for their, soon to be, ex-employer. Of course, this is not always the case and things can be complicated. Businesses need to be doing everything possible to make sure ex-employees do not leave with access to business-critical information.

Don't rely on loyalty

We have all seen the hugely damaging actions that former employees can inflict upon businesses. One such example is a huge data breach experienced by OFCOM[1], when it discovered that a former employee had downloaded and shared over six years' worth of data with their new employer, which happened to be a major broadcaster. Luckily for OFCOM, the broadcaster in question chose not to exploit the data and alerted OFCOM to the stolen information. Shockingly, the latest research from OneLogin shows that despite the threat of former employees, more than half (58 percent) still have access to the corporate network once they have left an organisation and almost a quarter of businesses (24 percent) experience data breaches due to the action of ex-employees. The OFCOM data breach could have been catastrophic if it had have been used by a competitor, not to mention the potential damage to brand reputation. Similarly, businesses must also consider that when the European Union's General Data Protection Regulation (GDPR) comes into effect in 2018, UK firms could face a penalty of up to four percent of their annual worldwide revenue, or €20 million, whichever is higher[2], enough to leave an organisation with financial difficulties. Of course, there are scenarios where organisations have not been as lucky as OFCOM.


In fact, Marriott Hotels experienced the full force of a disgruntled former employee in 2016. According to court documents[3], a former Marriott employee was fired from the company in August 2016, and was told not to access the company's internal systems. However, despite this warning, the former employee accessed Marriott's reservation system from the comfort of their home, slashing room rates down from £118 to £772 down to £9 to £44. This particular breach cost Marriott more than £37,000. Mariott, however, isn't the only organisation to have left themselves open to disgruntled ex-employees. In fact, 28 percent of former employee's accounts remain active for longer than a month.

Cross departmental collaboration is key

A former employees' word is not enough. HR and IT must work together to avoid situations such as this and it doesn't have to be difficult or time intensive. Automated processes can be used to deprovision all access to corporate accounts within minutes of an employee's contract being terminated to protect valuable corporate data. There are tools available to ensure that once an employee has logged off for the final time they are locked out from that moment onwards. OneLogin's research revealed that only half of UK businesses use automated de-provisioning technology to ensure this happens. In addition, 45 percent of businesses don't use a Security and Information Manager (SIEM) to check for application use by former employees, leaving vital corporate data exposed to potential leaks. Businesses revoke a former employees' means of physically getting into the office, so it is essential that their digital access is also revoked on departure.

Understand the issue and deal with it

It is crucial that businesses wake up and acknowledge that former employees exploiting corporate access is a problem and yes, it could happen to any company. It is clearly not enough to rely on the goodwill of ex-employees, however trustworthy they may appear to be. With so much at stake, are organisations really willing to leave the key to the business' most precious assets in their hands? Quite frankly, there is no reason to.

Some employees leaving an organisation don't have many loyalties to their previous employer, no matter how amicable their departure was, meaning security risks are highly likely. Therefore, it is imperative that deprovisioning employees' corporate access on their last day is an absolute priority. Companies need to use the right tools to ensure this happens. These include:

  • Automated syncing of HR directories such as Workday, UltiPro, and Namely, which are the source of truth for employee status, and IT directories such as Active Directory and LDAP, which often control access to applications.
  • Automated deprovisioning of employees from applications that have an application programming interface (API) for user management. Most “birthright” applications that are widely used in companies, such as Office365 and G Suite, have these APIs.
  • Automatic checklist generation for IT admins, to ensure that they manually deprovision all ex-employees from all apps. Most applications don't yet have an automated deprovisioning API and require manual intervention from IT.
  • Application access events sent to SIEM systems, to double-check that no ex-employees are accessing applications.

It is crucial that departments, such as IT and HR, work collaboratively to deal with the curse of the ex-employee. If organisations follow the steps outlined above, they can be assured that the only thing an ex-employee will be leaving with is their P45, not confidential corporate data.  


Contributed by Alvaro Hoyos, CISO at OneLogin

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.