Most Singapore firms unsure if old employee accounts properly removed

Only 7 percent of professionals responsible for IT security in Singapore say they remove user access immediately after a change in employment status.

In addition, just 4 percent were confident they had no dormant accounts in their network, according to an online survey conducted by Dimensional Research and commissioned by Quest Software's One Identity. The study polled 100 respondents in Singapore, who were part of a global survey that encompassed 913 professionals with IT security responsibilities across eight markets, including Australia, Hong Kong, and Germany.

And while 39 percent in Singapore said they were "very confident" they knew which dormant user accounts existed within the network, 93 percent acknowledged it would take at least a month to identify these accounts. In comparison, 84 percent across all global markets said it would take a month or longer to do the same.

Another 81 percent in Singapore lacked confidence that accounts of former employees, as well as employees who had changed roles, had been fully deactivated or changed in a timely fashion, compared to 70 percent globally.

Some 25 percent were "very confident" user rights and permissions were correctly allocated according to their roles, the study revealed. Not surprisingly, 88 percent expressed concerns about risks presented by dormant accounts.

While 99 percent had processes in place to identify dormant users, only 22 percent were provided tools to help them find these accounts. Just 5 percent in the country performed audits of employee roles more than once a month.

Lennie Tan, One Identity's Asia-Pacific Japan vice president and general manage, said: "The alarming results of our study prove that organisations in Singapore are exposing unsecured identities and creating security holes for hackers to exploit. Those that don't adopt stronger defenses and innovative solutions to mitigate the growing risk more quickly, might face serious consequences including reputation and financial loss."

The identity management vendor said one of the easiest ways to gain access into corporate IT networks was by stealing user credentials, such as user names and passwords. This then would enable malicious hackers to further access other critical data including customers' personally identifiable information (PII) and financial records.

"The more time inactive accounts are available to bad actors, the more damage can potentially be done including data loss, theft, and [data] leakage, which could end up in irreparable damage to reputations, compliance violations, as well as possibly large fines and a significant drop in stock valuation," One Identity said.

In its annual audit report released earlier this year, Singapore's Auditor-General's Office (AGO) uncovered numerous lapses involving how local government ministries and agencies managed their IT systems. These included unapproved administrative changes, unauthorised third-party access, and failure to remove former employee accounts.

The Central Provident Fund Board, for example, failed to promptly remove 14 user accounts after employees had left the board, including six that were used after the staff's last working day. Similar lapses were found at NParks, which did not remove access rights of 104 suspended user accounts after the employees had left the organisations, some as far back as a decade ago.

Hong Kong, Australia face similar challenges

According to the One Identity survey, findings in Hong Kong and Australia were similar to Singapore's.

Just 10 percent of respondents in Hong Kong were confident there were no dormant accounts in their corporate network, while 16 per cent said they immediately removed user access after a change in employment status.

Some 63 percent lacked confident that accounts of former employees were fully deactivated in a timely fashion, while 88 percent said it took at least a month to identify dormant accounts. Another 79 percent were concerned about risks posed by dormant accounts, though, just 7 percent said roles were audited more than once a month.

And while 96 percent had processes in place to identify dormant users, only 14 percent had tools to help them do so.

Over in Australia, 82 percent of respondents said it would take at least a month to identify dormant user accounts, while 66 percent lacked confidence accounts of former employees were fully deactivated in a timely fashion.

Just 8 percent said they immediately removed user access upon a change in employment status, and 19 percent were "very confident" user rights and permissions were correctly assigned to the employee's roles.

While 92 percent had processes to identify dormant users, 29 percent had tools to help them find such accounts. In addition, just 9 percent were confident there were no dormant user accounts within their corporate network. Twenty percent were "very confident" they knew which dormant user accounts existed, while 56 percent expressed concerns about the risk posed by such accounts.

Just 10 percent in Australia conducted audits of employee roles more than once a month.