Are you wary of the insider on the outside?


Whenever the risks from the inside threat are discussed, it's usually about the disgruntled/malicious employee within the firewall abusing permissions to steal data or plant malware in sensitive parts of the network.

But, there's an insider on the outside that's often forgotten -- the ex-employee with access to user accounts (and default settings) that remain active after he/she has left the company.

A survey from Symark International drives home the point:

The study revealed that 42 percent of businesses do not know how many orphaned accounts exist within their organization, and 30 percent of respondents said they have no procedure in place to locate orphaned accounts.

That's not a surprise at all. I've interviewed CIOs and CSOs for feature stories in the past about this issue and I'm always amazed at how few resources are allocated to deal with the insider on the outside. Too often, e-mail accounts of ex-employees are never disabled; default passwords for access to sensitive parts of an IT environment are never changed, leaving gaping holes through which valuable data can be stolen.

Other key findings from the survey include:

- Approximately 27 percent of respondents said that more than 20 orphaned accounts currently exist within their organization.

- More than 30 percent of respondents said it takes longer than three days to terminate an account after an employee or contractor leaves the company, while 12 percent said it takes longer than one month.

- More than 38 percent of respondents said that they had no way of determining whether a current or former employee used an orphaned account to access information, while 15 percent said that this has occurred at least once.

The big takeaway: Businesses must invest in and implement policies and technologies to ensure that user accounts are terminated swiftly as soon as the employee leaves the company. This is especially true for large, international enterprises managing locations across the globe.
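
The survey findings describe three gaps: no procedure to locate orphaned accounts, deprovisioning that takes longer than three days, and no way to tell whether an orphaned account was used. The sketch below is an added example, not part of the original article or the Symark survey, showing one way to check all three by reconciling an HR departure list against a directory export and an authentication log. The CSV layouts, column names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample exports (assumed column layouts, not real data).
HR_DEPARTURES = """employee_id,last_day
e1001,2024-03-14
e1002,2024-05-30
e1003,2024-06-02
"""
ACCOUNTS = """account,owner_id,enabled,disabled_on
jdoe,e1001,true,
jdoe-admin,e1001,false,2024-04-20
asmith,e1002,false,2024-05-30
bwong,e1003,false,2024-06-04
mlee,e2001,true,
"""
LOGINS = """account,timestamp
jdoe,2024-06-10T02:14:00
asmith,2024-05-29T09:00:00
mlee,2024-06-11T08:30:00
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(hr_csv, accounts_csv, logins_csv, max_lag_days=3):
    """Flag accounts of departed staff: still enabled, disabled late, or used after exit."""
    left = {r["employee_id"]: date.fromisoformat(r["last_day"]) for r in rows(hr_csv)}
    out = {"orphaned": [], "slow_disable": [], "used_after_exit": []}
    exit_by_account = {}
    for a in rows(accounts_csv):
        name, owner = a["account"], a["owner_id"]
        if owner not in left:          # owner is still employed (or unknown to HR)
            continue
        exit_by_account[name] = left[owner]
        if a["enabled"] == "true":     # departed owner, account still live
            out["orphaned"].append(name)
        elif a["disabled_on"]:         # disabled, but how long after the last day?
            lag = (date.fromisoformat(a["disabled_on"]) - left[owner]).days
            if lag > max_lag_days:
                out["slow_disable"].append((name, lag))
    for entry in rows(logins_csv):     # any authentication dated after the owner's exit
        exit_day = exit_by_account.get(entry["account"])
        if exit_day and datetime.fromisoformat(entry["timestamp"]).date() > exit_day:
            out["used_after_exit"].append((entry["account"], entry["timestamp"]))
    return out

if __name__ == "__main__":
    print(audit(HR_DEPARTURES, ACCOUNTS, LOGINS))
```

The `max_lag_days=3` default mirrors the three-day threshold in the survey question; an account with a blank `owner_id` is skipped here and would need a separate ownership review.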


Talkback

6 comments
  • Policy is step one

    Having good policies for employee termination is step one. Step two is for IT and non-IT personnel to partner up to get this accomplished ASAP.

    Having a checklist has helped clients of mine to know what to do and when. It also helps determine where and when breakdowns occurred in the process and to improve them moving forward.
    srobtjones@...
    • Yup, it has to be part of the risk management preparation

      Yes, I agree it's something that has to be part of the preparation checklist during the risk management setup. It really surprises me that such a gaping hole is left unattended in some of the biggest companies.

      _ryan
      Ryan Naraine
  • Annual reviews

    Most organizations, I have found, are good at taking away the main LAN access, effectively keeping the outsider outside. Internal access, however, typically takes much longer. Often they rely on annual access reviews to clean up old users. Then you're back to worrying about the insider using these accounts to hide their malicious activity.
    jshaw4343
  • What if...

    the insider on the outside is the former Director of MIS?

    That happens to be me. The person who took over my position has STILL not changed any Admin usernames or passwords, EIGHTEEN MONTHS after taking over the job. How do I know? Because I check it on an irregular basis remotely. I can still get to all of the servers, and workstations, from the outside via remote access clients.

    I left on completely amicable terms, and would never do anything to harm the organization. Actually, I am appalled that the current director has done nothing to secure the systems, but am concerned that if I bring it to the attention of the CEO, the new person may lose his/her job -- which maybe they should.

    The very first day on my new job, I changed every username and password I could that had Admin privileges. I also deleted all of my predecessor's user accounts.

    So if the admin isn't doing their job -- it's an uphill battle to keep former worker-bees out.
    IT_Guy_z
    • If you really want to help,

      ...talk to the new guy, not his boss. In this manner you can share the wisdom of your experience without the risk of getting him in trouble.

      He'll either appreciate the heads-up, or he'll think you're trying to tell him how to do his job, but in either event at least he'll be aware of the issue.

      And if talking to the guy doesn't do any good, consider talking to his boss about it later. That's assuming you're genuinely concerned about the lax security issues and not just trying to make yourself look good by pointing out your predecessor's shortcomings.
      Your Mom 2.0
  • RE: Are you wary of the insider on the outside?

    This can also be true of small businesses. Especially if they contract their IT for a limited time.
    mr1972