Passwords are key when firing employees

Summary: Many companies don't do all they should to secure the company from a potentially hostile former employee. Without the right tools it can be hard.

Nobody (well, nobody with a heart) likes letting employees go, even when you're firing them for cause. But you do what you have to do, and one of the things you have to do is to remove the employee's access to company resources. This many companies don't do, at least not effectively.

Much of this is common sense, such as deactivating card keys and other physical access methods. Where it gets murkier is when IT resources are involved. Indeed, Lieberman Software's recent 2014 Information Security Survey found that more than 13 percent of respondents could still access a previous employer's systems with their old credentials. The survey points out other discouraging indications of bad policy.

Not every termination is on bad terms. I myself have twice been laid off and immediately brought on as a consultant, making it senseless to remove my system access. But if the employee's gone then you really need to have a policy and a procedure in place to deny the employee any access.

Ground zero of this effort has to do with passwords. Before going further, I'd like to take this opportunity, as I do so often, to point out that this is yet another example of the benefits of two-factor authentication. If you can just deactivate an OTP fob or something similar, then your job is much easier and you can take your time with the passwords.

When you don't have two-factor authentication in place you have to deactivate accounts and/or change passwords. For internal resources controlled through Active Directory, this is not a lot of work. But nowadays companies use many outside services, typically with their own username and password. If the company has a Twitter account, you don't want the ex-employee tweeting through it. If there's a company PayPal account, you might want to make sure the employee can't access it.

Just as password managers are the only way individual users can use passwords securely these days, enterprise versions of password managers may be the only way to track and manage secure use of company passwords by employees. There are many such products, including LastPass Enterprise, RoboForm and Thycotic Secret Server. I've been a LastPass user for some time.

The main value in an enterprise password manager, just as with a single-user password manager, is to make it easier for users to use passwords securely: to make them complex, unique for each site and easier to change periodically. At certain times, such as when "offboarding" an employee, they show added value by providing audit information on which resources the employee has had access to and logged into.

The possibility of having to lock out an employee may make you consider measures you have avoided so far. Consider a shared Wi-Fi password. Do you really want to change it for everyone, or is it time to use a managed router and individual authentication?

There are limits to what password managers can do. They can't — at least not yet — change a user's passwords en masse, so you may have to change a lot of passwords manually. But they usually make things better and don't ever make things worse.
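The three points above (deactivate accounts and rotate shared credentials for outside services, use the vault's audit trail to see what the departing employee could reach and actually used, and accept that the rotation itself is manual work) can be turned into a prioritised offboarding worklist. The following Python is an added example written for this page; it is not code from the article or from any of the password managers it names. It assumes a constructed vault export (entries with the set of users who can view each credential and whether the resource also has a second factor) and a constructed login audit log; the names, dates and the 30-day "recently used" window are all made up for illustration.

```python
"""Offboarding worklist from a shared-credential vault export and its audit log.

Rule of thumb encoded here: any shared credential the departing user could
*view* in the vault must be rotated, whether or not the audit log shows a
login, because a password seen once is a password known. Where the resource
also has a second factor, revoking that factor is the quick first step and the
password rotation can follow at a calmer pace.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VaultEntry:
    name: str               # shared resource, e.g. a corporate social-media login
    shared_with: frozenset  # usernames allowed to view this credential in the vault
    two_factor: bool        # True if the resource also requires a second factor


@dataclass(frozen=True)
class LoginEvent:
    user: str       # who used the credential
    entry: str      # which vault entry was used
    when: datetime  # when it was used


# Actions, listed from most to least urgent
REVOKE_2FA = "revoke second factor now, rotate password later"
ROTATE_NOW = "rotate password immediately"
ROTATE = "rotate password"


def access_audit(events, departing):
    """Last time the departing user used each shared credential (audit view)."""
    last_use = {}
    for ev in events:
        if ev.user == departing:
            last_use[ev.entry] = max(last_use.get(ev.entry, ev.when), ev.when)
    return last_use


def rotation_plan(entries, events, departing, now, recent=timedelta(days=30)):
    """Return [(entry name, action)] for every shared credential the departing
    user could read, most urgent first. Entries not visible to the user are
    left out: nothing to rotate there."""
    last_use = access_audit(events, departing)
    plan = []
    for e in entries:
        if departing not in e.shared_with:
            continue
        used_recently = e.name in last_use and now - last_use[e.name] <= recent
        if e.two_factor:
            rank, action = 0, REVOKE_2FA   # cheap, immediate lockout; rotate later
        elif used_recently:
            rank, action = 1, ROTATE_NOW   # known and in active use by the leaver
        else:
            rank, action = 2, ROTATE       # known, so still rotate, just less urgent
        plan.append((rank, e.name, action))
    plan.sort()
    return [(name, action) for _, name, action in plan]


# Constructed sample data (not real accounts or dates)
NOW = datetime(2014, 6, 2, 9, 0)
VAULT = [
    VaultEntry("Corporate Twitter", frozenset({"alice", "bob"}), False),
    VaultEntry("Company PayPal", frozenset({"alice", "carol"}), True),
    VaultEntry("Office Wi-Fi (shared PSK)", frozenset({"alice", "bob", "carol"}), False),
    VaultEntry("Payroll portal", frozenset({"carol"}), False),
]
LOGINS = [
    LoginEvent("alice", "Corporate Twitter", datetime(2014, 5, 28, 14, 5)),
    LoginEvent("alice", "Company PayPal", datetime(2014, 3, 1, 10, 0)),
    LoginEvent("bob", "Office Wi-Fi (shared PSK)", datetime(2014, 6, 1, 8, 0)),
]

if __name__ == "__main__":
    # Offboarding "alice": the payroll portal is untouched because she never
    # had vault access to it; the Wi-Fi PSK is rotated even with no login on record.
    for name, action in rotation_plan(VAULT, LOGINS, "alice", NOW):
        print(f"{name:28} -> {action}")
```

The output for the sample data is a three-line worklist: revoke the second factor on the PayPal account first, rotate the Twitter password immediately because the leaver used it last week, then rotate the shared Wi-Fi key. Feeding the same plan a user who was re-hired as a consultant simply means not running it for them, which is the policy decision the article leaves to you.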

  • I work in security and process is one of the weakest links.

    A lot of security talk is on technology (firewalls, IDS/IPS, A/V, OS hardening, SIEMs [the "machine"]). While those are important what is often overlooked is process / procedures / policies / standards.
  • There are only two days in the year that nothing can be done

    Yesterday and tomorrow. When it comes to connecting to your former employer's network, procrastinate until tomorrow.
  • Password Manager

    I love my password manager. I would recommend RoboForm to anyone! Great tips, Larry.
  • RoboForm

    I use RoboForm both personally and professionally; couldn't live without it in either situation! Sharing passcards between employees (especially new hires) is a great feature, as is the password generator!
  • RoboForm Enterprise

    I also use the RoboForm password management software for my own personal use and am in the process right now of convincing my employer to adopt the Enterprise version. With login credentials being shared on such a large scale RoboForm makes it easy to eliminate the frequent human errors and secure sensitive information.