Data breaches instigated by former employees do not gain as much media exposure as those caused by cybercriminals. However, these insider attacks can pose a significant threat to companies’ data as well as their bottom line, as the following examples demonstrate:
- Over a two-year period, the co-owner of an engineering firm accessed the servers of his former employer (also an engineering firm) as well as the email of a former colleague. He stole proprietary business data estimated to be worth around $425,000 (USD).
- For eight months after leaving a company for a different job, a man accessed the servers at his former employer. Besides deleting files, he shut down the former company’s trading system, making it unavailable to customers. In all, the estimated loss to his former employer is more than $10,000.
- After being asked to resign, a man accessed 13 servers operated by his former employer, a healthcare facility. He disabled administrative accounts, deleted business data, and deleted patients’ data, including their medical records, causing a loss in excess of $5,000.
Such incidents occur more frequently than you might realize. A 2017 study conducted by Arlington Research found that 20% of the 500 organizations surveyed were the victims of data breaches perpetrated by ex-employees.
A Common Thread
Data breaches caused by former employees often have one thing in common: The ex-employees — no matter whether they were terminated or left on their own — still had access to their former employers’ resources, including applications and computer systems.
Surprisingly, companies often know that ex-employees have such access. In the 2017 study, nearly half of the 500 respondents admitted that the accounts of former employees remain active for some time after they leave. Out of that group, 50% said that the ex-employee’s accounts remain active for longer than a day, 25% said the accounts are active for more than a week, and 25% did not know how long former employees’ accounts remain active.
Leaving ex-employees’ accounts active is risky. A former employee with a grudge or a desire to steal proprietary data might try to take advantage of this access.
What You Can Do to Protect Your Business
To protect against data breaches caused by ex-employees, you can follow a two-step strategy. The first step is purging your computer systems of existing old accounts. This includes identifying and removing the user accounts of former employees and removing their memberships in group accounts. If a former employee had access to a particularly sensitive account (e.g., an administrative account), you should also consider changing that account’s password, since removing the ex-employee’s own account does nothing to revoke a shared credential they already know.
The second step is preventing the accumulation of old accounts in the future. An effective approach is to set up a process for deprovisioning former employees’ user accounts and their group memberships immediately after they leave. Plus, it is a good idea to set up an account provisioning process that follows the principle of least privilege (i.e., limiting employees’ access to the minimal level that will allow them to perform their job duties). This will help limit the potential damage of a data breach caused by insiders, such as employees who know they will be quitting soon and want to steal data or wreak havoc beforehand.
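As an added illustration of the two steps above (not code from the original article), the following script reconciles a directory export against the HR roster of current staff, lists the accounts that belong to people who have left, and produces the ordered deprovisioning steps: disable the account, strip its group memberships, and flag any privileged group whose shared credentials must be rotated. It also reports how long each account stayed enabled after departure, the figure the 2017 study says many organizations cannot state. All names, groups and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Account:
    user: str
    enabled: bool
    groups: List[str]
    left: Optional[date] = None   # departure date from HR; None if still employed

@dataclass
class Action:
    user: str
    steps: List[str]   # ordered deprovisioning steps for this account
    days_open: int     # days the account stayed enabled past the departure date

def plan_deprovisioning(accounts, hr_current, privileged_groups, today):
    """Compare directory accounts with the HR roster of current staff and return
    the deprovisioning steps for every account whose owner is no longer employed."""
    actions = []
    for acct in accounts:
        if acct.user in hr_current:
            continue                          # still employed: nothing to do
        if not acct.enabled and not acct.groups:
            continue                          # already fully deprovisioned
        steps = []
        if acct.enabled:
            steps.append(f"disable account {acct.user}")
        steps += [f"remove {acct.user} from group {g}" for g in acct.groups]
        # A shared administrative credential cannot be "removed" from a leaver;
        # it has to be rotated, so flag every privileged group they belonged to.
        steps += [f"rotate credentials held by group {g}"
                  for g in acct.groups if g in privileged_groups]
        days_open = (today - acct.left).days if (acct.enabled and acct.left) else 0
        actions.append(Action(acct.user, steps, days_open))
    return actions

def overdue(actions, max_days=1):
    """Accounts that stayed enabled beyond the allowed grace period after departure."""
    return [a.user for a in actions if a.days_open > max_days]

# Constructed sample data (hypothetical users, groups and dates).
HR_CURRENT = {"alice", "bob"}
PRIVILEGED_GROUPS = {"domain-admins"}
TODAY = date(2024, 5, 31)
ACCOUNTS = [
    Account("alice", True, ["engineering"]),
    Account("carol", True, ["engineering", "domain-admins"], date(2024, 5, 1)),
    Account("dave", False, ["finance"], date(2024, 1, 10)),
    Account("erin", True, ["trading-ops"], date(2024, 5, 30)),
]
```

Running `plan_deprovisioning(ACCOUNTS, HR_CURRENT, PRIVILEGED_GROUPS, TODAY)` yields actions for carol, dave and erin; `overdue(...)` then singles out carol, whose account stayed enabled for 30 days.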
An Important but Time-Consuming Endeavor
Making sure that former employees cannot access your business’s data and systems is important. While purging old accounts might not take too long, setting up and managing the provisioning and deprovisioning processes can be time-consuming. To help simplify these processes, you might consider using an access control tool or identity management service. We can recommend the best solution for your business based on your needs.