Public sector organisations are among those failing to offboard employees properly, leaving them exposed to huge security risks.

A recent survey by Beyond Identity found that 91 percent of employees admit to still having access to company passwords and systems after leaving. Nearly a third of surveyed employers have suffered a website hack, and over 25 percent have had their companies’ reputations damaged, because of ineffective offboarding.
“Clearly, it’s a problem that needs serious attention. By not having a proper handle on offboarding processes, businesses could be rendering the rest of the security team’s work for naught, exposing themselves to significant risk,” said Bob Burke, VP, security and infrastructure at Beyond Identity.
Burke believes improper offboarding stems from a lack of processes in place, whether the cause is inadequate time, resources, or care.
“A combination of these factors means the offboarding process isn’t being given the attention it needs, leading to avoidable risk. In some cases, it’s just that the process isn’t being managed quickly enough; while employers are revoking access to former employees’ accounts once they depart, the damage has already been done,” he said.
Neglecting to revoke access
So, what’s behind the failure to deactivate employee accounts? The Beyond Identity data shows that the most common offboarding oversights involve neglecting to revoke access to work-related IT accounts and services. According to recently laid-off employees, many still had access to their former company’s email (32 percent), software (31 percent), and social media accounts (30 percent) after being let go. Even more alarming, nearly a quarter (23 percent) said they can still access company financial information, which could lead to expensive data leaks.
“There are three main security risks associated with improper offboarding,” explained Burke. “Perhaps the most critical of all is the insider threat – a disgruntled ex-employee may have motive and the access and knowledge needed to cause serious harm. An insider risk can easily be mitigated by conducting exit interviews to better understand or elicit potential concerns and motivations. Furthermore, after the employee has left, companies must restrict access to and ensure tighter monitoring around the ex-employee’s accounts, especially if they had access to sensitive information.
“Another security risk is the potential remaining unauthorised access to data and systems; if offboarding processes are not followed, or in place, and an employee is still able to access documents, this leaves a backdoor open for potential exploitation. To eliminate this risk, organisations should implement comprehensive offboarding procedures that include the deactivation of all types of credentials and access.
“Finally, but most definitely not least, organisations must prepare for offboarding to ensure there isn’t a loss of critical knowledge or expertise. The ex-employee may have sole knowledge or expertise within an area. In cases where the offboarding is planned, rather than an employee suddenly quitting, businesses must attenuate any critical knowledge loss by cross-training employees where possible. Businesses should also mandate updated documentation and/or run books on processes, systems and general information. Otherwise, companies run the risk of losing critical security knowledge, leaving them open to vulnerabilities they may not know how to eliminate anymore.”
Lower the risks around offboarding
There are several ways the public sector can diminish risks associated with offboarding, said Burke.
Taking a gradual, phased approach to offboarding will enable laid-off workers to wrap up work, hand over tasks and pass on key information. Not only does this give the employee an easier, less stressful exit, but it also allows the company’s security team more time to review all access and revoke it where required. To support exiting employees, companies should also improve their transparency, clearly communicating reasons, providing a consistent process, and offering counselling or career coaching services.
Organisations should strengthen their access controls. Implementing strong authentication methods can reduce the chance of unauthorised access to sensitive data. For example, phishing-resistant and passwordless MFA ensures only authorised users on secured devices can gain access to information, while Data Loss Prevention (DLP) tools help monitor and prevent unauthorised leakage of sensitive data throughout the notice period and after the layoff. Companies can also run targeted incident response drills around the relevant access controls, exercising detection and prevention measures in case the worst happens.
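The survey figures above come from asking leavers what they can still reach; an identity team can measure the same thing directly by reconciling the HR offboarding feed against each system’s list of enabled accounts. The script below is an added example, not code from Beyond Identity or the article; the leaver list, the per-system account exports and the system names are constructed sample data, and the grace period models the phased wind-down described above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (hypothetical, not from the article):
# HR feed of leavers -> last working day
OFFBOARDED = {
    "alice": date(2023, 3, 1),
    "bob": date(2023, 3, 10),
}
# Per-system export: system -> usernames whose account is still enabled.
# Categories mirror those the survey asked about (email, software, social media, finance).
ACTIVE_ACCOUNTS = {
    "email": {"alice", "bob", "carol"},
    "crm_software": {"alice", "carol"},
    "social_media": {"bob"},
    "finance_portal": {"alice"},
}
HIGH_IMPACT = {"finance_portal"}  # systems whose lingering access is escalated first


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    days_since_exit: int
    high_impact: bool


def lingering_access(offboarded, active_accounts, today, grace_days=0):
    """Return accounts still enabled after a leaver's last day plus an agreed
    grace period (the phased handover window). High-impact systems and the
    oldest exits sort first so the revocation queue is worked in risk order."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for user, last_day in offboarded.items():
        if today <= last_day + timedelta(days=grace_days):
            continue  # still inside the agreed wind-down window, not yet overdue
        for system, users in active_accounts.items():
            if user in users:
                findings.append(Finding(user, system, (today - last_day).days, system in HIGH_IMPACT))
    return sorted(findings, key=lambda f: (not f.high_impact, -f.days_since_exit))


def leaver_exposure_rate(findings, offboarded):
    """Fraction of leavers with at least one lingering account: the same metric
    the survey reports, but measured from system data rather than self-report."""
    return len({f.user for f in findings}) / len(offboarded) if offboarded else 0.0


if __name__ == "__main__":
    for f in lingering_access(OFFBOARDED, ACTIVE_ACCOUNTS, "2023-03-20", grace_days=7):
        print(f"{f.user:6} {f.system:15} {f.days_since_exit:3}d {'HIGH' if f.high_impact else ''}")
```

Run against real exports, the output is the revocation queue for the identity team and the exposure rate is the number to track week over week.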
Looking deeper into the organisation’s back office, security teams should also monitor for code and configuration tampering and for remote access tools that may have been left behind. A disgruntled ex-employee may be able to make operation-disrupting changes to source code and configuration files, introducing vulnerabilities or inducing outages. Code tampering can be mitigated by measures such as File Integrity Monitoring tools and a Static Application Security Testing (SAST) solution, as well as by adopting robust Change Management and Configuration Management programs.
“Offboarding issues don’t just put businesses at risk but impact the customers and business partners who have entrusted them with their data,” said Burke. “Our research found that one-third of businesses (34 percent) experience some form of insider-related cybersecurity incident every year. Surely this should be the wake-up call needed to ensure proper offboarding procedures are in place.”