47% of ex-employees still have access to business data – what can HR teams do about it?
Guest blog by Adrian Crawley, Northern European Director, SailPoint
With data breaches and hacks hitting the headlines almost weekly, C-suite executives are on high alert – and they’re not the only ones. When the cause of a breach can often be employee cybersecurity practices and a lack of visibility of who has access to what data, HR departments are naturally becoming implicated in the battle to prevent the fallout, both financial and reputational, of a breach.
A recent example from the UK illustrates the problem – with a major supermarket chain fighting an earlier ruling that made it liable for one disgruntled employee’s leak of the personal details of 100,000 colleagues online. While this battle continues through the courts, what is clear is that companies are currently considered to be vicariously liable for the actions of their employees and the security of both employee and consumer data. So what role can HR teams play in ensuring that incidents like these don’t happen in their own organisations?
Check you have all sets of keys
The truth is data breaches are often – perhaps predominantly – caused by simple, avoidable errors during day-to-day processes.
For example, companies often fail to consider whether employees can still access this information once their employment has been terminated, as seems to have been the case in the supermarket breach. While this should be easily avoidable, it continues to be a massive problem for businesses, as our own research reveals.
In SailPoint’s most recent Market Pulse Survey, we found that almost half (47%) of employees who leave a job still have access to their former organisation’s data via corporate accounts (17%), cloud storage (16%) or mobile devices (14%). That’s an astonishing figure. After all, no landlord would forget to ask their tenant to hand over their keys once they vacate a property, yet this is pretty much exactly what many – indeed, nearly 50% of – businesses are doing with their former workers.
It takes just one employee to cause massive, perhaps irreparable damage to a business’s reputation by accessing and sharing enormous volumes of sensitive data. Just as it is important for HR and IT teams to work closely to onboard new employees as quickly as possible to maximise productivity, they must act decisively to offboard employees leaving the business to ensure data remains secure.
Upskilling security processes to match portfolio careers
If your organisation has been lucky enough to avoid a serious data breach, that’s not necessarily cause for complacency. It may only be a matter of time before an employee accesses and leaks sensitive information, either maliciously or by accident.
Preventing this can seem a daunting task at first, especially if your IT teams currently spend significant amounts of time struggling with the complex question of who has access to what. This difficulty is often compounded when an organisation is going through a period of significant change, for example during digital transformation projects, when a company may be making many new hires or employees may be changing roles.
Any change to the workforce – even the promotion or sideways move of a single employee – heightens the risk of a worker being able to access information or systems that they’re no longer authorised to view. As employees increasingly expand into T-shape or portfolio careers, the need to monitor and enforce a separation of duties increases. Similarly, it should be obvious that when an employee leaves, their access privileges should be immediately revoked, but sadly we’ve seen how this often isn’t the case.
But there’s another side to the coin. When an organisation forgets or otherwise fails to update an employee’s access, they can leave ‘orphaned’ accounts, and these represent a particularly tempting target for hackers. That’s because hackers can use these as cover, hacking into unguarded, unwatched dormant accounts to steal sensitive data through seemingly legitimate access and without raising the alarm. Using an identity governance model that allows the HR and IT teams to centrally govern all access assigned to an employee can help ensure that these unmonitored vulnerabilities don’t develop.
Automating the onboarding and role change process
Faced with the growing complexity of access management, how can an organisation respond without further burdening already-overstretched HR teams?
The answer, as with so many other areas of business today, is through intelligent automation of access. Choosing the right identity governance solution means that an organisation can manage access far more effectively, removing at a stroke the risk of forgetting to update access to business data and logins whenever an employee’s role changes or when they leave the company.
An effective identity governance system can also help you to manage potential security and compliance risks, while also ensuring that every digital identity throughout the organisation is kept secure. What’s more, it provides a far greater level of oversight so that IT and other parties can easily keep track of who can access what data.
The lesson for HR teams is clear: take control of employee access to business data early, and ensure it consistently reflects their requirements. Don’t leave it until the horse has bolted before locking the stable door.