Former employees may no longer work at your company, but they may still have access to your systems, new research shows.
A study by security management company Lieberman Software revealed that more than 13 percent of IT professionals still have access to a previous employer's systems using old credentials. Of these respondents, many admitted they can still get into two previous employers' systems or all of their previous employers' systems using old access information (23 percent and more than 16 percent, respectively).
When it comes to contractors, more than 16 percent of respondents said either their employers don't have policies preventing contractor access after they leave the company or that they are not aware of such a policy. Overall, nearly 20 percent of those surveyed don't have or are unaware of any policies ensuring that former employees and contractors are restricted from accessing systems after their tenure.
Moreover, of respondents who work in organizations mandated by regulatory compliance, 1 in 4 said their employers don't change service and process account passwords every 90 days as required.
The results of this research show that a fundamental lack of IT security awareness and privileged logins is potentially paving the way for a further wave of data breaches, said Philip Lieberman, CEO of Lieberman Software, in a statement.
"Basic security best practices include minimizing the insider threat and sophisticated criminal hackers by managing the powerful privileged passwords that grant access to systems containing sensitive data," he said.
Organizations must also implement a policy where privileged account passwords are frequently automatically updated with unique and complex values, Lieberman said. "That way, when an employee does leave the company, he or she is not taking the password secrets that can gain access to highly sensitive systems," he added.
To help small businesses stay safe, Lieberman provided the following tips on how to protect your business from former employees and ensure any access previously given is not abused after separation.
1. Change all passwords
- Change the employee's password and change every account password that he or she had access to.
- If the company maintains a spreadsheet of passwords for systems that an employee might have seen and used, all of the passwords on the spreadsheet must be changed immediately.
- Change the passwords of any accounts whose credentials the employee may have learned from sticky notes stuck under keyboards or otherwise left in view.
2. Check all accounts
- Check all machines for excess accounts that employees may have created before their departure, which could be used as a backdoor for later re-entry.
- Randomize all generic accounts such as "Administrator" on Microsoft Windows and "root" on Linux systems so that there are no common account passwords that can be used by contractors or intruders to gain access to all machines.
- Remove all personal user memberships in the local machine's "Administrators" group to minimize exfiltration of credentials.
3. Use a privilege management system for contractors
When designing security and access for contractors, use a privilege management system — also known as Privileged Identity Management (PIM) — to limit their access to only one machine at a time for administrator access. PIM systems can also force employees and contractors to complete an automated approval process before gaining access to sensitive systems. PIM systems also remove access automatically after IT work is completed to ensure that employees and contractors cannot access systems after they leave for the day or forever.
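As an added illustration of steps 1 and 2 above (not code from the article or from Lieberman Software), the following Python script runs the offboarding checks against a constructed inventory of local accounts. The inventory shape, host names, account names and dates are all assumptions made for the example; in practice the data would come from an export of each machine's local users and Administrators group members. It flags accounts created in the window before the leaver's separation date, reports where the leaver still has an account or admin membership, lists personal accounts holding local administrator rights, and generates a unique random password per generic account per host so that no shared "Administrator" or "root" secret opens every machine.

```python
import secrets
import string
from datetime import date, timedelta

# Constructed sample inventory (not real data): one entry per host, with the
# local accounts found there and the members of its local Administrators group.
INVENTORY = {
    "ws-finance-01": {
        "accounts": [
            {"name": "Administrator", "created": "2019-03-01", "generic": True},
            {"name": "jdoe", "created": "2021-06-15", "generic": False},
            {"name": "svc_backup", "created": "2020-01-10", "generic": True},
            {"name": "helpdesk2", "created": "2023-11-20", "generic": False},
        ],
        "administrators": ["Administrator", "jdoe", "helpdesk2"],
    },
    "srv-files-01": {
        "accounts": [
            {"name": "root", "created": "2018-05-02", "generic": True},
            {"name": "jdoe", "created": "2021-06-15", "generic": False},
            {"name": "asmith", "created": "2022-02-01", "generic": False},
        ],
        "administrators": ["root"],
    },
}


def leaver_footprint(inventory, departing_user):
    """Step 1: every host where the leaver still has an account, and whether that
    account sits in the local Administrators group. These are the first accounts
    to disable and the hosts whose shared passwords must be rotated."""
    return sorted(
        (host, departing_user in data["administrators"])
        for host, data in inventory.items()
        if any(a["name"] == departing_user for a in data["accounts"])
    )


def find_suspect_accounts(inventory, departing_user, separation_date, window_days=30):
    """Step 2: accounts created shortly before the leaver's last day. The leaver's
    own account is excluded (it is handled by leaver_footprint); anything else
    created in the window is a candidate backdoor and needs a human review."""
    cutoff = separation_date - timedelta(days=window_days)
    hits = []
    for host, data in inventory.items():
        for acct in data["accounts"]:
            created = date.fromisoformat(acct["created"])
            if acct["name"] != departing_user and cutoff <= created <= separation_date:
                hits.append((host, acct["name"]))
    return sorted(hits)


def find_personal_admins(inventory):
    """Step 2: personal (non-generic) accounts that are members of the local
    Administrators group, which the tips say should be removed."""
    hits = []
    for host, data in inventory.items():
        generic = {a["name"] for a in data["accounts"] if a["generic"]}
        hits.extend((host, m) for m in data["administrators"] if m not in generic)
    return sorted(hits)


def new_password(length=24):
    """Cryptographically random password from letters, digits and punctuation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def rotate_generic_accounts(inventory):
    """Step 2: one unique random password per generic account per host, so a
    single leaked 'Administrator' or 'root' password no longer fits every machine.
    Returns the rotation plan as {(host, account): password}; pushing the values
    to the hosts is left to the platform's own tooling."""
    return {
        (host, a["name"]): new_password()
        for host, data in inventory.items()
        for a in data["accounts"]
        if a["generic"]
    }


if __name__ == "__main__":
    last_day = date(2023, 12, 1)  # constructed separation date
    print("leaver accounts:", leaver_footprint(INVENTORY, "jdoe"))
    print("accounts created near departure:", find_suspect_accounts(INVENTORY, "jdoe", last_day))
    print("personal local admins:", find_personal_admins(INVENTORY))
    print("generic accounts to rotate:", sorted(rotate_generic_accounts(INVENTORY)))
```

Run on the constructed data with a separation date of 2023-12-01, the script reports jdoe's accounts on both hosts (with admin rights on ws-finance-01), flags helpdesk2 as created inside the 30-day window, lists jdoe and helpdesk2 as personal members of Administrators, and produces three distinct passwords for Administrator, svc_backup and root.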