All large companies have formal processes for both onboarding and offboarding. These include granting access to corporate IT systems after hiring, and revoking that access during offboarding. In practice, the latter is far less effective — departing employees often retain access to work information. What are the risks involved, and how can they be avoided?
How access gets forgotten
New employees are granted access to the systems they need for their jobs. Over time, these accesses accumulate, but they’re not always issued centrally, and the process itself is by no means always standardized. Direct management might give access to systems without notifying the IT department, while chats in messenger apps or document-exchange systems get created ad hoc within a department. Poorly controlled access of this kind is almost certain not to be revoked from an offboarded employee.
Here are some typical scenarios in which IT staff may overlook access revocation:
- The company uses a SaaS system (Ariba, Concur, Salesforce, Slack… there are thousands of them) that’s accessed with a username and password the employee set at first login, and it isn’t integrated with the corporate employee directory.
- Employees share a common password for a particular system. (The reason may be saving money by using just one subscription, or a system that lacks a full multi-user architecture.) When one of them is offboarded, no one bothers to change the password.
- A corporate system allows login using a mobile phone number and a code sent by text. Problems arise if an offboarded employee keeps the phone number they used for this purpose.
- Access to some systems requires being bound to a personal account. For example, administrators of corporate pages on social media often get access by assigning the corresponding role to a personal account, so this access needs to be revoked in the social network as well.
- Last but not least is the problem of shadow IT. Any system that employees started using and run by themselves is bound to fall outside standard inventory, password control and other procedures. Most often, offboarded employees retain the ability to perform collaborative editing in Google Docs, manage tasks in Trello or Basecamp, share files via Dropbox and similar file-hosting services, as well as access work and semi-work chats in messenger apps. That said, pretty much any system could end up in the list.
The danger of unrevoked access
Depending on the role of the employee and the circumstances of their departure, unrevoked access can create the following risks:
- The offboarded employee’s accounts can be used by a third party for cyberattacks on the company. A variety of scenarios are possible here — from business email compromise to unauthorized entry to corporate systems and data theft. Since the departed employee no longer uses these accounts, such activity is likely to go unnoticed for a long time. Forgotten accounts may also use weak passwords and lack two-factor authentication, which simplifies their takeover. No surprise, then, that forgotten accounts are becoming very popular targets for cybercriminals.
- The offboarded employee might continue to use accounts for personal gain (accessing the customer base to get ahead in a new job; or using corporate subscriptions to third-party paid services).
- There could be a leak of confidential information (for example, if business documents are synchronized with a folder on the offboarded employee’s personal computer). Whether the employee deliberately retained this access to steal documents or it was just plain forgetfulness makes little difference. Either way, such a leak creates long-term risks for the company.
- If the departure was acrimonious, the offboarded employee may use their access to inflict damage.
Additional headaches: staff turnover, freelancing, subcontractors
Keeping track of SaaS systems and shadow IT is already a handful, but the situation is made worse by the fact that not all company offboarding processes are properly formalized.
An additional risk factor is freelancers. If they were given some kind of access as part of a project, it’s extremely unlikely that IT will promptly revoke it — or even know about it — when the contract expires.
Contracting companies likewise pose a danger. If a contractor fires one employee and hires another, often the old credentials are simply given to the new person, rather than deleted and replaced with new ones. There’s no way that your IT service will know about the change in personnel.
In companies with seasonal employees or just a high turnover in certain positions, there’s often no full-fledged centralized on/offboarding procedure — just to simplify the business operation. Therefore, you can’t assume they’ll perform an onboarding briefing or operate a comprehensive offboarding checklist. Employees in these jobs often use the same password to access internal systems, which can even be written on a Post-It right next to the computer or terminal.
How to take control
The administrative aspect is key. Below are a few measures that significantly mitigate the risk:
- Regular access audits. Carry out periodic audits to determine what employees have access to. The audit should identify accesses that are no longer current or were issued unintentionally or outside of standard procedures, and revoke them as necessary. For audits, a technical analysis of the infrastructure is not enough. In addition, surveys of employees and their managers should be carried out in one form or another. This will also help bring shadow IT out of the shadows and in line with company policies.
- Close cooperation between HR and IT during offboarding. Departing employees should be given an exit interview. Besides questions important for HR (satisfaction with the job and the company; feedback about colleagues), this should include IT issues (request a complete list of systems that the employee used on a daily basis; ensure that all work information is shared with colleagues and not left on personal devices, etc.). The offboarding process usually involves signing documents imposing responsibility on the departing employee for disclosure or misuse of such information. In addition to the employee, it’s advisable to interview their colleagues and management so that IT and InfoSec are fully briefed on all their accounts and accesses.
- Creation of standard roles in the company. This measure combines technical and organizational aspects. For each position and each type of work, you can draw up a template set of accesses to be issued during onboarding and revoked during offboarding. This lets you create a role-based access control (RBAC) system and greatly simplify the work of IT.
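The two measures above, the periodic access audit and the role templates, fit together naturally: once each position has a template set of accesses, an audit is a comparison of what an employee actually holds against that template. The following is an added example, not code from the original article; the role names, system names and employee records are constructed placeholders standing in for the output of an inventory and the employee surveys the text recommends.

```python
"""Access audit against role templates (added example, not from the article).

Constructed data: ROLE_TEMPLATES maps a position to the systems that role is
issued at onboarding; each Employee carries the grants an inventory and
surveys actually found. The audit reports grants outside the template
(candidates for review or revocation), template entitlements that are
missing, and any access still held by someone who has already left.
"""
from dataclasses import dataclass, field

# Constructed role templates: position -> systems issued at onboarding.
ROLE_TEMPLATES = {
    "sales": {"crm", "email", "chat", "expense_tool"},
    "engineer": {"email", "chat", "git", "ci"},
}


@dataclass
class Employee:
    name: str
    role: str
    grants: set = field(default_factory=set)  # systems the employee can currently access
    active: bool = True                        # False once the person has been offboarded


def audit_employee(emp: Employee) -> dict:
    """Compare one employee's grants with the template for their role."""
    expected = ROLE_TEMPLATES.get(emp.role, set())
    return {
        "excess": sorted(emp.grants - expected),   # issued ad hoc, outside the template
        "missing": sorted(expected - emp.grants),  # template says the role needs it
    }


def offboarding_revocations(emp: Employee) -> list:
    """Checklist of systems to revoke at departure.

    Template entries the inventory did not record are included on purpose, so
    IT verifies those systems too rather than trusting an incomplete inventory.
    """
    return sorted(emp.grants | ROLE_TEMPLATES.get(emp.role, set()))


def audit(employees) -> dict:
    """Run the audit across the organisation.

    Any grant still held by an offboarded (inactive) employee is listed under
    "lingering": that is exactly the forgotten access the article describes.
    """
    report = {}
    for emp in employees:
        result = audit_employee(emp)
        result["lingering"] = sorted(emp.grants) if not emp.active else []
        report[emp.name] = result
    return report


if __name__ == "__main__":
    staff = [
        Employee("alice", "sales", {"crm", "email", "chat", "trello"}),
        Employee("bob", "engineer", {"email", "git"}, active=False),
    ]
    for name, findings in audit(staff).items():
        print(name, findings)
    print("revoke for alice:", offboarding_revocations(Employee("alice", "sales", {"crm", "trello"})))
```

The "excess" list is where shadow IT surfaces (here the constructed `trello` grant that no sales template includes); the "lingering" list is the direct check for departed staff whose accounts were never disabled. Role templates also make the revocation checklist reproducible instead of depending on whoever happens to remember which systems the person used.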
Technical measures to facilitate access control and increase the overall level of information security:
- Implementing Identity and Access Management (IAM) and identity security systems. The keystone here would be a single sign-on (SSO) solution based on a centralized employee directory.
- Asset and Inventory Tracking to centrally track corporate devices, work mobile phone numbers, issued licenses, etc.
- Monitoring of outdated accounts. Information security tools can be used to introduce monitoring rules to flag accounts in corporate systems if they have been inactive for a long time. Such accounts must be periodically checked and disabled manually.
- Compensatory measures for shared passwords that have to be used (these need to be changed more often).
- Time-limited access for freelancers, contractors and seasonal employees. For them, it’s always best to issue short-term accesses, and to extend/change them only when necessary.
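The monitoring rule for inactive accounts and the time-limited access for freelancers, contractors and seasonal staff can be checked by one review job run over an account export. Below is an added example, not the article's or any vendor's code; the account records, the 90-day inactivity threshold and the `expires` field are constructed assumptions, standing in for whatever a directory or SaaS admin console actually exports.

```python
"""Flag dormant and expired accounts for manual review (added example).

Constructed input: one record per account, with the last successful login
and, for contractors/freelancers/seasonal staff, the date the access was
meant to end. Accounts idle for longer than max_idle_days are reported as
dormant; accounts past their expiry date are reported as expired. Both
lists are meant for a person to check and disable, as the article advises,
not for automatic deletion.
"""
from datetime import date, timedelta

# Constructed sample export (not real data).
ACCOUNTS = [
    {"account": "alice", "last_login": date(2024, 5, 30), "expires": None},
    {"account": "bob", "last_login": date(2023, 11, 2), "expires": None},
    {"account": "contractor-1", "last_login": date(2024, 5, 28), "expires": date(2024, 4, 30)},
    {"account": "svc-backup", "last_login": None, "expires": None},  # never logged in
]


def review_accounts(accounts, today, max_idle_days=90):
    """Return accounts to review, grouped by reason, each list sorted by name."""
    cutoff = today - timedelta(days=max_idle_days)
    dormant, expired = [], []
    for acct in accounts:
        last = acct["last_login"]
        # An account that has never been used is treated as dormant: it exists,
        # nobody relies on it, and it is as attractive a target as a forgotten one.
        if last is None or last < cutoff:
            dormant.append(acct["account"])
        # Time-limited access that has run past its end date must be renewed
        # deliberately, not kept alive because nobody noticed.
        exp = acct["expires"]
        if exp is not None and exp < today:
            expired.append(acct["account"])
    return {"dormant": sorted(dormant), "expired": sorted(expired)}


def extend_access(acct, today, days):
    """Renew a time-limited account for a fixed number of days from today.

    Extending always sets a new end date rather than removing the limit, so a
    contractor account can never silently become permanent.
    """
    acct["expires"] = today + timedelta(days=days)
    return acct["expires"]


if __name__ == "__main__":
    result = review_accounts(ACCOUNTS, date(2024, 6, 1))
    print("dormant:", result["dormant"])
    print("expired:", result["expired"])
```

Note that `contractor-1` is still logging in after its access has expired, which is precisely the case the article warns about: activity alone is not evidence that access is still legitimate, so the expiry check has to run independently of the inactivity check. The choice of threshold is a policy decision; 90 days is an assumption here, and a shorter window is reasonable for roles with high turnover.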