Do You Revoke Access Privileges After an Employee Leaves?

There were no auto dealership sales reps milling around when a man returned the red muscle car he'd been driving to the dealership's lot. Nobody was there to ask him what he thought of his test drive or to discuss the price. That's because it was 5 a.m. on a Sunday, and the dealership was closed. The man, a former employee of the dealership, never should have had access to the car in the first place.

Lingering access privileges for former employees are a growing problem across all industries. But not all privilege abuses are detected as easily as the dealership ex-employee's joyride — especially when digital assets are involved.

According to a recent study by Osterman Research, almost 90 percent of former employees retained login credentials for at least one business application, such as PayPal, WordPress or Facebook, after they left the company. Almost half still had access to confidential business data. Forgetting to reset passwords, disable accounts and revoke network access puts your business at serious risk of data and cybersecurity breaches.

An FBI warning to businesses issued in 2014 revealed that costs incurred due to data breaches involving disgruntled or former employees ranged from $5,000 to $3 million. No matter the size of your business, can you afford to risk that much by allowing former employees to retain data access after they leave?

Here are three organizations that had to deal with data breaches at the hands of disgruntled, retiring or former employees and tips for what you should do to avoid a similar breach.

Gucci

What Happened: In 2010, an employee of fashion brand Gucci created a fake VPN token in the name of a nonexistent employee and later tricked Gucci's IT staff into activating the token after he was fired. He used the access to do about $200,000 worth of damage to the Gucci network, deleting data and shutting down servers.

What You Should Do: Perform regular reviews of employee access privileges. If something seems fishy — such as an account for an employee who doesn't exist — or if a real employee has access to something that isn't needed for their job duties, terminate the account or the access. You should also terminate all accounts associated with a former employee or contractor and change the passwords of any group or shared accounts immediately after their departure.
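One way to run the access review described above, as an added example that is not part of the original post: it reconciles an application's account list against an HR roster (all names, ids and dates are constructed) and flags accounts with no matching employee, accounts still enabled after their owner's termination date, and shared credentials not rotated since a departure.

```python
# Added example (not the post's own code): a periodic access review reconciling an
# application's accounts against the HR roster; all names, ids and dates are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Employee:
    employee_id: str
    termination_date: Optional[date]  # None while still employed

@dataclass
class Account:
    username: str
    owner_id: Optional[str]             # HR id; None for a shared/group account
    enabled: bool
    credential_rotated: Optional[date]  # last password change, if known

def review_accounts(accounts, roster, today):
    """Return (username, reason) findings for enabled accounts needing action."""
    by_id = {e.employee_id: e for e in roster}
    # A shared password set before someone left may still be known to the leaver.
    departures = [e.termination_date for e in roster
                  if e.termination_date is not None and e.termination_date <= today]
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.owner_id is None:
            if acct.credential_rotated is None or any(
                    d > acct.credential_rotated for d in departures):
                findings.append((acct.username, "shared credential not rotated since a departure"))
            continue
        emp = by_id.get(acct.owner_id)
        if emp is None:
            findings.append((acct.username, "no matching employee in HR roster"))
        elif emp.termination_date is not None and emp.termination_date <= today:
            days = (today - emp.termination_date).days
            findings.append((acct.username, f"owner left {days} days ago, account still enabled"))
    return findings

# Constructed sample data: one fake-employee account, one leaver, one stale shared login.
ROSTER = [Employee("E100", None), Employee("E101", date(2017, 1, 15))]
ACCOUNTS = [
    Account("alice", "E100", True, date(2017, 1, 3)),
    Account("bob", "E101", True, date(2016, 11, 20)),
    Account("jdoe", "E999", True, None),
    Account("carol", "E998", False, None),
    Account("svc_billing", None, True, date(2016, 12, 1)),
]
```

Run against a review date of 2017-02-01 the report lists bob (leaver still enabled), jdoe (no such employee) and svc_billing (shared password older than Bob's departure); disabled accounts like carol are left out of the report.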

Office of the Comptroller of the Currency

What Happened: The U.S. Office of the Comptroller of the Currency (OCC), which supervises all national banks, was sent scrambling in 2016 when it discovered that a former employee had downloaded a large number of files onto two removable storage devices before retiring from the bureau the year before.

Though the data was encrypted and was not believed to have been misused, the OCC still considered it a major incident. The former employee had misplaced the memory devices, meaning the unrecovered files could still fall into the wrong hands.

What You Should Do: The OCC didn't discover the incident when it happened because it had no policy governing the use of external media devices. Even when employees believe they are downloading harmless data such as personal photos, those downloads can still represent a risk. Consider implementing a policy that blocks copying information to a removable device without supervisor approval. Regularly reviewing what data is being downloaded can also help you react quickly to potential breaches.

Houston Astros

What Happened: A former St. Louis Cardinals employee was recently sentenced to 46 months in prison for his part in hacking into the Houston Astros' player information database. The account owner had left the Cardinals to become the Astros' general manager and used a similar password at both teams, giving the hacker an open door to the Astros' confidential research.

What You Should Do: When hiring new employees, be sure you educate them on password security and encourage them to not reuse a password they've used for any other employer or personal application. Implement a policy that requires unique passwords that are frequently changed to combat the possibility of a password falling into the wrong hands.

Unrestricted network access and poor password security aren't the only things that can cause security breaches. The use of personal devices such as smartphones and tablets for business purposes can represent another major security risk. Read our post "Is Your BYOD Policy Prepared for Pokémon GO?" to learn why a bring your own device (BYOD) policy matters.

[Webinar Recap] The Cure for Your HIPAA Headache

As of February 2017, there are more than 1,800 healthcare providers listed on the breach portal — known as the “wall of shame” in the healthcare industry — maintained by the U.S. Department of Health & Human Services Office for Civil Rights (OCR). In 2016, cyber attacks against healthcare organizations increased by 63 percent. These numbers are symptomatic of a growing problem in the healthcare industry: ever-evolving cyber risks and a struggle to adhere to Health Insurance Portability and Accountability Act (HIPAA) security requirements.

In a recent webinar with the Disaster Recovery Journal, Robert Felps, CEO/CISO for compliance and risk management firm Third Rock, and Brandon Tanner, senior manager for Rentsys Recovery Services, discussed what healthcare providers can do about this “HIPAA headache.”

To discover the cure, check out the recording of the webinar here.