Insider impropriety already presents a considerable headache for IT managers. But as companies downsize and lay off employees in large numbers, the likelihood of insider security threats escalates.
Businesses are left particularly vulnerable when employees leave but their user accounts aren’t disabled. These so-called “orphaned accounts” can lead to the loss of your customer list to a competitor, the malicious disabling of your critical databases and the loss of other proprietary information. It’s the sort of damage a small to mid-sized business can find difficult to overcome.
“The smaller organizations can be more vulnerable,” says Ellen Libenson, vice president of marketing for Symark International, which produces systems access management solutions. “The smaller your business, the harder it is to recover.”
The danger of ignorance
Yet orphaned accounts are frequently overlooked. A May 2008 survey of more than 800 IT professionals found that 42 percent of those surveyed didn’t know how many orphaned accounts existed within their business. The survey, commissioned by Symark, also found that 30 percent had no procedure to locate the orphaned accounts, and more than 48 percent had no way to determine whether an orphaned account had been used to access information.
Lean economic times make it more likely that IT personnel will forget to disable accounts, says Libenson. IT departments are often short-staffed, and a harried worker might sit down to close an account, only to respond to a pager instead. “In the back of their mind, they think, ‘Well, they weren’t really bad people, it will be okay,’” says Libenson.
However, the economic climate can affect your employees’ behavior, cautions Michael Miora, founder of ContingenZ, which offers companies training and management for disaster recovery and security threats. “In tough economic times, people who are basically honest can sometimes yield to temptation,” Miora says.
The importance of precautions
To protect your business, it’s critical to remove that temptation, whether it’s financial or revenge-oriented in nature. There are several steps you can take to sidestep the risks involved with layoffs and orphaned accounts:
- Establish a process. Make sure you have a formal procedure in place for dismissing employees — and stick with it. In small companies, the sense of tight-knit community can override practical considerations when it comes to the emotion-filled act of laying off an employee, say the experts. Put together a checklist involving IT access. Make sure the employee signs a document attesting that he or she is not taking anything with them, says Miora.
- Terminate access immediately. Business owners are sometimes tempted themselves, says Miora. You might want to get a couple of days’ more work out of an employee, or you might want to soften the blow of the layoff by having the employee work another week or two. “A couple of days of extra work could end up costing you months and years of hard-earned customer lists,” says Miora. “Grab that computer. You can’t let them keep it another day, another minute. Remove that person’s access to everything. The instant you tell them they’re gone, they have to be gone.” Escort the employee out the door, says Miora. It might feel awkward and rude, but not allowing them to log on one last time is critical. “It goes against the grain a little bit, but as I say, security is contrary to politeness.”
- Monitor log events. “Knowing there’s an accountability process in place actually deters a lot of people,” says Libenson. Current employees might be tempted to log in through an orphaned account to cause mischief. There are security products on the market that enable you to log keystrokes, prevent the erasure of logs and send alerts to management when someone attempts to access an unauthorized area.
- Inventory access. Maintain a list of every employee and what systems they are permitted to access, advises Libenson. Doing a regular inventory of this list can help ensure that employees only have access to data they truly need. You’ll also know just what access you need to disable when an employee leaves.
- Practice good password management. Libenson hears stories about passwords scrawled on whiteboards in IT departments. “A small company is even more vulnerable because you have fewer IT people, so hence they tend to share a lot,” she says. “If administrators are sharing one password, that’s a big no-no. You have no accountability.” Products that dynamically change passwords have come down in cost, Libenson says. And vendors such as Symark are eager to recruit new business in this down economy.
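The “inventory access” and “monitor log events” steps above can be turned into a repeatable check with a small script. The following is an added example, not code from the article or from Symark: it reconciles an exported account list against an HR roster to find orphaned accounts (enabled accounts whose owner has been terminated, has no owner on the roster, or has not logged on for a long time), then scans authentication log lines for any use of those accounts. The CSV column names, the sample roster, and the sshd-style log lines are all constructed for the example and are assumptions about what your own exports look like.

```python
"""Find orphaned accounts and check whether any have been used.

Added example (not from the article). Assumptions: HR exports a CSV roster
with an employee status, the directory exports one CSV row per account with
its owner's employee_id and last logon date, and authentication logs are in
sshd's "Accepted/Failed password for USER from SRC" format.
"""
import csv
import io
import re
from datetime import date, timedelta

# Constructed sample data for the example.
HR_ROSTER = """\
employee_id,name,status,termination_date
1001,Alice Example,active,
1002,Bob Example,terminated,2008-11-14
1003,Carol Example,active,
1004,Dave Example,active,
"""

ACCOUNT_INVENTORY = """\
username,employee_id,enabled,last_logon
alice,1001,true,2008-12-01
bob,1002,true,2008-11-20
carol,1003,true,2008-12-01
dave,1004,true,2008-07-01
svc_backup,,true,2008-12-01
old_contractor,,true,2008-06-03
"""

AUTH_LOG = """\
Dec  1 08:02:11 fileserver sshd[2314]: Accepted password for alice from 10.0.0.12 port 51022 ssh2
Dec  1 22:41:05 fileserver sshd[2711]: Accepted password for bob from 10.0.0.77 port 49211 ssh2
Dec  2 03:15:44 fileserver sshd[2890]: Failed password for old_contractor from 10.0.0.77 port 49300 ssh2
"""


def parse_csv(text):
    """Parse a CSV export (given as text) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned_accounts(hr_csv, inventory_csv, as_of, stale_days=90):
    """Return {username: reason} for every enabled account that needs action.

    An account is flagged when its owner is terminated, when it has no owner
    on the HR roster (service and contractor accounts nobody claims), or when
    it has not logged on within stale_days even though its owner is active.
    """
    roster = {row["employee_id"]: row for row in parse_csv(hr_csv)}
    orphans = {}
    for acct in parse_csv(inventory_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        owner = roster.get(acct["employee_id"])
        if owner is None:
            orphans[acct["username"]] = "no owner on HR roster"
        elif owner["status"] == "terminated":
            orphans[acct["username"]] = "owner terminated on " + owner["termination_date"]
        else:
            last = date.fromisoformat(acct["last_logon"])
            if as_of - last > timedelta(days=stale_days):
                orphans[acct["username"]] = f"no logon in {stale_days} days"
    return orphans


# Matches sshd lines such as "Accepted password for bob from 10.0.0.77 port 49211 ssh2"
LOG_RE = re.compile(
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def orphan_logins(auth_log, orphans):
    """Return (user, result, source) for every log line that touches an orphaned account.

    Failed attempts are reported too: a failed login against a terminated
    employee's account is exactly the "current employee trying an orphaned
    account" case the article warns about.
    """
    hits = []
    for line in auth_log.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("user") in orphans:
            hits.append((m.group("user"), m.group("result"), m.group("src")))
    return hits


if __name__ == "__main__":
    found = find_orphaned_accounts(HR_ROSTER, ACCOUNT_INVENTORY, as_of=date(2008, 12, 2))
    for user, reason in sorted(found.items()):
        print(f"DISABLE {user}: {reason}")
    for user, result, src in orphan_logins(AUTH_LOG, found):
        print(f"ALERT {result} login for orphaned account {user} from {src}")
```

Run against the sample data, the report flags bob (terminated owner), svc_backup and old_contractor (no owner), and dave (no logon in 90 days), and the log scan shows bob logging in six days after his termination date and a failed attempt against old_contractor from the same source address. In practice the two exports would come from the HR system and the directory on a schedule, and the log scan would run over the real authentication logs; the value of the check is that it answers the two questions the survey found most businesses could not: how many orphaned accounts exist, and whether any have been used.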
Keep in mind what’s at risk if you don’t take the time to disable an orphaned account, say the experts. “The sad thing is it’s so easy to set up roadblocks.”