– David Ting, co-founder and CTO of Imprivata (www.imprivata.com), says:
Why do former company employees still have access to proprietary data and organizational information after they’ve left the job?
There are several reasons that employees could still have access to company data and systems after leaving a job, regardless of whether they did so voluntarily or involuntarily. In most cases, this happens because there is a lag time in between an employee being terminated and his/her system access being eliminated. Often the administrator has to disable the user’s access at several different points – network, applications, buildings – within the enterprise. Depending on the organization, this operation can take some time.
Some organizations do not escort terminated employees out of the facility right away, giving them time to clean up their belongings—which can be enough time to cause major damage, as evidenced by the logic bomb planted by the outgoing Fannie Mae employee earlier this year. In other organizations, employees are escorted from the building and stripped of their building access right away, but not of their remote access—giving them the time to head to the local Starbucks and transfer sensitive information to their personal devices before anyone catches on.
The underlying problem in both of these instances is the lack of a connection between the physical identity and logical identity of an employee. In short, the building access system is completely different from the network access system—and neither talks to the other, nor are both monitored by the same people. Without a bridge between the two—or at least a strong policy or manager making the needed connections—there will continue to be lapses in between access removals, creating a huge security issue for the company.
IT departments are not immune to layoffs themselves, meaning that in many cases administrators are expected to do more with fewer resources.
Layoffs and job cuts often drive hiring of contractors, or non-permanent employees. Providing access to non-employees presents a different set of security risks as they can be less trusted than employees and their access privileges are often temporary, restricted and remote.
Trust is not a good security policy. For proof, just consider the number of insider-related security breaches over the last year.
To be successful at your job, you need to understand exactly what data employees are accessing, how they are doing it and from where. The ability to track and audit usage is critically important. Having confidence in who is accessing your system means believing more than just who someone is as a username and password. Strong authentication and a comprehensive model of device-based authentication need to be in place to prove employee identity—especially when sensitive customer or company data is at stake.
The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows for corporate-wide deployment of this technology—technology that can prevent the nightmare of what happens to your company and its reputation if the wrong person gets onto a computer, onto the network, or uses an application to steal information.