Businesses knowingly leave themselves vulnerable to data breaches from former employees

data breach

More than half of ex-employees still have access to all corporate applications, admit UK businesses.

A new study reveals that a large proportion of businesses fail to adequately protect their networks from the potential threat posed by ex-employees.

The study disclosed that IT decision makers are aware that over half of former employees still can access the corporate network. Also, nearly a quarter of UK businesses have experienced data breaches by ex-employees.

The study, which surveyed UK-based IT decision-makers with influence over their business’s IT security, highlighted the flaws in the security processes within many companies.

Nearly all of respondents admitted to spending up to an hour on manually deprovisioning former employees from every corporate application. Half of respondents are not using automated deprovisioning technology to ensure an employee’s access to corporate applications stops the moment they leave the business. This deprovisioning burden may explain why more than a quarter of ex-employee’s corporate accounts remain active for a month or more.

Also, the study revealed 45 per cent of businesses don’t use a Security Information and Event Manager (SIEM) to audit for application usage by former employees, leaving vital corporate data exposed to potential leaks.

Alvaro Hoyos, Chief Information Security Officer at OneLogin said:“The sheer level of data breaches revealed by our study, coupled with the revelation that many businesses are failing to put simple processes in place to promptly deprovision ex-employees, should raise serious alarm bells for business leaders.

“Our study suggests that many businesses are burying their heads in the sand when it comes to this basic, but significant, threat to valuable data, revenue and brand image. There should be no excuse for this negligence, which will be brought further into the spotlight when the European Union’s General Data Protection Regulation (GDPR) comes into effect in 2018. GDPR makes data protection a legal requirement for organisations, which could face fines of up to €20 million or 4 per cent of their annual turnover, depending on which is higher.”

“With this in mind, businesses should proactively seek to close any open doors that could provide rogue ex-employees with opportunities to access and exploit corporate data. Tools such as automated de-provisioning and SIEM will help close those doors with ease and speed, while also enabling businesses to manage and monitor all use of corporate applications. The first step is acknowledging the problem, which businesses now have done by confessing they are aware of the issue, they now need to take steps to fix this issue by utilising the available tools,” concludes Hoyos.