14 July 2017
A large proportion of businesses fail to adequately protect their networks from the potential threat posed by ex-employees, says a new study by OneLogin.
According to the identity management provider’s research, IT decision-makers are aware that 58 per cent of former employees can still access the corporate network.
It also reveals that nearly a quarter of UK businesses have experienced data breaches by ex-employees.
OneLogin surveyed more than 600 UK-based IT decision-makers with influence over their business’s IT security and claims it highlighted flaws in security processes within many companies.
Ninety-two per cent of all respondents admitted to spending up to an hour on manually de-provisioning former employees from every corporate application. Half admitted that they were not using automated de-provisioning technology to ensure an employee’s access to corporate applications stops the moment they leave the business.
OneLogin says this burden may explain why 28 per cent of ex-employees’ corporate accounts remain active for a month or more.
The study also found that 45 per cent of businesses don’t use a security information and event management (SIEM) system to audit application usage by former employees, leaving vital corporate data exposed to potential leaks.
Alvaro Hoyos, CISO at OneLogin, says all this should raise “serious alarm bells” for business leaders.
“Our study suggests that many businesses are burying their heads in the sand when it comes to this basic, but significant, threat to valuable data, revenue and brand image.
“There should be no excuse for this negligence, which will be brought further into the spotlight when the European Union’s General Data Protection Regulation. GDPR makes data protection a legal requirement for organisations, which could face fines of up to €20 million or four per cent of their annual turnover, depending on which is higher.”
With this in mind, Hoyos advises businesses to proactively seek to close any open doors that could provide rogue ex-employees with opportunities to access and exploit corporate data.
“The first step is acknowledging the problem, which businesses now have done by confessing they are aware of the issue. They now need to take steps to fix this issue by utilising the available tools,” he concludes.