Business Technology

Are your former employees still accessing company data?

5 min read

14 October 2014

What happens when an employee leaves your business – are you letting them walk right out the door with access to sensitive or valuable business information?

Lots of business owners think that IT security only applies to the big corporations and the banking firms of this world; but a new study by Intermedia SMB reveals that 89 per cent of employees who leave a company retain access to business or cloud applications like Salesforce, PayPal, email and SharePoint. 

It doesn’t matter how big you are, if you’re employing staff that have access to apps, CMS’s and company data; you’re at risk.

Ex-employees admit to using the logins

It gets worse though, of those surveyed, 49 per cent had actually signed in to an ex-employer’s account, despite having left the company. 

Now in most cases, this will just be curiosity; call it a “I wonder if it still works” type moment. However the fact remains that the ex-employees in question still have access and it only takes one bad apple with malicious intent to cause problems. This can come in a number of forms, be it reputational damage, leaked info or loss of competitive advantage to a rival firm.

In a nutshell, when an employee leaves your business, for whatever reason, you must have a way to revoke their access to all business resources. If you don’t then you’re leaving yourself wide open to attack.

How to protect your business

Implement stringent access management and off-boarding practices. Most companies have well thought out on-boarding processes, but too many forget the off-boarding. 

In the same Intermedia Survey, polling firm Osterman Research found that 60 per cent of the employees in its survey were not asked for their cloud logins by their employers. 

Put in place on-boarding and off-boarding policies for every employee and every application your business uses. Keep a detailed record of who has access to what. This ensures that your company always knows where your data is and who can access it at any time. 

Consider using business graded file storage and cloud synching. Osterman also found that 68 per cent of employees admitted to using personal file storage services like Google Drive and iCloud to store corporate files or to transfer them between devices. 

Businesses handling sensitive data should consider finding specialist business file storage that gives granular access control. This will encourage employees to choose it over their personal cloud based accounts. (Dropbox offer a business only service and that’s what we use in house, at Tiger Mobiles.) You can also restrict access to other file storage sites on your companies’ network to prevent their usage.

Restrict access with single sign-on services. A single sign-on portal stores passwords in on behalf of employees and gives them one-click access everything they need to do their job. 

 This gives your business added security because employees tend to use strong passwords if they don’t have to commit them to memory. Not only that a single sign-on services gives you clear visibility into which apps a departing employee had been using. This paints a much clearer picture of which accounts need to be transferred or terminated. It also lets you cross reference it with the off boarding process recommended above.

Other things to consider

Some cloud services charge extra for each user so it’s tempting to save money by using one account and giving every employee access to it. This is a bad idea; if someone leaves, they will still know the username and password.

Other considerations:

  • Try to pencil in regular reviews of employee access and delete accounts that aren’t required for them to perform daily job responsibilities.
  • Remember to change administrative passwords to servers and networks following the departure of any IT staff.
  • Don’t allow the use of the same login and password for multiple platforms, applications servers or networks.
  • Restrict internet access on corporate computers to cloud storage websites.

It’s not easy to get a handle on who has access to what throughout your business. But trust me, it’s worth it and once you do put the processes in place, you can regain control over your businesses most important data.

Jonathan Edwards is head of information technology at TigerMobiles.com and specialises primarily in Cloud Computing, IT security and infrastructure.