Access Rights Not Updated for 45% of Employees Who Change Roles
The online survey questioned 400 people, of whom 70% were IT professionals, about what happened in their company when new staff were onboarded and when current employees switched roles or were deprovisioned.
Asked whether unnecessary access rights are removed when employees change roles, 45% of the respondents said "no." This statistic swells in importance when paired with the knowledge that more survey respondents worked for the government (14.5%) than for any other industry.
When it came to the access rights of employees leaving for new pastures, 13% of those surveyed said that they were not confident that the last person to exit their organization no longer had access to the company's critical systems and information. Only 48% said they were "somewhat confident" that access had been blocked.
Given what respondents thought their former coworkers might get up to, it's surprising that closer tabs weren't being kept on their access rights. When asked what security risks were a concern in relation to improperly deprovisioned employees, 38% said a leak of sensitive data, 26% feared a cybersecurity hack through an unmanaged account, and 24% were concerned about malicious data detection/theft.
Perhaps the survey's most worrying finding was that 52% of respondents admitted that either they or somebody they knew still had access to a former employer’s applications and data.
Most of the respondents (84%) were based in the US, but the online survey was also completed by people in the Netherlands, the UK, and Canada.
Senior director of information technology at Ivanti, Adam Jones, told Infosecurity Magazine: "If you don’t know where you are vulnerable, it creates big issues and problems, especially when people can access privileges they shouldn’t. It creates an opportunity for exploitation by cyber-criminals or disgruntled employees (malicious insiders)."
It isn't clear from the survey whether access rights are being mismanaged because proper assignment and management processes are absent or because permissions aren't being regularly monitored and updated as necessary.
"Essentially, manually monitoring these processes is a productivity vampire," said Jones. "People often fail to complete their manual checklists, and we’ve even heard of instances where HR terminates an employee and forgets to tell their IT team.
"Make sure you have the tools to automate manual tasks, so that you can monitor just the exceptions for when something doesn’t go right."
Source: Information Security Magazine