Only 34% of organizations revoke system access to employees on the day they leave

February 5, 2021

The Identity Defined Security Alliance (IDSA), a nonprofit that provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies, released a study on Identity and Access Management which uncovers significant delays in granting and revoking access to corporate systems, impacting operations and introducing risk to the organization.

According to the study, for the majority of companies (72%) it takes one week or longer for a typical worker to obtain access to required systems. Conversely, it takes half of organizations three days or longer to revoke system access after a worker leaves, creating regulatory compliance issues and the risk of data theft. To make matters worse, for the majority of organizations (83%), remote work and other Covid-19 related factors have made managing access to corporate systems more difficult.

The report, “Identity and Access Management: The Stakeholder Perspective,” is based on an online survey of access stakeholders, human resources, sales managers, and IT help desk professionals, who are impacted by IAM processes and technologies and who interact directly with workers (employee, contractor and vendors) to set up, remove, and resolve access problems.

Despite agreement from access stakeholders that they have responsibility for security, most (62%) report that they would be hesitant to take action and cut worker access in the face of concerning behavior. Only two in five (38%) reported that they would immediately cut off access for a worker who was accessing systems or data inappropriately, leaving the door open for risk due to an insider threat or compromised credentials.

In addition, seven in 10 (69%) access stakeholders themselves confess to having personally engaged in sloppy system identity behavior, including using the same username and password for both work and personal accounts, using an unauthorized device for work, or sharing credentials with non-workers. Two-thirds (68%) agreed that even though they care about security, it is more important to get their job done.

Two in five access stakeholders (39%) agreed that system access at their company is “messy” and most (83%) believe that system access can be better. Automation may be one key to improving system access challenges. Less than a quarter (23%) report that they automate enabling access to required corporate systems, while only a third (35%) report automation of revoking access when workers leave.

“These numbers are alarming from a security risk perspective. Failing to revoke system access immediately after a worker leaves an organization and when suspicious access is detected present significant risk,” said Julie Smith, executive director of the IDSA. “The good news for enterprises is that the risks highlighted in the study can be mitigated through enlisting the help of stakeholders, who also want to be a part of the solution, through governance process, automation, and identity-centric security strategies.”

Kevin Dunne, President at Greenlight, a Flemington, New Jersey-based provider of integrated risk management solutions, says, "Though the report findings are unsettling, they reflect the realities of today's complex work from home environment and hybrid landscape of cloud and on-premise applications. Many organizations still struggle to find a unified solution which can not only grant access but also monitor what is done with the access once it has been granted. Typically, IT security teams rely on a hodgepodge of point solutions for each application with little visibility across the enterprise landscape. Fortunately, many new advancements have been made in the area of just-in-time provisioning, which can automate much of the access governance process and shave provisioning and deprovisioning time from days down to seconds."

To download the full report, visit https://www.idsalliance.org/identity-and-access-management-the-stakeholder-perspective.

In this webinar, we review the rise of cloud access control and access control as a service, its advantages and disadvantages, and how to select the optimal cloud access control solution for your company.

Security leaders need to accept and act on this reality and take measured and thoughtful steps to mitigate the risk and train staff about the growing likelihood of such violent incidents in their facilities and workplaces.