The transition from a president to their successor is one of the most intricate processes in the United States’ democracy. An extreme level of caution is taken by everyone involved to ensure sensitive information is handled accordingly and the incumbent president (and those in the outgoing administration) does not continue to have access to ongoing administrative and security privileges.
But the same level of scrutiny often doesn’t seem to hold true for chief executive changeovers outside the White House. According to a recent study by the Identity Defined Security Alliance (IDSA), only 34% of organizations revoke system access from employees on the day they leave. This is concerning because the cost to remediate insider threats is rising: up 31% between 2017 and 2019, from $8.76 million to $11.45 million, according to The Ponemon Institute’s Cost of Insider Threats study.
To combat this issue, businesses should have an extensive checklist of actions to protect sensitive information and systems, and should have automated processes in place to prevent any such lag. However, most enterprises and security executives fail to take appropriate action when an IT administrator or security professional leaves, other than simply creating new credentials for the replacement. This often means the former employee is walking around with information and privileged access that could hurt the organization if distributed, sold, stolen or made public.
These dreaded scenarios have played out at companies around the globe, including Cisco, Amazon, Snapchat and Facebook. In fall 2018, five months after resigning from his position as an engineer, a former Cisco employee accessed the company’s cloud infrastructure and wiped 16,000 Webex Teams employee accounts, as he later admitted. According to the U.S. Department of Justice, the Webex Teams accounts were shut down for up to two weeks, resulting in approximately $1,400,000 in damages.
In summer 2019, a former Amazon Web Services employee exploited a cloud misconfiguration at Capital One to access credit applications, Social Security numbers and/or bank account numbers of almost 110 million people in the U.S. and Canada. The former AWS employee was located by the U.S. Federal Bureau of Investigation after she took to GitHub to brag about the data theft.
Similar to outgoing presidents and their staff, former employees with a motive can abuse their privileges to access information they deem valuable or useful in the future.
The best way to prevent these types of threats is to consolidate entitlements, control and visibility over privileged identities, and to take a Zero Trust approach to privileged authentication and access.
The importance of exit interviews
From both a leadership perspective and a security perspective, there is a strong argument for holding exit interviews with departing employees. It’s a good idea to collect feedback from former employees, but these interviews can also give the Chief Security Officer and the overall security team context on potential threats down the road from possibly disgruntled employees. From a tactical perspective, a termination checklist for an employee’s departure is also recommended. This should include revoking all access – both physical and digital – as soon as someone leaves the company. Beyond the standard ID card, access code or key ring, security teams need to make sure every privileged access grant is revoked.
Departments must work together
Similar to how the White House must determine what confidential information is accessible to which privileged staff members – yes, even former presidents – IT and security should strive to move away from shared passwords and instead consolidate privileged identities. This includes leveraging a common enterprise authentication service across on-premises and cloud-based infrastructure, and having administrators log in as themselves using entitlements granted in a centrally managed identity repository, so there is greater visibility and accountability.
Since many organizations rely on an HR management system as the source of record for all users in the organization, IT, security and HR must work together to prevent knowledge gaps. When an employee leaves, security should not be an afterthought. When it is, ex-employees can exploit the lag in access restriction, giving them time to download private files, wipe devices or steal customer data to use later.
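As an added illustration of the HR-driven reconciliation this section argues for (example code, not from the article or any vendor product): the HR feed is treated as the source of record, identity-store accounts are compared against it, and any leaver who is still enabled or still holds entitlements is turned into a revocation action, with privileged leftovers and the longest lag surfaced first. The records and field names below are constructed assumptions.

```python
"""Reconcile an HR source-of-record export against identity-store accounts
and flag departed users whose access was not revoked on their last day."""
from dataclasses import dataclass
from datetime import date

# Constructed sample HR feed (assumed field names, not a real system's schema).
HR_RECORDS = [
    {"employee_id": "E100", "status": "terminated", "last_day": "2021-01-15"},
    {"employee_id": "E101", "status": "active", "last_day": None},
    {"employee_id": "E102", "status": "terminated", "last_day": "2021-01-18"},
]
# Constructed identity-store view: one row per account with its entitlements.
ACCOUNTS = [
    {"employee_id": "E100", "username": "jdoe", "enabled": True, "entitlements": ["cloud-admin", "vpn"]},
    {"employee_id": "E101", "username": "asmith", "enabled": True, "entitlements": ["vpn"]},
    {"employee_id": "E102", "username": "bkim", "enabled": False, "entitlements": []},
    {"employee_id": "E103", "username": "ctran", "enabled": True, "entitlements": ["vpn"]},  # no HR record
]
PRIVILEGED = {"cloud-admin", "domain-admin", "db-admin"}  # assumed privileged entitlement names


@dataclass
class Finding:
    username: str
    lag_days: int        # days since last day on which access was still live
    privileged: list     # privileged entitlements still held
    actions: list        # revocation steps the termination checklist should run


def reconcile(hr_records, accounts, today):
    """Return a Finding for every leaver (or orphan account) with residual access."""
    by_id = {r["employee_id"]: r for r in hr_records}
    findings = []
    for acct in accounts:
        hr = by_id.get(acct["employee_id"])
        # An account with no HR record is an orphan: the source of record does not know it, so treat it as a leaver.
        if hr is not None and hr["status"] != "terminated":
            continue
        if not acct["enabled"] and not acct["entitlements"]:
            continue  # already fully deprovisioned
        last_day = date.fromisoformat(hr["last_day"]) if hr and hr["last_day"] else today
        actions = [f"disable account {acct['username']}"] if acct["enabled"] else []
        actions += [f"revoke {e} from {acct['username']}" for e in acct["entitlements"]]
        privileged = sorted(set(acct["entitlements"]) & PRIVILEGED)
        findings.append(Finding(acct["username"], (today - last_day).days, privileged, actions))
    # Privileged leftovers first, then the longest-standing lag.
    findings.sort(key=lambda f: (-len(f.privileged), -f.lag_days))
    return findings
```

Running `reconcile(HR_RECORDS, ACCOUNTS, date(2021, 1, 20))` on the constructed data reports the still-enabled cloud admin five days after his last day ahead of the orphaned VPN account.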
Just as the Biden administration is working to avoid potential disruptions as it assumes office, organizations must prioritize the securing of employee transitions to avoid possible data theft or abuse. Operating with a Zero Trust mindset is the best – and we think, the only – way to approach securing an organization’s information. The legacy approach to privileged access management (PAM) is no longer sufficient, and requires a rethinking of how to protect against privileged access abuse in today’s dynamic threat landscape.
Changeover is inevitable at every organization, all the way up to the chief executive. Any former employee represents a risk that can be exploited if their identities and privileges are not managed swiftly and thoroughly. If companies don’t take this access risk seriously, they risk damaging insider threats that can cost them time, money, reputation, trust, and ultimately customers.