The importance of removing user access

The importance of removing user access The importance of removing user access The importance of removing user access
Photo of Rajnish Ghaly

Rajnish Ghaly

Security Blogger

22nd November 2022

In today’s business environment, it is not uncommon for employees to take confidential data with them when they leave a company. A study by the Ponemon Institute reported that 59% of employees took company data with them when they left their jobs. This could be the result of companies not having a suitable off-boarding process for ex-employees, malicious intent by the employee, or businesses demonstrating a relaxed attitude towards information security.

The cyber risks of failing to remove account access for ex-employees are far too great and can lead to data breaches and insider attacks, whether intentional or not. Whether it’s a harmful act or employee negligence due to a lack of understanding of information security, the loss of sensitive data could impact your organization financially and reputationally.

In this blog, we discuss the dangers of retaining old user accounts and the importance of implementing a policy of least privilege.

Dangers of not removing user privileges when employees leave

The IT infrastructure of organizations today spreads far and wide. At any given time, employees have access to multiple accounts and sensitive data, and this is expected for day-to-day business activities. If accounts and user privileges are not managed correctly, this could lead to data breaches. An effective security plan should incorporate removing access to safeguard your business against security threats.

There are significant dangers of retaining old and unused user accounts, such as increasing your attack surface. There are also risks of insider threats. You should follow a zero-trust model where access to networks, applications and accounts are only permitted if you can verify a user’s identity and privileges, minimizing the impact of an insider or external threat from accessing your data. Any ex-employee with valid credentials could access your network at any given time, even after they’ve left your company. All it takes is for one disgruntled ex-employee to compromise your organization by deleting, stealing or sharing sensitive and confidential data.

The theft of intellectual property can also be harmful for your company. Not removing user privileges could lead to competitors taking advantage of employees that steal business-critical information and take them to their new roles, placing your organization at a disadvantage.

Your business should be proactive once it is known that an employee is leaving the company. All organizations should have an account disablement policy in place that ensures user accounts and privileges are disabled and removed once an employee's contract is terminated. Additionally, physical security measures should not be ignored, such as revoking access to buildings and offices, to protect your organization from data theft or loss.

How to manage your risk

Prevention is better than a cure. Robust risk management is your best defense against Cyber Attacks that stem from retaining old user accounts. Even with an expansive IT infrastructure that includes internal assets, the cloud, and remote workers, your organization needs security measures that protect your network and data from being exposed.

So, how can your organization manage risk?

Off-boarding ex-employees

Off-boarding an employee and terminating access to office buildings, user accounts and remote access is part of your organization's responsibility to secure confidential data. This should include taking back all devices and ID badges and any other media that an employee may have that allows access to the business premises, network and data.

Monitor user activity

It’s important to monitor user activity across your network with proactive methods, such as log monitoring, to detect anomalous behavior, accounts being accessed outside of office hours, or data leaving the network.

A study by Google shows that 43% of people in the US have shared their credentials with someone else. This poses a significant risk to your organization's account security, as employees leaving the company could still have access to shared accounts, which makes it more difficult to detect who is doing what. However, with cyber security awareness training, employees can be trained on Cyber Attacks and how to reduce security breaches from human error.

Stronger authentication methods

By strengthening authentication methods, with two-factor (2FA) or multi-factor authentication (MFA), 99.9% of automated attacks can be blocked. This can be an effective safety net to protect unauthorized access to privileged accounts. Furthermore, 2FA and MFA are required to comply with PCI DSS, ISO 27001 and Cyber Essentials.


Compliance and certification schemes, such as PCI DSS, HIPAA, ISO 27001 and Cyber Essentials, all require you to demonstrate how you manage your risk and who can access your data and services. To meet compliance requirements, businesses must remove user access when an employee leaves the company. One of the five controls of Cyber Essentials revolves around user access controls and what privileges are granted to specific users. Requirement 7 of PCI DSS also requires organizations to restrict access to cardholder data to only those who need it. Limiting access to legitimate business needs will help organizations prevent the abuse of business data, whether by negligence or intent.

Implementing a policy of least privilege

Implementing a policy of least privilege will help to manage your cybersecurity risk. The principle of least privilege means reducing the levels of access or permissions to the minimum that is required for a user to perform their duties. This minimizes risk by limiting access to your sensitive data, applications and connected devices.

Implementing a policy of least privilege will do the following:

  • Reduce your attack surface by limiting administrator privileges that could otherwise be exploited by cybercriminals to access your network and data
  • Minimize the damage that a bad actor could do
  • Mitigate the risk of malware attacks, as a principle of least privilege will prevent bad actors from spreading malware across your network
  • Satisfies your compliance with standards, such as PCI DSS and HIPAA, that require a policy of least privilege to reduce access to cardholder and healthcare data
  • Demonstrates to customers and partners that your organization takes information security seriously, boosting your reputation

In summary

The risk of data theft doesn’t stop once an employee leaves your organization. By retaining user accounts and not following a clear off-boarding process for departing employees, you run the risk of expanding your attack surface and leaving confidential data exposed. Removing user access to accounts, implementing a policy of least privilege and monitoring suspicious behavior across your network, such as detecting suspicious logins or data being moved or deleted, will ensure you protect your systems and data while upholding your compliance.

Start managing your cyber security efficiently today with™