
Rajnish Ghaly

Security Blogger

22nd November 2022

In today’s business environment, it is not uncommon for employees to take confidential data with them when they leave a company. A study by the Ponemon Institute reported that 59% of employees took company data with them when they left their jobs. This could be the result of companies not having a suitable off-boarding process for ex-employees, malicious intent by the employee, or businesses demonstrating a relaxed attitude towards information security.

The cyber risks of failing to remove account access for ex-employees are far too great and can lead to data breaches and insider attacks, whether intentional or not. Whether it’s a harmful act or employee negligence due to a lack of understanding of information security, the loss of sensitive data could impact your organization financially and reputationally.

In this blog, we discuss the dangers of retaining old user accounts and the importance of implementing a policy of least privilege.

Dangers of not removing user privileges when employees leave

The IT infrastructure of organizations today spreads far and wide. At any given time, employees have access to multiple accounts and sensitive data, and this is expected for day-to-day business activities. If accounts and user privileges are not managed correctly, this could lead to data breaches. An effective security plan should incorporate removing access to safeguard your business against security threats.

There are significant dangers in retaining old and unused user accounts, such as increasing your attack surface. There are also risks of insider threats. You should follow a zero-trust model, where access to networks, applications and accounts is only permitted if you can verify a user’s identity and privileges, minimizing the impact of an insider or external threat accessing your data. Any ex-employee with valid credentials could access your network at any given time, even after they’ve left your company. All it takes is for one disgruntled ex-employee to compromise your organization by deleting, stealing or sharing sensitive and confidential data.

The theft of intellectual property can also be harmful for your company. Not removing user privileges could lead to competitors taking advantage of employees that steal business-critical information and take it to their new roles, placing your organization at a disadvantage.

Your business should be proactive once it is known that an employee is leaving the company. All organizations should have an account disablement policy in place that ensures user accounts and privileges are disabled and removed once an employee's contract is terminated. Additionally, physical security measures should not be ignored, such as revoking access to buildings and offices, to protect your organization from data theft or loss.

How to manage your risk

Prevention is better than a cure. Robust risk management is your best defense against cyber attacks that stem from retaining old user accounts. Even with an expansive IT infrastructure that includes internal assets, the cloud, and remote workers, your organization needs security measures that protect your network and data from being exposed.

So, how can your organization manage risk?

Off-boarding ex-employees

Off-boarding an employee and terminating access to office buildings, user accounts and remote access is part of your organization's responsibility to secure confidential data. This should include taking back all devices and ID badges and any other media that an employee may have that allows access to the business premises, network and data.

Monitor user activity

It’s important to monitor user activity across your network with proactive methods, such as log monitoring, to detect anomalous behavior, accounts being accessed outside of office hours, or data leaving the network.
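The following added example, which is not part of the original post, shows one way to apply the log monitoring described above: it checks authentication events against an HR leaver list and a set of office hours. The log format, account names, addresses, dates and office hours are all constructed assumptions for illustration.

```python
from datetime import datetime, time

# Constructed HR leaver list: username -> moment access should have ended.
LEAVERS = {
    "jsmith": datetime(2022, 11, 4, 17, 30),
    "apatel": datetime(2022, 11, 18, 17, 30),
}

# Constructed log in a hypothetical "timestamp user result source" format.
AUTH_LOG = """\
2022-11-03T09:12:44 jsmith SUCCESS 10.0.4.21
2022-11-07T23:41:02 jsmith SUCCESS 203.0.113.50
2022-11-08T10:05:19 mjones SUCCESS 10.0.4.33
2022-11-09T02:17:55 mjones SUCCESS 198.51.100.7
2022-11-21T08:59:30 apatel FAILURE 10.0.4.40
this line is malformed
"""

OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)  # assumed office hours

def in_office_hours(when):
    """True for Monday to Friday within the assumed office-hours window."""
    return when.weekday() < 5 and OFFICE_START <= when.time() < OFFICE_END

def find_alerts(log_text, leavers):
    """Return (alerts, unparsed): alert tuples plus a count of bad lines."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        try:
            ts, user, result, source = line.split()
            when = datetime.fromisoformat(ts)
        except ValueError:
            unparsed += 1  # count rather than silently drop bad lines
            continue
        left = leavers.get(user)
        if left is not None and when > left:
            # A success means the account was never disabled; a failure
            # means someone is still trying credentials that should be dead.
            reason = "leaver-login" if result == "SUCCESS" else "leaver-attempt"
            alerts.append((reason, user, when, source))
        elif result == "SUCCESS" and not in_office_hours(when):
            alerts.append(("out-of-hours", user, when, source))
    return alerts, unparsed

if __name__ == "__main__":
    alerts, unparsed = find_alerts(AUTH_LOG, LEAVERS)
    for reason, user, when, source in alerts:
        print(f"{when.isoformat()} {reason:<14} {user:<8} from {source}")
    print(f"{unparsed} unparsed line(s)")
```

A "leaver-login" alert is the most urgent of the three, because it shows that an account survived off-boarding and was used afterwards.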

A study by Google shows that 43% of people in the US have shared their credentials with someone else. This poses a significant risk to your organization's account security, as employees leaving the company could still have access to shared accounts, which makes it more difficult to detect who is doing what. However, with cyber security awareness training, employees can be trained on cyber attacks and how to reduce security breaches from human error.

Stronger authentication methods

By strengthening authentication methods with two-factor authentication (2FA) or multi-factor authentication (MFA), 99.9% of automated attacks can be blocked. This can be an effective safety net to protect against unauthorized access to privileged accounts. Furthermore, 2FA and MFA are required to comply with PCI DSS, ISO 27001 and Cyber Essentials.

Compliance

Compliance and certification schemes, such as PCI DSS, HIPAA, ISO 27001 and Cyber Essentials, all require you to demonstrate how you manage your risk and who can access your data and services. To meet compliance requirements, businesses must remove user access when an employee leaves the company. One of the five controls of Cyber Essentials revolves around user access controls and what privileges are granted to specific users. Requirement 7 of PCI DSS also requires organizations to restrict access to cardholder data to only those who need it. Limiting access to legitimate business needs will help organizations prevent the abuse of business data, whether by negligence or intent.

Implementing a policy of least privilege

Implementing a policy of least privilege will help to manage your cybersecurity risk. The principle of least privilege means reducing the levels of access or permissions to the minimum that is required for a user to perform their duties. This minimizes risk by limiting access to your sensitive data, applications and connected devices.

Implementing a policy of least privilege will do the following:

  • Reduce your attack surface by limiting administrator privileges that could otherwise be exploited by cybercriminals to access your network and data
  • Minimize the damage that a bad actor could do
  • Mitigate the risk of malware attacks, as a principle of least privilege will prevent bad actors from spreading malware across your network
  • Satisfy your compliance with standards, such as PCI DSS and HIPAA, that require a policy of least privilege to reduce access to cardholder and healthcare data
  • Demonstrate to customers and partners that your organization takes information security seriously, boosting your reputation

In summary

The risk of data theft doesn’t stop once an employee leaves your organization. By retaining user accounts and not following a clear off-boarding process for departing employees, you run the risk of expanding your attack surface and leaving confidential data exposed. Removing user access to accounts, implementing a policy of least privilege and monitoring suspicious behavior across your network, such as detecting suspicious logins or data being moved or deleted, will ensure you protect your systems and data while upholding your compliance.
