Some former employees steal patient or customer data to commit identity theft. Others steal customer lists or intellectual property. A few attempt to blackmail or publicly embarrass their former employer.
Customers are Angry
The comments posted in response to these reports are sobering. Members of the general public are livid when the data theft involves customer/patient data and they feel they could have been victimized.
Many incorrectly demand action against the company’s IT security management. A common mistaken analogy is “I had to turn in my office key when I left my last company, so how hard can it be to revoke an employee’s access?”
Knowing is the Hardest Part
Unfortunately, knowing that an employee’s access should be revoked is the hard part. Every IT security organization I have known can revoke an employee’s access within minutes, but it is at the mercy of the managers who must request that the access be revoked. It is the human element that is repeatedly the weakest link in the chain.
Terminated but Still on Payroll
I was told about an employee who was escorted to the door with no advance notice of their termination. But IT was not notified until 6 months later. Why? Because the ex-employee’s severance agreement included 6 months’ salary, so he remained on the payroll and in the HR systems as an active employee until his severance agreement ended. (And no, I won’t tell you what this angry employee did during those 6 months.)
Manager Mistakes – “I Forgot”
I have been told many variations on the story “the manager did not report the terminated employee to HR until weeks after the last day”. Often managers were busy and knew they had given the employee 2 or more weeks of severance, so the manager did not worry about informing HR until it was time for the paychecks to stop.
Other times the manager wanted continued access to the ex-employee’s accounts to help with a transition. A few times the manager had malicious intent and misused the ex-employee’s access. (See this blog posting)
Employee ID Baked into Critical Application
There have been other instances where turning off the access of an ex-employee would break an important application, because the employee had hard-coded his or her own user ID into the code that retrieved or updated the data. (And this is not just IT staff; other departments had hacked together their own data access the same way.)
IAM and SSO are Important but Do Not Solve the Problem
Implementing a provisioning system (IAM/IdM) or single sign-on (SSO), or cracking down on managers who do not follow policy, is not a comprehensive solution. All such preventive controls can be subverted, for innocent or malicious reasons. The key is to have an automated detective control that finds terminated users and their unrevoked rights, so that IT is NOT wholly dependent on people and process.
Automatically Discover Unrevoked Access of Terminated Users
Veriphyr is an analytics service that discovers unrevoked access of terminated users on mainframe, midrange, Linux/Unix, and Windows systems.
Every user has an activity profile based on their unique pattern of usage. Veriphyr can differentiate between the activity patterns of current employees versus terminated employees – even terminated employees who continue to access sensitive systems. Veriphyr can even differentiate between full-time employees and those on vacation, or contractor accounts between projects.
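To make the detective-control idea concrete, here is an added example (my own illustration, not Veriphyr’s code or a description of how its service works). It reconciles a hypothetical HR feed against a hypothetical authentication log and raises the four findings the stories above call for: a user HR marks as terminated who still logs in, an account with no HR record at all, an account that went silent and then resumed (the walked-out employee still on payroll, caught by a simple activity-gap heuristic that is an assumption of this example), and a human account that logs in at the identical time every day like a scheduled job, which is the signature of a user ID baked into an application and should be reviewed before it is disabled. All usernames, log lines and HR rows are constructed sample data.

```python
"""Detective control for unrevoked access (added example, hypothetical data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR feed: (username, HR status, last working day or None).
# bwong was walked out on 2024-01-04 but stays ACTIVE in HR while on severance.
HR_FEED = [
    ("jdoe",   "TERMINATED", "2024-01-15"),
    ("asmith", "ACTIVE",     None),
    ("bwong",  "ACTIVE",     None),
    ("tlee",   "ACTIVE",     None),
]

# Constructed authentication log, one successful/failed login per line.
AUTH_LOG = """\
2024-01-10T09:02:11 user=jdoe src=10.1.4.22 result=success
2024-01-14T17:40:03 user=jdoe src=10.1.4.22 result=success
2024-01-22T23:15:48 user=jdoe src=198.51.100.7 result=success
2024-01-03T08:55:00 user=bwong src=10.1.4.31 result=success
2024-01-04T09:01:12 user=bwong src=10.1.4.31 result=success
2024-01-29T02:12:39 user=bwong src=203.0.113.9 result=success
2024-01-08T08:30:02 user=asmith src=10.1.4.40 result=success
2024-01-09T08:31:57 user=asmith src=10.1.4.40 result=success
2024-01-15T08:29:44 user=asmith src=10.1.4.40 result=success
2024-01-16T03:00:00 user=tlee src=10.2.0.5 result=success
2024-01-17T03:00:00 user=tlee src=10.2.0.5 result=success
2024-01-18T03:00:00 user=tlee src=10.2.0.5 result=success
2024-01-19T03:00:00 user=tlee src=10.2.0.5 result=success
2024-01-20T03:00:00 user=tlee src=10.2.0.5 result=success
2024-01-12T11:12:13 user=ghost src=10.1.4.50 result=success
"""

LOG_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(\S+)$")


def parse_log(text):
    """Return {username: sorted datetimes of successful logins}."""
    logins = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the control
        ts, user, _src, result = m.groups()
        if result == "success":
            logins[user].append(datetime.fromisoformat(ts))
    return {u: sorted(t) for u, t in logins.items()}


def parse_hr(rows):
    """Return {username: (status, last_working_day datetime or None)}."""
    return {u: (s, datetime.fromisoformat(d) if d else None) for u, s, d in rows}


def unrevoked_terminated(hr, logins):
    """Finding 1: HR says TERMINATED, yet logins occur after the last working day."""
    out = []
    for user, (status, lwd) in hr.items():
        if status != "TERMINATED" or lwd is None:
            continue
        cutoff = lwd + timedelta(days=1)  # any login from the following day on
        late = [t for t in logins.get(user, []) if t >= cutoff]
        if late:
            out.append((user, late[-1]))
    return out


def orphan_accounts(hr, logins):
    """Finding 2: accounts active in the log with no HR record at all."""
    return sorted(u for u in logins if u not in hr)


def dormant_then_active(logins, gap_days=14):
    """Finding 3 (heuristic): silent for gap_days, then logging in again."""
    out = []
    for user, times in logins.items():
        for a, b in zip(times, times[1:]):
            if b - a >= timedelta(days=gap_days):
                out.append((user, a, b))
                break
    return out


def machine_like(logins, min_days=5):
    """Finding 4 (heuristic): same clock time on min_days distinct days, i.e.
    a human account behaving like a scheduled job (likely embedded in an app)."""
    out = []
    for user, times in logins.items():
        by_clock = defaultdict(set)
        for t in times:
            by_clock[t.strftime("%H:%M:%S")].add(t.date())
        if any(len(days) >= min_days for days in by_clock.values()):
            out.append(user)
    return sorted(out)


def run_control(hr_rows=HR_FEED, log_text=AUTH_LOG):
    """Run all four checks and return the findings as a dict."""
    hr, logins = parse_hr(hr_rows), parse_log(log_text)
    return {
        "terminated_still_logging_in": unrevoked_terminated(hr, logins),
        "no_hr_record": orphan_accounts(hr, logins),
        "dormant_then_active": dormant_then_active(logins),
        "machine_like_human_account": machine_like(logins),
    }


if __name__ == "__main__":
    for finding, hits in run_control().items():
        print(f"{finding}: {hits}")
```

Two caveats a practitioner should keep in mind. The dormant-then-active check will also flag people returning from vacation and contractors between projects, which is exactly the distinction the text above says a real activity profile has to make; the output is therefore a review queue, not an auto-disable list. And the machine-like finding is deliberately routed to review rather than revocation, because disabling that account blind is how the “employee ID baked into a critical application” story ends in an outage.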
Learn how Veriphyr Identity and Access Intelligence service effectively prevents or quickly detects patient data loss or theft, even "snooping" by terminated employees.