Whether employees are moving on to pastures new, or are being let go by their company, the leaving process must ensure that corporate data security is maintained.
Handing over IDs and building access cards when leaving an organisation is a familiar process, and it’s also common for such things as door security code combinations to be changed when an employee leaves. But what about shared company logins for applications, such as Twitter or Facebook, or shared accounts for supplier ordering systems? Those passwords are probably not changed very often, if at all. Also, what about an individual’s access to the company’s CRM system and cloud-based or on-premises e-mail?
If an employee who has been let go holds a grudge and wants revenge, it is vital that the business can efficiently revoke access to systems and applications as they leave; but to do this, it must first know what they had access to in the first place.
‘Social’ Security
For those employees who might be looking for revenge on previous employers, logging into accounts, accessing sensitive files and wreaking havoc with confidential corporate data is a very real possibility. With access to a social media account, such as Twitter, previous employees have the potential to seriously harm a company’s reputation with customers, prospects, shareholders and the media. If employers do not ensure access is revoked when an employee leaves, the organisation is open to attack, embarrassment and potential reputational and financial damage.
January 2013 provided a prime example of how damaging access to a shared account can be. A disgruntled HMV employee took to the corporate Twitter account to vent their frustration at being let go, presenting a very different side of the business to more than 63,000 followers. Given the sensitive subject of the tweets, and the potential for perceived flaws in HMV’s Human Resources process to be made public, this shows exactly the sort of nightmare that keeps business executives up at night.
Password Sprawl
Memorising multiple sign-ons is an onerous task for users, as is keeping track of who has access to what for their company. Employees all too readily share passwords and login information, and organisations struggle to manage the security of shared passwords. Typically, when somebody leaves, it is very difficult to trace which employees have access to which resources, and this situation has been magnified by the use of various cloud-based SaaS applications alongside existing internal systems.
Handing out login information to each employee who needs access to a shared account leads to headaches when changing the password. For the sake of one person leaving, the password must be changed and the remaining people notified (so they can then update the Post-it note stuck to the underside of their keyboard!). Meanwhile, there’s a good chance that someone will try to access the account using the old credentials and lock everyone else out. This wastes company money, time and resources, and will inevitably reduce productivity.
It is far better that none of the people know the shared account password, but gain access based on their job role. Then, when someone no longer has the role, either after leaving the company or an internal move, they can no longer access the account.
To avoid employees having to remember multiple passwords and usernames, it makes sense to have a unified login. In other words, a single username and password from which they are able to access the applications they need for their job role, from any device. Some of these applications may be “shared password” apps, such as the corporate Twitter account already mentioned, and some may be the employee’s individual company account on SaaS applications, such as Dropbox or Office 365.
Businesses need the peace of mind that their information is protected and their reputation remains intact, and key to this is simplicity and consistency of management, reporting and audit. This can be accomplished using unified identity and a zero sign-on solution, which will ensure appropriate access and privileges to SaaS applications, internal applications, UNIX, Linux and Windows servers from the various workstations, laptops and mobile devices a user may work from.
When someone does leave the company, regardless of what terms it is on, disabling a single account makes the continued control and protection of company resources seamless and risk-free.
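The role-based model described above, as an added illustration that is not part of the original article or of any particular product: shared-account credentials are held by a broker and granted by role, so nobody learns the password, "what did this person have access to?" is answered from role membership, and disabling the one identity revokes everything. All names, roles and credentials are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): entitlements are granted to roles, never to people.
ROLE_ENTITLEMENTS = {
    "marketing": {"twitter:corporate", "facebook:corporate"},
    "procurement": {"supplier-portal:shared"},
}

@dataclass
class Identity:
    username: str
    roles: set = field(default_factory=set)
    enabled: bool = True  # the single switch flipped at offboarding

class AccessBroker:
    """Brokers logins to shared accounts; the secret stays inside the broker."""

    def __init__(self, identities, secrets):
        self.identities = {i.username: i for i in identities}
        self.secrets = secrets          # account -> credential, known only to the broker
        self.audit = []                 # (user, account, outcome) for reporting

    def entitlements(self, username):
        """Answer 'what did this person have access to?' from roles, not memory."""
        roles = self.identities[username].roles
        return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))

    def open_session(self, username, account):
        """Return the credential to inject into a session, or None if access is denied."""
        ident = self.identities.get(username)
        if ident is None or not ident.enabled:
            self.audit.append((username, account, "denied:disabled"))
            return None
        if account not in self.entitlements(username):
            self.audit.append((username, account, "denied:no-role"))
            return None
        self.audit.append((username, account, "granted"))
        return self.secrets[account]

    def offboard(self, username):
        """Disable one identity; every brokered account is revoked without a password change."""
        had = self.entitlements(username)
        self.identities[username].enabled = False
        return had

def build_demo_broker():
    # Constructed placeholders, not real credentials.
    return AccessBroker(
        [Identity("alice", {"marketing"}), Identity("bob", {"procurement"})],
        {"twitter:corporate": "<shared-secret>", "facebook:corporate": "<shared-secret-2>",
         "supplier-portal:shared": "<shared-secret-3>"},
    )
```

The list returned by `offboard` is the leaver's access report; the audit log records both grants and the denials that follow the disable.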