UK businesses are failing to take adequate security precautions against disgruntled ex-employees using company IT equipment and inside knowledge to commit digital sabotage, according to digital security consultancy @stake. The firm observes that these risks are heightened by the current wave of hi-tech redundancies.

With a greater percentage of business being conducted over the internet, more workers handling affairs from remote offices and an increasing amount of important company information stored on company servers, organisations are vulnerable to misuse of their digital information or resources by former staff. To help companies avoid financial loss and embarrassment caused by these actions, @stake has offered a set of guidelines that it says should limit the risk.

Failure to disable passwords and accounts, relaxed rules for the return of company laptops and the exploitation of ex-colleagues' multiple-user accounts are all identified as potential security holes.

Royal Hansen, practice director, Europe, at @stake, commented:

"It's no secret that, in the past, companies may find that a few pens, folders or even a laptop may go missing as an employee is shown the door. Today, we are increasingly finding that, as well as physically clearing their desk of its contents, employees are emptying their former company's documents, databases and spreadsheets of confidential data, long after they have left their company car keys behind.

"Companies can greatly reduce this threat by taking a few sensible steps, such as ensuring accounts are shut off as soon as a member of the company leaves and making regular checks on their network perimeter to log all connections. These simple measures should deny access to the majority of non-technical ex-employees who may be tempted to use company resources and subscriptions at great expense to the company.

"Most importantly, this vulnerability highlights that IT security is predominantly a people issue, rather than a product issue. Costly security measures will do little to prevent the risk of ex-employees compromising confidential data, compared to having an agreed policy in place that can be implemented as soon as an employee leaves a company. We have outlined a set of realistic measures that should help companies protect data and resources from disgruntled individuals."

Guidelines by @stake to limit the threat from disgruntled ex-employees:

  • Patrol your perimeter - Companies should regularly make security checks on their network perimeter, building a log of all the connections. Armed with this knowledge, as soon as a member of personnel leaves, the company can identify the holes in the network that need to be closed off.
  • Roll-call of company equipment - Laptops owned by the company give employees an excellent tool to start their attack. A regular stock-take of all IT equipment and the member of staff borrowing the equipment will make it easier for a company to identify the equipment to recall after staff cutbacks.
  • Check for unofficial accounts - Employees may have set up their own accounts, other than those allocated by the company, which may go unnoticed when the employee leaves. A regular inspection will alert the company to any new accounts.
  • Terminate user accounts - Companies should have a routine of simply turning off access to a user's account once they are no longer employed.
  • Disable passwords - Companies should have a policy of expiring the passwords of employees immediately after departure.
  • Careless talk costs - There should be a realistic policy in place to ensure employees do not pass on updated passwords to ex-colleagues or allow them to share a multi-user account. Companies should ration multi-user accounts to situations where business benefits outweigh security risks.
  • Work together - The IT manager should work with other relevant departments, such as Human Resources, to ensure the smooth implementation of a planned IT security procedure.
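
One way to put the account-related guidelines into routine practice is a regular reconciliation of the HR roster against the account inventory. The sketch below is an added example, not @stake's own material; the record layout, field names and all data in it are constructed assumptions.

```python
"""Leaver reconciliation: HR roster vs. account inventory (constructed data)."""
from datetime import date

# Constructed HR export: employee id -> leaving date (None = still employed).
HR_ROSTER = {"e100": None, "e101": date(2002, 3, 1), "e102": None}

# Constructed account inventory, e.g. merged from directory and remote-access exports.
# "owners" lists the employee ids HR has on record for the account.
ACCOUNTS = [
    {"name": "asmith", "owners": ["e100"], "enabled": True, "pw_changed": date(2002, 1, 10)},
    {"name": "bjones", "owners": ["e101"], "enabled": True, "pw_changed": date(2002, 2, 1)},
    {"name": "bjones-dialup", "owners": [], "enabled": True, "pw_changed": date(2001, 11, 5)},
    {"name": "sales-shared", "owners": ["e101", "e102"], "enabled": True, "pw_changed": date(2002, 2, 20)},
    {"name": "cdoe", "owners": ["e102"], "enabled": True, "pw_changed": date(2002, 3, 2)},
]

def reconcile(roster, accounts, today):
    """Return {account name: action} for enabled accounts that need attention."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already shut off
        known = [o for o in acct["owners"] if o in roster]
        if not known:
            # Nobody on the HR roster owns it: an unofficial account.
            findings[acct["name"]] = "unofficial: no HR owner, investigate"
            continue
        left = [roster[o] for o in known if roster[o] is not None and roster[o] <= today]
        if not left:
            continue  # every owner is still employed
        if len(left) == len(known):
            findings[acct["name"]] = "disable: all owners have left"
        elif acct["pw_changed"] <= max(left):
            # Multi-user account whose password predates the latest departure.
            findings[acct["name"]] = "rotate password: shared with a leaver"
    return findings

if __name__ == "__main__":
    for name, action in reconcile(HR_ROSTER, ACCOUNTS, date(2002, 3, 5)).items():
        print(f"{name}: {action}")
```

Run on a schedule with the HR export as input, this gives the IT manager a standing list of accounts to close, investigate or re-key after each departure.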