
May 14, 2007

Security Strategy is often overlooked when an employee leaves

An excellent article in the FT by Alan Cane

The departure of an employee, or several employees, was once a low-key affair. Today, a combination of regulation, compliance, the internet and mobile technology are conspiring to make it one of senior management’s most serious headaches.

“It’s been a problem for a long time but it’s getting worse and worse,” says Deepak Taneja, chief executive of Aveksa, a company based in Waltham, Massachusetts, which automates the monitoring of access rights.

“Managements now realise that inappropriate access cannot be taken lightly.”

Omar Hussain, chief executive of Imprivata, a provider of authentication and access management services, based in Lexington, Massachusetts, puts it more pithily by referring to the millennium software problem which cost most companies time and money to solve: “Compliance is the next Y2K. It just doesn’t have an expiry date, so everybody has to deal with it.”

He tells the story of an employee who resigned to take a job in another US state. Years later, when the former staff member returned to work for her original company on a freelance basis it was discovered she still had the access codes for one of the company’s business partners. Nobody had remembered to render them invalid.

The take-home lesson is this: many employees leave on a perfectly amicable basis but unless there are business processes in place to ensure that decommissioning is rigorous and effective, such security lapses are inevitable: “The biggest problem is that people do not know that an employee has left,” Mr Hussain says.

“There can be so many systems involved that it becomes impossible to keep track. The time lag between the employee leaving and the IT department cancelling all their passwords can be days to weeks to months to never.”

It is a very common problem, says Ellen Libenson, vice-president, product management for Symark Software of Agoura Hills, California, a specialist in security administration: “It is still very disturbing when you hear from auditors that they are finding 75 to 100 open accounts for employees that have left the company – and some of those employees were fired.” Accounts being left open implies access to credentials and passwords. “The more technologically savvy the person is, the greater the risk.”

An employee who moves through several departments in a company – finance, marketing, human resources and so on – can be a serious headache when they leave because of the access privileges they accumulate.

Unless a central database of their accounts has been maintained, it can be difficult or impossible to discover which of their privileges remains valid.

Andy Lark of LogLogic, which provides log data management from its base in San Jose, California, says: “Over the lifetime of an employee, there may not be a central repository of what the employee had access to or was accessing and so the ability to conduct a Google-like search of all your IT structure to show all log-ons and log-offs by this user on all devices over a period of time is critical. It enables you to close those small back doors that have been opened over time without IT’s knowledge.”
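One way to reconstruct the missing "central repository" and surface accounts still in use after a leaving date, as an added example that is not part of the article: the leaver list and the authentication log lines below are constructed, and the log format (timestamp, system, user, event) is an assumption.

```python
from datetime import date, datetime
from collections import defaultdict

# Constructed HR leaver list: account name -> termination date (not real data).
LEAVERS = {
    "jdoe": date(2007, 3, 1),
    "asmith": date(2007, 4, 15),
    "bwong": date(2007, 4, 20),
}

# Constructed auth log lines in an assumed format: "<ISO timestamp> <system> <user> <event>".
AUTH_LOG = """\
2007-02-27T09:12:00 erp-finance jdoe logon
2007-03-14T17:45:00 vpn-gateway jdoe logon
2007-04-02T08:03:00 partner-extranet jdoe logon
2007-04-14T18:00:00 hr-portal asmith logoff
2007-04-21T07:55:00 mail-server bwong logon
2007-04-22T10:30:00 crm cjones logon
"""

def parse_log(text):
    """Yield (timestamp, system, user, event) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, system, user, event = line.split()
            yield datetime.fromisoformat(ts), system, user, event

def access_inventory(log_text):
    """Per-user set of systems seen in the log: the after-the-fact
    'central repository' of what each account actually touched."""
    inventory = defaultdict(set)
    for _, system, user, _ in parse_log(log_text):
        inventory[user].add(system)
    return dict(inventory)

def orphaned_accounts(log_text, leavers):
    """For each leaver with a logon after their termination date, return
    {user: (lag_in_days_to_latest_logon, sorted systems still used)}."""
    findings = {}
    for ts, system, user, event in parse_log(log_text):
        term = leavers.get(user)
        if term is None or event != "logon" or ts.date() <= term:
            continue  # not a leaver, not a logon, or before they left
        lag = (ts.date() - term).days
        prev_lag, systems = findings.get(user, (0, set()))
        systems.add(system)
        findings[user] = (max(prev_lag, lag), systems)
    return {u: (lag, sorted(s)) for u, (lag, s) in findings.items()}
```

Run against real logs, the lag figure is the "days to weeks to months" Mr Hussain describes, and a non-empty result is the auditor's list of open accounts.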

When employees leave involuntarily, things take on a darker hue.

Stephen Bishop, production director of the UK-based network security company IDsec, emphasises the threats that can arise when key members of staff leave with little or no warning – in one case leading to near panic while an ad hoc security audit was carried out and the business lay idle.

Mr Bishop notes: “The obvious worry is that the person on the way out knows a large number of administrative user-name password combinations and other credentials.

“But does anyone else know the complete set of critical passwords, or at least have access to a sealed envelope containing those for use in an emergency?”

Mr Bishop advocates preparation and planning: “Perhaps a good way of starting is to sit at your desk, close your eyes and imagine your systems manager being run over by a bus (later on, it may be a nice idea to imagine the person making a full recovery in hospital).

“Then think of all the things that could go wrong but with no one available to fix them. This should help focus the mind and provide an incentive for doing some preparation.”

Extensive planning is also a prerequisite for Don Aviv, chief operating officer for the New York-based consultancy Interfor, who has personal experience of 3,000 lay-offs, terminations and renewals when dot.com companies were shedding staff in the early 2000s: “It became a little bit of a science to do it as well as possible.”

Mr Aviv advises that a decommissioning group should be set up with representatives from finance, human resources, corporate security, IT and somebody from the executive board “who has the best interests of the company in mind”. They should consider each case. He says this should apply to single lay-offs as well as mass terminations.

Decisions have to be taken early about compensation, security and the position of the individual in the company: “Is the person a high level IT specialist who will cause concerns when his or her access is cancelled? In the US we would do a legal analysis, so a member of the legal department has to be present and that person has to be a labour law specialist.”

After the team had satisfied itself that the individual could legally and properly be laid off, it would, without the individual’s knowledge, make a physical copy of their hard drive, backing up all the material stored there.

The IT representative on the group should have a list of all the technical assets held by the employee – laptop computer, e-mailing device, mobile phone, keys, access cards and so on.

The next stage, Mr Aviv says, is to train the employee’s manager in the proper decommissioning procedures: “In the US, it’s important to formulate your message in a specific manner, so that you are first giving all the appropriate information and second, answering all the questions and not laying the company open to litigation.

“Then we use all our information to come up with a severance package. As a security professional I can tell you this is the single greatest mitigating factor on how to avoid long term litigation or violence, whether it be workplace violence or some kind of retribution.”

Clive Longbottom of the international consultancy Quocirca agrees that decommissioning can be a nightmare: “With a high proportion of leavers being either disaffected, and so not averse to creating some havoc for the company, or moving on to a competitor, it is becoming more important to ensure that intellectual property is managed and secured at all times.”

He advocates the use of automated systems to ensure that all the necessary decommissioning processes, including the return of communications and recording equipment, are properly carried out: “The overall aim is not to make sure a few thousand dollars’ worth of kit is retrieved, but that a few million dollars’ worth of intellectual property is kept safe.”

He warns, however, that it is impossible to prevent this entirely: “Employees will always walk away with their inherent knowledge and it is impossible to stop them making notes at home on areas that could be important for their next job.”

Which is why Simon Viney, a senior consultant with Ernst & Young in London, considers it a mistake to think that an employee is most dangerous on the point of leaving: “In reality, that danger has existed throughout the employee’s time with the employer,” he argues.

“Organisations must realise they have to control access to sensitive information at all times,” he notes, going on to suggest: “Consider how your organisation’s identity and access management processes limit access to IT systems to the minimum people required to perform their business function and support the complete, and rapid, revocation of employee access where required.

“Do you really know at all times what information systems a particular employee has access to? Certain tools and technologies can assist in this area such as identity and access management products.”

He says these tools are only as good as the processes they support.

In fact, all the automated tools which can be brought to bear on the decommissioning process are only as good as the processes they support.

It is now a fact of business life in these turbulent times that the first requirement is ceaseless vigilance.
