Businesses leave themselves open to potential data
breaches by failing to disable ex-employees’ access to the
corporate network, according to a new study by OneLogin.
Over half (58%) of ex-employees are still able to
access all corporate applications after leaving the business.
Furthermore, this is a proven risk, with 24% of
businesses being subject to data breaches carried out by former employees.
The UK-based report, drawing on responses from more
than 600 IT decision-makers, revealed that half of these respondents were not
using automated deprovisioning technology to disable employees’ access.
The fact that the majority (92%) of businesses
attempt to manually sever access may explain why, a month after leaving the
business, 28% of employees are still able to log on to corporate applications.
Alvaro Hoyos, chief information security officer at
OneLogin, said: “Our study suggests that many businesses are burying their
heads in the sand when it comes to this basic, but significant, threat to
valuable data, revenue and brand image.”
This study follows OneLogin’s recent acknowledgement, regarding the security incident on May 31,
that it is unable to guarantee the security of encrypted data compromised by a cybercriminal.
The report stated: “We know that a threat actor
used one of our AWS keys to gain access to our AWS platform”, and made
reference to an “ongoing investigation” with “an independent security firm to determine
how the unauthorized access happened”.
Hoyos suggested that the upcoming General Data
Protection Regulation (GDPR) might put the necessary pressure on businesses, stating:
“With [GDPR] in mind, businesses should proactively seek to close any open
doors that could provide rogue ex-employees with opportunities to access and
exploit corporate data.
“The first step is acknowledging the problem, which
businesses now have done by confessing they are aware of the issue. They now
need to take steps to fix this issue by utilising the available tools”.