When an employee leaves your business, are you letting them walk out with access to valuable company data?
According to the 2014 Intermedia SMB Rogue Access Study, 89% of employees who leave a company retain access to business or cloud applications like Salesforce, PayPal, email and SharePoint.
That's a scary figure. We've written a lot about IT security lately, but statistics like this make us think that this level of coverage is warranted.
When a member of staff leaves your business, you must have a way to revoke their access to all your resources. Failure to do so just invites disaster.
Ex-employees are actually signing in
Of those people questioned for the research, 49% had actually signed in to an ex-employer's account, despite having left the company.
Most of these people probably act out of curiosity, rather than malice. But they still have access to apps that may contain important company data.
A minority will almost certainly be intending to do harm to their former employers. It only takes one person to cause you all sorts of problems.
You could be looking at hefty reputational damage, a loss of competitive advantage — or even a big fine from the Information Commissioner.
Security begins at work
“Most small businesses think 'IT security' applies only to big businesses battling foreign hackers,” says Michael Gold, president of Intermedia.
“This report should shock smaller businesses into realising that they need to protect their leads databases, financial information and social reputation from human error as well as from malicious activity.”
You can start by putting some proper procedures in place to control and revoke access when employees leave your company. These are some good starter tips:
- Record who has access to what. You can't be sure you've revoked everything unless you know what each employee can access. If you rely on apps with separate usernames and passwords, it's particularly important to keep an up-to-date list of who has access to what.
- Don't share usernames and passwords. Some cloud services charge extra for each user, so it's tempting to have one generic username and give everyone access. Bad idea: every employee who leaves will know the username and password.
- Have an 'offboarding' process. You probably have a standard procedure for when people join your company. But do you have a similar set of steps to follow when someone leaves? If not, it might be an idea to put a checklist together.
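To show how these three tips fit together, here is an added example (written for illustration, not taken from the Intermedia study or any product): a short Python script that reads a "who has access to what" list and builds an offboarding checklist for a leaver, flagging shared logins whose passwords must be changed. The CSV layout, people and account names are all made up.

```python
import csv
import io
from collections import defaultdict

# Constructed sample access list: one row per person, app and login.
# In practice this would be a spreadsheet export you keep up to date.
INVENTORY_CSV = """person,app,account
alice,Salesforce,alice@example.com
alice,email,alice@example.com
alice,PayPal,accounts@example.com
bob,PayPal,accounts@example.com
bob,SharePoint,bob@example.com
carol,Salesforce,carol@example.com
"""

def load_inventory(text):
    """Parse the access list into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def shared_accounts(rows):
    """Return {(app, account): [people]} for logins used by more than one person."""
    users = defaultdict(set)
    for r in rows:
        users[(r["app"], r["account"])].add(r["person"])
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

def offboarding_checklist(rows, leaver):
    """Build the revocation steps to carry out when `leaver` departs."""
    shared = shared_accounts(rows)
    steps = []
    for r in rows:
        if r["person"] != leaver:
            continue
        key = (r["app"], r["account"])
        if key in shared:
            # A shared login cannot simply be disabled: the leaver knows the
            # password, so change it and tell the remaining users.
            others = [p for p in shared[key] if p != leaver]
            steps.append(("rotate_password", r["app"], r["account"], others))
        else:
            steps.append(("disable_account", r["app"], r["account"], []))
    return steps

if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    for action, app, account, notify in offboarding_checklist(rows, "alice"):
        extra = f" (tell: {', '.join(notify)})" if notify else ""
        print(f"[ ] {action}: {app} / {account}{extra}")
```

An empty checklist for someone who clearly used company apps is itself a warning sign: it means the access list is incomplete.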
It can be trickier than you might expect to get a handle on who has access to what in your business. However, once you do so, you can be more confident of retaining control over your most important data.