Might your ex-employees still have access to corporate data?

Are you sure your former colleagues don’t have access to corporate data or systems?

Are you sure your former colleagues don’t have access to corporate data or systems?

How confident are you that your former employees no longer have access to corporate information? As practice shows, this isn’t an irrelevant question. Recently, our colleagues analyzed how well small and medium-sized businesses (SMBs) are prepared for cyberincidents in an unpredictable world. The study found that nearly half of the SMBs surveyed were not 100 percent sure that dismissed employees could not still access their business data through cloud services or corporate accounts.

What harm can an ex-employee with access to corporate data do?

If an ex-employee still has access to work services or information systems, they could do plenty of harm to their former employer – should that float their boat. SMBs usually worry about fairly phantom threats, such as a former employee using corporate data to launch their own rival business or taking a job with a competitor and stealing the company’s customers. But in terms of business damage, these are way down the list.

If an ex-employee has access to a customer database that contains personal data, what they could do is leak it into the public domain (for example, as revenge for dismissal) or sell it on the dark web. For a start, that would damage the reputation of your business. Second, it could jeopardize your customers, who might take legal action – if not for damages, then at least for having their personal data leaked. Third, you could receive a hefty fine from the regulators. This latter one depends of course on the laws of the country where you operate, but there’s a growing trend worldwide toward tightening the penalties for leaks of this kind.

Potential problems without malicious intent

Some issues are not the result of scheming ex-employees, or even direct leaks. An ex-colleague may not even remember they had access to such-and-such resource. But a routine check by those same regulators might reveal that unauthorized persons do in fact have access to confidential information, which would still result in a fine.

And even if you’re absolutely certain you parted ways on good terms with everyone, that doesn’t mean you’re out of the woods. Who can guarantee they didn’t use a weak or non-unique password to access work systems, which attackers could brute-force or come across in an unrelated leak? Any redundant access to a system – be it a collaborative environment, work e-mail or virtual machine – increases the attack surface. Even a simple chat among colleagues about non-work issues could be used for social-engineering attacks.

How to minimize the risks

Most of the measures to combat data leaks through ex-employees’ accounts are organizational. Thus, we recommend:

  • Minimizing the number of people with access to important corporate data.
  • Setting strict access policies for corporate resources – including e-mail, shared folders and online documents.
  • Keeping a strict access log: record what access was granted and to whom. Revoke it immediately if the employee leaves the company.
  • Creating clear instructions for creating and changing passwords.
  • Introducing regular cybersecurity awareness training for employees.