90% of users still have access to old work accounts

No one is ever truly gone if we remember them … or if we forget to revoke their access. 

According to a survey by Intermedia, 89% of users retained access to accounts from previous places of employment. And 45% said they still had access to “confidential” or “highly confidential” work data from previous jobs.

Think they’re full of hot air? Think again.

Half (49%) of respondents had successfully logged into former work accounts after leaving.

Have an exit plan

It’s absolutely critical that IT is kept in the loop on personnel decisions, whether employees leave amicably or not. Otherwise, accounts may remain open and credentials could be valid long after they should be.

Make sure these policies cover:

  1. Revoking cloud accounts. While it can be easy to tell who has access to company email or network logins, the cloud often exists outside of IT’s framework (or knowledge). Have a running list of every cloud service in use, and make sure credentials are revoked for them when users leave.
  2. Accounting for shared credentials. Users shouldn’t be sharing passwords and logins for sites, but that’s not to say they don’t. First and foremost, make sure these shared credentials get updated passwords when employees leave. Then move on to explaining why they’re a terrible idea.
  3. Being kept in the loop. IT should be just as aware of personnel changes as HR is. If the step of notifying IT about personnel decisions right away isn’t in your policies, update them immediately.
  4. Finding gray areas. Sometimes it isn’t as simple as a worker being employed by the company or not. Some remain on the payroll as consultants or contract workers, or put in work here and there after mostly retiring. It may be hard to tell at what point these users have truly left the company. Best bet: Review who has access periodically and check with department heads to find out if it’s still needed. And remember that it’s better to be safe and revoke access, only to allow it again later, than to find out it had never been revoked at all.
  5. Requiring regular password changes. This security step will help keep you compliant. It’s a good catch-all: If a password hasn’t been changed and expires, it’ll prevent former employees from seeing if they can reach back into your systems months or years later.
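
The periodic review in points 1, 2 and 4 can be run as a reconciliation between the HR roster and the account lists exported from each cloud service. The script below is an added example, not part of the original article; the roster fields, service names, users and dates are constructed sample data, and the status values are assumptions about what an HR export would contain.

```python
from datetime import date

# Constructed sample data: HR roster, per-service account exports, and shared
# credentials listing everyone who has known the password and its last rotation.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob": {"status": "terminated", "left": date(2024, 3, 1)},
    "carol": {"status": "contractor", "left": None},
}
SERVICE_ACCOUNTS = {
    "email": ["alice", "bob", "carol"],
    "file-sharing": ["alice", "bob"],
    "crm": ["carol", "dave"],  # dave does not appear in the HR roster
}
SHARED_CREDENTIALS = [
    {"name": "social-media", "holders": ["alice", "bob"], "rotated": date(2024, 1, 15)},
    {"name": "vendor-portal", "holders": ["alice", "bob"], "rotated": date(2024, 3, 2)},
]


def review_access(roster, accounts, shared):
    """Return sorted (finding, subject, detail) tuples for the access review."""
    findings = []
    for service, users in accounts.items():
        for user in users:
            record = roster.get(user)
            if record is None:
                # Account with no matching HR record: nobody owns the decision.
                findings.append(("unknown-account", user, service))
            elif record["status"] == "terminated":
                findings.append(("revoke", user, service))
            elif record["status"] != "active":
                # Gray area (contractor, consultant, semi-retired): ask the
                # department head whether the access is still needed.
                findings.append(("confirm-with-department-head", user, service))
    for cred in shared:
        for user in cred["holders"]:
            left = roster.get(user, {}).get("left")
            # A password last rotated on or before the departure date is
            # still known to the former employee.
            if left is not None and cred["rotated"] <= left:
                findings.append(("rotate-shared-password", cred["name"], user))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, SERVICE_ACCOUNTS, SHARED_CREDENTIALS):
        print(*finding, sep="\t")
```

The output is only as complete as the list of cloud services fed into it, which is why the running inventory in point 1 comes first.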
