Deprovision credential or risk ex-employee sabotage

In cybersecurity, so much attention is given to threats originating from outside a business that it’s easy to forget the ‘devil you know’ – employees gone rogue. These cases, perpetrated by someone an organization knows and trusts, are known as ‘insider attacks’. The most high-profile example of such an attack is easily Edward Snowden’s exfiltration of NSA documents detailing US surveillance programs – and we all know how that has played out.

Insider attacks can be devastating, particularly if the employee worked in IT, as the culprit is using legitimate login credentials with wide access across the business environment, including to its intellectual property, finances, customer information, critical systems, etc. This unfettered access, when coupled with the technical skills to cover up tracks, can bring a business to its knees.

The motivations behind an insider attack are varied. Whether for financial gain, whistleblower activism, or blackmail, the result is the same – your business had a blind spot and that’s been used against you.

This post will focus on one particular variant of insider attack because it is not only the most devastating, but also the easiest to mitigate: ex-employee sabotage.

Unfortunately, not every parting of ways is amicable. If an employee has been fired, they may harbor feelings of resentment and a thirst for revenge. Now, you would think that once an employee has left an organization their user credentials would be deleted. In a perfect world this would be the case; however, due to a disconnect between HR and IT, it doesn’t always happen.

A recent survey of 500 US companies found that almost 50 per cent of the businesses knew of former employees who still had network access. In fact, the same survey found that 20 per cent of businesses had suffered a data breach as a direct result of the failure to deprovision login details.

In the past few years there have been multiple cases of aggrieved ex-employees using their old access credentials to sabotage their previous employers. This mix of insider knowledge, unfettered access and lust for revenge is a potent combination. Not only does the attacker know your processes and how best to disrupt them, they have the means and desire to do so. 

Making matters worse, if they worked in IT they may have the ability to set up backdoors using new accounts or system accounts with full remote VPN access. By doing so, they can maintain access almost indefinitely and cause serious damage if they choose to.

This happened in 2015 when an ex-employee of Smart Online Inc. deleted much of the company’s intellectual property after leaving the organization. Again, in 2016, several days after the termination of his employment, a systems administrator for a large manufacturing company remotely accessed the plant’s computer system and transmitted code and commands which resulted in significant damage to the plant’s operations. 

These examples show that while processes are in place to provision new employees, deprovisioning ex-employees isn’t treated as high a priority. The HR and IT departments must communicate, and policies need to be in place to mitigate the risk of ex-employee sabotage.

If you’re reading this post now and are a business decision maker, ask yourself if deprovisioning employee access is baked into your policies. If the answer is “no”, or you don’t know the answer, I’d suggest either a rapid rethink of internal policies or immediate calls to HR and IT. 

While the saying goes that it’s “better the devil you know”, these are the devils that know how to hurt you the most.

On 2017-10-23
