Digging into System Access Risks
As I mentioned two weeks ago, a recent survey indicates that more than half of large companies have limited knowledge of which systems or applications their employees have access to.
This is a system access problem, and a growing risk during a period of frequent and large layoffs.
If a company needs to turn off access manually (which is often the case), it may miss user accounts that it doesn’t realize exist. This leaves the door open for past employees, and others, to access important data, including financial information and customer information.
To learn more about these open-door system risks, I asked Courion vice president Kurt Johnson about his firm’s research.
Eric Krell: Your research shows that the average employee holds 15-20 user accounts, both within as well as outside a company’s computer network. That sounds alarmingly high to me when I think about how many layoffs there have been in the past 12 months. Are there certain types of employees (IT? IT-finance), levels of employees, or types of access that generally pose the greatest risk based on their system access?
Kurt Johnson: Yes, it is definitely a staggering number and driven by the fact that more and more information is going online, whether that’s patient data in healthcare, financial data in financial services, credit card data in retail, and numerous other types of company-specific sensitive information. The lack of centralized knowledge of these accounts and the lax controls around them is even more staggering, especially when you think about how many layoffs we’ve seen recently. IT managers are dealing with an overwhelming volume of terminations that need to be addressed. In fact, the U.S. Labor Department recently revealed that 467,000 jobs were lost in the month of June alone. The unemployment rate rose to its highest level in 26 years. If the average employee holds 15-20 user accounts on a given company’s network, this means that access to up to 9.34 million user accounts needed to be shut off last month.
In terms of types of access or job functions that pose the greatest risk, anyone that has access to a company’s most sensitive data stores — for example, intellectual property, customer databases, or trading system codes — is of course the highest source of risk. In addition, those employees with privileged access, whether they are systems administrators, security professionals, “super users,” or even executive management, obviously have the most access to critical data. In this case, it is even more crucial that an automated access management system is in place to report on which systems they are accessing and to determine whether that access is warranted or inappropriate.
EK: Why do so many former employees maintain access to the system?
KJ: Often user names are so cryptic that it is difficult to map these back to a specific person. And as the resources of many IT departments are stretched thin, careful management of appropriate access often slips through the cracks. That is why automating this process is so important. If IT managers by and large are not aware of the access their employees have, it’s unlikely they can shut off all access points, even if they express confidence that they have done so. Sometimes IT is not even notified that employees have left the organization until days or weeks later.
Our survey also found that only 59 percent of respondents use any form of automated provisioning/deprovisioning, and even then it’s not used for all systems in the enterprise. In the case of a company that has mass layoffs including hundreds or thousands of employees at once — for example, Citigroup laid off 50,000 employees in November 2008 — if these accounts need to be deprovisioned manually, it can take an extraordinary amount of time to accomplish. And that’s assuming the IT staff can pinpoint every single open user account for those employees. Our research shows that almost one in 10 companies can never be completely certain that terminated employees no longer have access to IT systems.
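A reconciliation check of the kind described above, added here as an illustration rather than code from Courion or the interview: it cross-checks per-system account inventories against an HR separation list through an owner-mapping table, flagging accounts still enabled for departed staff and accounts whose cryptic login maps to no known person. The HR feed, owner table and inventories are constructed sample data.

```python
from datetime import date

# Constructed HR separation feed: employee id -> (name, termination date)
HR_TERMINATIONS = {
    "E1001": ("Dana Reyes", date(2009, 6, 12)),
    "E1002": ("Omar Haddad", date(2009, 6, 30)),
}

# Constructed owner table; cryptic logins are only meaningful through it
ACCOUNT_OWNERS = {
    ("erp", "dreyes"): "E1001",
    ("vpn", "u48213"): "E1001",
    ("trading", "ohaddad"): "E1002",
}

# Constructed per-system inventories of accounts that are still enabled
ACTIVE_ACCOUNTS = {
    "erp": {"dreyes", "jsmith"},
    "vpn": {"u48213", "u55019"},
    "trading": {"jsmith"},  # ohaddad was deprovisioned here
}

REPORT_DATE = date(2009, 7, 15)  # constructed "as of" date for the report


def find_zombie_accounts(active, owners, terminations, today):
    """Return (zombies, unmapped).

    zombies:  (system, login, employee_id, days_since_termination) for
              enabled accounts whose owner has left.
    unmapped: (system, login) for enabled accounts with no known owner;
              these cannot be deprovisioned by name and need investigation.
    """
    zombies, unmapped = [], []
    for system, logins in active.items():
        for login in sorted(logins):
            emp = owners.get((system, login))
            if emp is None:
                unmapped.append((system, login))
            elif emp in terminations:
                _, left = terminations[emp]
                zombies.append((system, login, emp, (today - left).days))
    return zombies, unmapped


def run_report():
    return find_zombie_accounts(ACTIVE_ACCOUNTS, ACCOUNT_OWNERS,
                                HR_TERMINATIONS, REPORT_DATE)


if __name__ == "__main__":
    zombies, unmapped = run_report()
    for row in zombies:
        print("ZOMBIE   %s/%s owner=%s enabled %d days after exit" % row)
    for row in unmapped:
        print("UNMAPPED %s/%s has no known owner" % row)
```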
EK: What are real examples of the damage that can be done when companies fail to address this risk?
KJ: As recently as last week, there have been two high-profile cases in which financial firms Goldman Sachs and UBS AG have brought charges against former employees who stole proprietary trading system source code. Earlier this year, the California Water Service Company endured an insider breach when an ex-employee who had just given his notice returned to his office after-hours and successfully transferred $9 million to offshore bank accounts in Qatar using his old password to access privileged accounts. And in June, it was reported that Energy Future Holdings, a large, privately held energy company in Texas, sustained an estimated $26,000 in damages related to lost business when, after being fired and escorted off the premises, a former employee apparently used his still-active account to gain access to the corporate VPN, where he emailed proprietary data to a personal email account on Yahoo! and modified or deleted various files in the corporate network.
In 2008, LendingTree reported that former employees who had access to still-active “zombie” accounts — accounts that remain active after employees have left the company — were illegally accessing mortgage applications and even selling user names and passwords to mortgage lenders. The data breach harmed the credit scores of numerous consumers and prompted several class-action lawsuits.
Also last year, in one of the most famous cases to date, Société Générale was breached when an employee who had access to many different systems and accumulated numerous authorizations allegedly used the computer logins and passwords of colleagues in the trading unit and the technology section to hack into several computer systems and circumvent credit and trade-size controls. Because the company likely did not have effective controls in place to control privileged access to systems and applications, it was hit with $7 billion in losses.