Five Steps to prevent terminated and unauthorized employees from accessing sensitive data

By Adam Bosnian – Director at Cyber-Ark

Redundancies and corporate re-organisations are an unfortunate reality in today’s economic climate. Too often, businesses leave themselves vulnerable to a data breach or serious security incident during the redundancy cycle by not immediately revoking the network and application access points of terminated employees.

Security threats from inside the organisation are not a new phenomenon, but layoffs and economic uncertainty can significantly exacerbate the problem. A recent Cyber-Ark survey, “The Global Recession and its Effect on Work Ethics,” found that 71 percent of the employees surveyed declared they would definitely take company data with them to their next employer. The study further stated that "Top of the list of desirable information is the customer and contact databases, with plans and proposals, product information, and access/password codes all proving popular choices.” Moreover, the “Jobs at Risk = Data at Risk” survey published by the Ponemon Institute, found that 59 percent of employees who were laid off, terminated, or who quit their jobs in the last 12 months admitted to stealing company data, and sixty-seven percent admitted to using their former company’s confidential information to leverage a new job.

When a security incident of this nature occurs, we tend to file it away as an example of an “employee gone bad.” In reality it constitutes a failure of the organisation to uphold their responsibility on behalf of the business to manage, control and monitor the power it provides to its employees and systems. At a basic level, the organisation and its management has a fiduciary responsibility to ensure that access to critical information and applications is authorised and that it is continually monitored to make sure the resulting activity is authorised as well. The failure stems from the ‘perception of control’ an organisation has over their most sensitive networks, systems and devices.

The threat to an organisation is increased exponentially when the access is through administrative, shared or privileged accounts – these represent the most powerful IT users in an organisation, often providing wide-ranging access to most systems, application or database within the enterprise. These privileged identities, which exist on virtually every one of the thousands of servers and applications within a typical enterprise, very rarely get changed, due to the presumed extra IT effort involved and the need to communicate the new settings to the IT staff, which if not done effectively could potentially impede or slow down an administrator doing a time-critical task.

This type of uncontrolled access can lead to dire situations. In fact, failure to control these privileged identities led to two of the more critical security incidents in the past year. Last year, the city of San Francisco was brought to its knees because an employee locked down the city’s IT system through a privileged account. And more recently, a Fannie Mae employee implanted a logic bomb on the company’s network because access to his privileged accounts was immediately revoked upon his termination.

If you’re concerned about this happening at your organisation, here are specific steps you can take to help prevent severe security incidents:

  1. Improve internal security controls around privileged accounts via encryption, password protection, and auditing of system access;
  2. Reduce the risk of internal data misuse by implementing policies and technologies which provide special treatment for privileged identities and ensure compliance with regulatory requirements;
  3. Ensure administrative and application identities and passwords are changed regularly, highly guarded from unauthorized use and closely monitored, including full activity capture and recording;
  4. Avoid sloppy habits when exchanging privileged and sensitive information, such as sending sensitive or highly confidential information via email or writing down privileged passwords on post-it notes;
  5. Ensure provisioning, and more importantly deprovisioning of user access in an immediate timeframe after employee status or role changes.
Remember, trust is not a security policy, and the damage that insiders can do should not be underestimated. To thwart this threat, the first big step is making that key decision to effectively manage these privileged accounts, and then doing so in a streamlined manner that makes it efficient and transparent to the user. Streamlining the management of privileged accounts by controlling who has access, when access was gained, what is being done with the sensitive data and why access is needed is critical in preventing a major security incident from occurring at your company.

The Author, Adam Bosnian is the Vice President of Products, Strategy and Sales at Cyber-Ark Software. He is responsible for the global product and business strategy of the company as well as for managing the North American sales organization and growing the business in this area.

For more information visit

Cyber-Ark on stand H90 will be exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe held on 28th – 30th April in its new venue Earl’s Court, London. The event provides an unrivalled free education programme, exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit

Courtesy: Eskenzi PR