With the average enterprise using 288 different cloud applications, the task of provisioning and deprovisioning user access has become increasingly complex. Manual user provisioning, whether led by HR, IT, line managers, or a combination of personnel and departments, can slow onboarding and cost time and productivity. However, the business cost of manual deprovisioning can be much more significant for an organisation if employee access to applications is not revoked and they retain access to corporate data after they have left.
Manual deprovisioning frequently fails to fully offboard users from all corporate applications for a variety of reasons. The sheer number of cloud applications poses the largest problem, but Shadow IT (the use of resources without the knowledge or oversight of the IT department) clouds the issue further - employees cannot be manually offboarded from applications the organisation has no knowledge of.
Combined with the heavy workload and responsibilities of IT departments and the time-consuming nature of deprovisioning users, former employees frequently retain access to corporate systems long after leaving their job. According to a survey of 2,000 desk-based workers in the UK and US, over a third of employees remained able to access systems or data after leaving a company, incurring significant costs for their former employers.
Wasted corporate spend on unused software is a significant problem for many businesses, with large enterprises paying an average of £6.1 million per year on under-used and unused licences. For any application which requires a subscription on a per-user basis, orphan accounts which remain active due to a failure to deprovision continue to drain company resources through these unused licences and contribute a significant amount to this wastage. Without automatic deprovisioning, these accounts can easily be missed by the individuals responsible for the offboarding process, particularly if the business lacks visibility over the full number of applications being used by its employees.
In some scenarios when employees leave an organisation, the relationship between employer and employee can become strained. One notable case in the UK took place when a disgruntled former employee of Jet2 deleted a folder containing user account details after leaving the business, denying network access to over 2,000 members of staff.
The risks posed by these attacks can sometimes be unintuitive to those considering potential attack vectors, since the motivation can be purely disruptive rather than for monetary gain. However, with corporate data fetching a premium on the dark web, there can also be a financial motive, as was seen when Bupa were fined £175,000 after a former employee offered the personal data of over 500,000 customers for sale.
Former employees can also be motivated to access data from their previous job to advance their careers in their next role. In a recent Ponemon Institute study, over half of employees surveyed admitted to taking information from their former employer, and 40% said they intended to use it in their next job.
While employees who leave the business can always possess insider knowledge that can benefit competitors within the industry, the problem is greatly increased should ex-employees retain access to corporate systems due to a failure to correctly deprovision them from all corporate applications.
Due to the sheer number of applications used by enterprises, remembering unique, strong passwords for each of them is simply impossible for end users. In order to address this issue, employees frequently resort to poor security practices, including the reuse of passwords across multiple accounts.
This problem has wider consequences when employees retain access to applications after they leave the business. After leaving the organisation, former employees could have personal credentials compromised which are also used to access corporate accounts that have not been correctly deprovisioned. Lists of previously compromised credentials are frequently used by malicious actors to attack corporate networks in credential-stuffing attacks, and without effective deprovisioning the potential attack surface, and therefore the risk of a breach, is increased substantially – the business faces a cyber security risk not only from its current employees, but also from former ones.
Failure to correctly offboard users can also expose organisations to fines for non-compliance with regulations concerning data security. Most notably, the UK’s National Cyber Security Centre advises that to comply with the GDPR, businesses must ensure that access is “limited to those users who reasonably need such access to perform their function and removed when no longer needed.”
Failure to comply with these regulations has seen many businesses issued fines by the Information Commissioner’s Office, with the total for the financial year 2020/2021 reaching £42 million, a 1580% increase on the previous year.
With an Identity and Access Management solution featuring automated deprovisioning, organisations can ensure that users' application access is revoked when they are removed from the corporate directory. When the risk of human error in offboarding users is removed and the business has full visibility and control over user access, the risk of employees retaining access to corporate data after leaving their role is mitigated. This has an immediate impact on reducing business costs by removing wasted software licences, ensuring compliance adherence, and significantly mitigating the risk of a data breach.
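The orphan-account problem described above can be made visible with a simple reconciliation check: compare each application's user list against the corporate directory and flag any account whose directory record is disabled or missing, then estimate the licence spend those accounts are still consuming. This is an added illustration, not code from any IAM product or from the original article; the directory export, application user lists and per-seat prices are constructed sample data.

```python
# Reconciliation check for orphan accounts (constructed example).
# directory: identity -> lifecycle state, as exported from the corporate
# directory. app_users: application -> list of identities holding an account.

DIRECTORY = {
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "disabled",  # leaver: directory record disabled
}

APP_USERS = {
    "crm": ["alice@example.com", "bob@example.com", "carol@example.com"],
    "file-share": ["alice@example.com", "dave@example.com"],  # never in directory
    "analytics": ["carol@example.com"],
}

# Constructed monthly per-seat prices for each subscription application.
PER_SEAT_COST = {"crm": 50.0, "file-share": 8.0, "analytics": 30.0}


def find_orphans(directory, app_users):
    """Return {app: [(identity, reason), ...]} for accounts that should no
    longer exist. 'disabled' means the person has left; 'not in directory'
    means the app holds an account the directory never knew about, which is
    the Shadow IT case where manual offboarding cannot reach."""
    orphans = {}
    for app, users in app_users.items():
        flagged = []
        for identity in users:
            state = directory.get(identity)
            if state is None:
                flagged.append((identity, "not in directory"))
            elif state != "active":
                flagged.append((identity, state))
        if flagged:
            orphans[app] = flagged
    return orphans


def wasted_spend(orphans, per_seat_cost):
    """Monthly licence cost still being paid for the flagged accounts."""
    return sum(len(users) * per_seat_cost.get(app, 0.0)
               for app, users in orphans.items())


if __name__ == "__main__":
    found = find_orphans(DIRECTORY, APP_USERS)
    for app, users in found.items():
        for identity, reason in users:
            print(f"{app}: {identity} ({reason})")
    print(f"estimated wasted spend per month: £{wasted_spend(found, PER_SEAT_COST):.2f}")
```

In practice the same comparison is what an automated deprovisioning flow performs continuously on directory change events, rather than as a periodic report.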
Find out more about how Identity and Access Management can deliver automated provisioning and deprovisioning.