IT departments have to handle a lot of potential security risks: passwords, endpoints, shadow IT, etc. Implementing and managing procedures and technology to protect the business while also ensuring everyone—from employees to customers—has the access they need is challenging. Administrators are focused on giving new employees access so they can start working and addressing new access, password, and other requests from existing employees to keep them productive. So maybe it’s not a surprise that de-provisioning employees who have left often takes a back seat.
Ex-employees still have access
One in twenty organizations reported they have no way of telling whether people who left their organization still had access and 32 percent of companies reported taking more than a week to deprovision an employee who has left. In another survey, over 13 percent of people reported they could still access a previous employers’ systems using their old credentials.
Failure to deprovision leads to costly breaches
Relying on the good faith of ex-employees turns out to be a bad idea. In OneLogin’s survey, 20 percent of the respondents reported that failure to deprovision employees from corporate applications contributed to a data breach at their organization.
Companies like Transformations Autism Treatment Center (TACT) have experienced the cost of a failure to deprovision. When behavioral analyst Jeffrey Luke was terminated, TACT took his hardware and changed his email login address. But it failed to realize that Luke had access to a cloud storage drive—which the analyst used to steal patient records after leaving the company.
The impact for companies is huge: an average cost of a breach is $148 per record and $3.867.91 million per breach in the U.S. Breached companies underperform the market for years, and 60 percent of small businesses fold within six months of an attack.
Why does IT fail to deprovision?
With so much at risk, why do organizations fail to offboard employees quickly? It’s a combination of factors:
- It’s hard to keep track of all the apps and systems employees use
- Shadow IT means employees may have access to apps that IT doesn’t even know about
- IT departments are often understaffed and underfunded
- Getting new employees provisioned and keeping employees productive takes priority
- Deprovisioning is time-consuming—especially when you have to offboard users one app at time
Cleaning up the deprovisioning process
At its core, the problem is a technology one. As a company grows, it’s nearly impossible to track all the apps used by employees, contingent staff, vendors, etc. That’s why saavy organizations use identity access management (IAM) tools. With a good IAM solution, one that integrates with all the organization’s HR and other directories, administrators can track apps with minimal effort. In addition, an IAM lets IT onboard users to the appropriate apps based on role, and then offboard with the flip of a switch.
Given the enormous potential cost of a breach, IAM is an investment that organizations are increasingly willing to make.