Ghosts of millions of former workers populate the databases of corporate America. The workers have moved on, but their ghosts linger, awaiting a hacker intent on using the ghost’s identity to damage the company’s network systems.
These electronic ghosts include former employees and contractors who are no longer on the payroll but still have access to company resources, systems, and accounts.
Jeff Drake, an information technology veteran for more than 17 years, has some tips for IT managers on how to “exorcise” these ghosts to protect the company’s vital data. Drake is Access360’s executive vice president of corporate planning and strategy. A founding officer of Access360, Drake serves as the frontline strategist in the access management and provisioning markets of the company.
“This is a dramatic problem,” Drake said. “We've all worked for various companies throughout our careers and we all have had continued access to information well beyond our tenure.”
“Most companies will not share information regarding the result of 'misuse' of this information, which can range from an ex-employee or consultant who is now working for a competitor and gaining access to information to disgruntled ex-employees who intend to cause great harm.”
Drake said one of the first steps to take is to compare valid employees with the access rights currently valid on each system. Drake has found as many as 30 to 40 percent of valid accesses are attached to former employees.
Exorcising the ghosts
Access360 is in the business of managing such problems. It has developed a Top 10 list of items for IT managers to utilize to prevent ghost workers from accessing the system.
- Act, don't just react: Before you need it, establish a reliable system for assigning passwords and access to company resources. Use it to disable such access for multiple users immediately following a major layoff.
- Purge old users: Install or create a system for quickly checking for and deleting out-of-date passwords and/or inactive users.
- Open the lines of communication between your IT and HR departments: IT will need to have advance notice of pending layoffs or restructuring in order to determine which accounts should be disabled.
- Need to know: Determine—based on job function, seniority and/or other predetermined company roles—who needs to have access to which company resources and why.
- Identify shared passwords: Don't forget your company's vendors and contractors—and the relationships these parties have with other outside parties. All of these individuals could be sharing access via a password assigned to an internal corporate employee or via a separately assigned code. Make sure the systems account for these users.
- Perform routine recycling: Smart companies have an automated system for changing or updating passwords on a regular basis, ideally every quarter.
- Make nondisclosure contracts routine: Establish—and enforce—a nondisclosure contract signed on the date of employment. Explain to corporate employees the consequences of hacking and sharing company resources and data.
- Give employees time: At the time of a layoff, enable workers a designated timeframe to download personal data before shutting them out of the system. Preventing someone from saving personal e-mails or contacts only breeds more hostility.
- Track user data: Use software that tracks user data. It is a trail of evidence you might need to prove a cybercrime.
- Operate out of opportunity rather than fear: Remember that open doors (to information, resources, etc.) are vital to business success, but you must be able to shut that door quickly when an insider becomes an outsider.
Don't underestimate the problem
“I strongly believe that corporations and government agencies grossly underestimate this problem mostly because there is no way to monitor the problem,” said Drake. “Hackers are rarely the risk; it's the valid users who are no longer employees.”
Chris Christiansen, program vice president, eBusiness Infrastructure and Security Software for IDC, estimates that more than 60 percent of most corporate application directories contain ghost workers or obsolete accounts for ex-employees, contractors, or temporary workers.
“They can gain unauthorized access to customer accounts, sales leads, and customer-confidential information. They can continue to use infrastructure that represents a cost to the corporation,” said Christiansen. Plus, the ghost workers can supply account names and passwords to other individuals with criminal intent.
“They can impersonate another user, thereby gaining inside information, spreading gossip, slandering other innocent employees, and misrepresent themselves as corporate spokespeople to external news sources,” said Christiansen.
Christiansen said that it is important for IT departments to have a written policy and a process that deals with terminated employees and other individuals that had network access.
Also, in addition to installing software that automates the process of granting, changing, and revoking user access privileges, IT managers should consolidate, or at least condense, the tens of directories that most companies have in numerous locations, divisions, and units.
“Reconcile user names in these directories. Map these user names against access rights to networks, applications, and data. Gradually automate this review process and move towards actively managing and reviewing current employee's privileges,” said Christiansen.
Have you experienced problems with ghost workers?
What steps have you taken to eliminate the problems caused by ghost workers? Send us some mail or post a comment to this article.