Some companies lax on terminating network access to departing employees

In a world that has had to become obsessed with data security, it's amazing how many companies are lax when it comes to terminating network access for departing employees. Take a look at these numbers from a recent survey.

I once worked for a company that had a strict policy on employee exits. When an employee was let go, he or she was physically escorted from the building minutes after receiving the news. This action supposedly served two purposes: one that the employee wouldn't have time to go back and copy important company data, and the other that the employee wouldn't go on some kind of shooting rampage.

But the same company that took those extra precautions ironically could take days to remove an ex-employee's permissions from the network.

Admittedly, it's a pain for network administrators to deactivate access to systems. In fact, in a recent blog post on ComputerWorld, Mark Hall cites a recent survey funded by Symark International, Inc. and conducted by eMediaUSA that reveals how lax some companies are about doing so:

The 850-plus responses to the poll showed these results:

27% of the organizations admitted that they had more than 20 orphaned accounts still active.

8% acknowledged that 100 or more ex-workers still had live accounts.

15% of those polled said those accounts had been accessed at least once after the individual had been terminated.

What's worse is that 42% say they don't even know how many orphaned accounts exist or whether they're still being used. Only 39% of the respondents said all accounts are closed upon an individual's termination, and 12% said it took a month or longer to do so.

One would hope that companies are a little more diligent with exiting IT workers, not because they're less trustworthy, but because they have deeper access to systems.

What's been your experience? Have you found you still have network access after you've been let go?

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

whitfld64

It's true; HR is a key player in this process. At my co, one thing they do is they send a weekly SCRUB report to the IT Help Desk containing names and dates for all terminations that took place over the last 7 days. The IT Help Desk then takes care of reassigning, closing, deleting or disabling accounts and assets. Previously they were doing this with paper forms and it would often take as long as a month to get all the signatures needed. I developed a workflow application to automate this process. Most account information and hardware assignments are stored in our database and can be retrieved by using the Employee ID or active directory login, so my application can find most of this data at the database level. For items not stored here, the application uses the termination as a trigger to directly email the responsible parties (this comes in handy for the network/firewall guys). Automation has reduced the IT department's termination processing time from weeks to 1 or 2 days and has greatly increased accountability and information sharing amongst the department; a win-win all the way around.

JohnMcGrew

From a relative's company: The head IT guy was unceremoniously let go due to cutbacks. The cheaper subordinates left behind diligently disabled the departed's account, but did not take care to preserve all of the other vital information about the network that the former had accumulated and documented. Management was eventually forced to hire back the departed as a very expensive consultant to recreate the missing information.

bob

Ahh, I live for the day when HR actually notifies me when someone leaves! Here it is left up to the individual managers to let the ID department know when someone arrives, changes, or leaves. Some are good at it, some only scream when a new employee can't log into the network. The saving grace here is that bi-weekly a report is run that notes all additions, changes, and terminations. Doesn't work for contractors, etc., but by diligent effort, I keep the accounts cleaned up. I keep a copy of every "retirement luncheon" notice, my field support team are very good about letting me know if someone has left, etc. But it would be nice if I didn't have to chase all these terminations down. And what we are looking at for contractors is that all contractor accounts will be set to expire in 90 days (I wanted 30) and if we don't get a notice they are still here, too bad, so sad.

dave.mcdonnell

We have a form on our intranet that employees should use when they resign. HR and the security administrators are then informed of the employee's leaving date. If the employee is sacked, or does not use the form, then the manager can submit the details. This works quite well. The HR and security people still need to update their applications. At some point we'll think about updating the applications directly.

hsmithdp

When I first entered this company after the previous administrator, I went to Human Resources and together we went through the email and Active Directory and removed all orphaned accounts. Some were over a year old. Since then we have published and practice a proactive exit checklist for employees. Now when an employee is terminated the account is deactivated during the exit interview. When an employee quits they are deactivated within 10 minutes, on average, of notification. If an employee does not show for work in 3 days or call in, the account is deactivated.

jsaubert

As I am the person responsible for both adding new users and disabling old users I've gotten in the habit of checking our "Staff Table" (it's just a big Excel sheet that HR keeps) at least twice a week. They normally update that daily with retirements, terminations and department moves and new employees. What I really love is when someone asks me if "whoever" was removed from the system because they were fired 3 weeks ago and this is the first I've heard of it ... le Sigh. I mean really now, this is a law enforcement agency and we have access to all sorts of records and federal databases, you think that they'd let me know if someone left the agency.

BALTHOR

While you're waiting for the bomb threats just change the fired worker's password.

mwagner

Our IT department is lucky to hear if someone leaves the company because HR forgets to tell us. Otherwise we are quick to deactivate accounts.

RFink

Before I was laid off, I put in a rule to forward my work e-mail to a personal e-mail account. I was still receiving e-mail six months later. They said some interesting things about me, but nothing worth suing over. The funny thing was, when the PHB changed the admin password he forwarded the new password (via e-mail) to everyone in the group which included me because they never updated the distribution list. :D

thutzler

I know that my account at my last employer is still active. The person who took my place still uses it since the higher level IT admins have never seemed to get their account all the access it needs to do the work they are required to do. At my current company we have a policy to immediately disable a user in Active Directory as soon as we are informed of an employee's termination. And we are good about doing that within minutes of getting the notice. The problem we have is in getting the notice. Managers will fire someone and often we don't know about it until we get notice that they hired someone new.

The 'G-Man.'

I remember a few years back after working for a lead org in the UK my Intranet Account was still active over 14 months after I left. I just happened to stumble across the login page when cleaning my bookmarks and to my surprise it still worked, full access to all corporate information. I wonder if they ever changed the administrative password for their servers..... ;-) Was glad I left.

Dr_Zinj

Notification by the employee as to when they are leaving is the same as leaving the fox to guard the hen house - only the nice, ethical, law-abiding, and moral people will use it; the bad guys sure won't. Our facility is getting better at notification, but I still occasionally get notice that someone was terminated 6 months ago. /sigh

cisauditor

I am an IT auditor completing an access controls audit. The userID's validation procedure can be tedious. If you are concerned about security and decide to reconcile HR's personnel list to userIDs, assign the task to someone with integrity and tenacity. Since this exercise had never been performed, I did not sample the userIDs but reconciled every name on both lists (every employee must have a userID to complete their timesheet). Overall, we were in much better shape than I had expected. (Finding only 4 invalid userIDs out of 1,500 was great!) My organization consists of four groups: two of 1,000+ and two totaling 500. Using Excel's Data Pivot, I tried matching identical names. My success rate was between 25 and 75%. That was the easy part. The real work lies in reconciling different forms of the same individual's name because userID - Jim Doe, HR personnel name - James Doe; name changes due to marriage or divorce; hyphenated married names; 12 pairs of individuals with the same first & last name. Additional problems were userIDs issued only so someone could have an email account (Exchange deficiency) and entire units privatized that needed system access yet were no longer on the payroll (make sure you completely reconcile both the HR and userID lists). The last part is contacting HR and/or the business units to get some definitive word as to the user's employment status. In our shop, it is the business units' stated responsibility to contact both HR and IT about employee departures which seemed to be working. It's the non-entity workers where the system failed: contractors, interns, volunteers, and workers paid through grants. Because they were not paid by us, the business units had no paperwork to complete, and therefore, IT was never contacted. These non-entity workers will also introduce other security issues into the mix.
They are often not using our equipment which means that the client is old to the point of security obsolescence, not updated and/or patched (including cards), no security suite, and unknown (Apple & Linux). Lastly, no matter how assured you are of the userID's demise, do not immediately delete the account. Disable the account and delete in 60 days if no further activity.
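The reconciliation cisauditor describes (HR roster against directory user IDs, with nicknames, hyphenated married names and duplicate first/last pairs getting in the way) can be scripted rather than done by hand in a pivot table. The following is an added example, not the commenter's spreadsheet procedure or any vendor's tool: it normalises names, resolves each account to zero, one or several HR records, and refuses to guess when two people share a name. The nickname map, the HR records and the account list are constructed sample data standing in for exports from HR and from the directory.

```python
"""Reconcile an HR personnel list against directory user IDs.

Added example; it is not the commenter's spreadsheet procedure or any
vendor's tool. The HR records and accounts below are constructed sample
data standing in for exports from HR and from the directory.
"""
import re
import unicodedata
from collections import defaultdict

# Given-name variants that defeat exact matching ("Jim Doe" in the directory,
# "James Doe" in HR). Assumption: a small hand-maintained map, extended as
# the audit turns up new pairs.
NICKNAMES = {
    "jim": "james", "jimmy": "james",
    "bob": "robert", "rob": "robert", "bobby": "robert",
    "bill": "william", "will": "william",
    "liz": "elizabeth", "beth": "elizabeth",
    "peggy": "margaret", "maggie": "margaret",
}


def normalize(name: str) -> list[str]:
    """Lower-case, strip accents and punctuation, split on hyphens:
    'Núñez' -> ['nunez'], 'Smith-Jones' -> ['smith', 'jones']."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z ]", "", plain.lower().replace("-", " ")).split()


def name_keys(first: str, last: str) -> set[str]:
    """Every key an individual may be filed under: canonical first name plus
    the whole surname, and plus each part of a hyphenated or double surname,
    so a name change by marriage still finds the pre-marriage account."""
    first_tokens = normalize(first)
    canon = NICKNAMES.get(first_tokens[0], first_tokens[0]) if first_tokens else ""
    surname = normalize(last)
    keys = {f"{canon} {part}" for part in surname}
    keys.add(f"{canon} {' '.join(surname)}")
    return keys


def reconcile(hr_records: list[dict], accounts: list[dict]) -> dict[str, list]:
    """Classify every account as matched, orphaned or ambiguous, and list the
    active employees with no account at all (everyone needs one for the
    timesheet, so a missing account is itself a finding)."""
    index = defaultdict(list)
    for rec in hr_records:
        for key in name_keys(rec["first"], rec["last"]):
            index[key].append(rec)

    result = {"matched": [], "orphaned": [], "ambiguous": [], "missing_account": []}
    referenced = set()  # HR records that some account resolved to, uniquely or not
    for acct in accounts:
        parts = acct["display_name"].split(maxsplit=1)
        first, last = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        candidates = {}
        for key in name_keys(first, last):
            for rec in index.get(key, []):
                candidates[rec["employee_id"]] = rec
        if not candidates:
            result["orphaned"].append((acct["userid"], "no HR record"))
        elif len(candidates) > 1:
            # Same first and last name twice in HR: never guess, hand it to a human.
            result["ambiguous"].append((acct["userid"], sorted(candidates)))
            referenced.update(candidates)
        else:
            emp_id, rec = next(iter(candidates.items()))
            referenced.add(emp_id)
            if rec["status"] == "active":
                result["matched"].append((acct["userid"], emp_id))
            else:
                result["orphaned"].append((acct["userid"], f"terminated {rec['end_date']}"))

    for rec in hr_records:
        if rec["status"] == "active" and rec["employee_id"] not in referenced:
            result["missing_account"].append(rec["employee_id"])
    return result


# Constructed sample data: a nickname, a hyphenated married name, a terminated
# employee, a duplicated name pair, an accented name, a service account with no
# person behind it, and an employee with no account.
HR_RECORDS = [
    {"employee_id": "E100", "first": "James", "last": "Doe", "status": "active", "end_date": None},
    {"employee_id": "E101", "first": "Mary", "last": "Smith-Jones", "status": "active", "end_date": None},
    {"employee_id": "E102", "first": "Robert", "last": "Brown", "status": "terminated", "end_date": "2008-01-15"},
    {"employee_id": "E103", "first": "Ann", "last": "Lee", "status": "active", "end_date": None},
    {"employee_id": "E104", "first": "Ann", "last": "Lee", "status": "active", "end_date": None},
    {"employee_id": "E105", "first": "Carlos", "last": "Núñez", "status": "active", "end_date": None},
    {"employee_id": "E106", "first": "Dana", "last": "White", "status": "active", "end_date": None},
]
ACCOUNTS = [
    {"userid": "jdoe", "display_name": "Jim Doe"},
    {"userid": "msmith", "display_name": "Mary Smith"},
    {"userid": "rbrown", "display_name": "Robert Brown"},
    {"userid": "alee", "display_name": "Ann Lee"},
    {"userid": "svc_backup", "display_name": "Backup Service"},
    {"userid": "cnunez", "display_name": "Carlos Nunez"},
]

if __name__ == "__main__":
    for bucket, items in reconcile(HR_RECORDS, ACCOUNTS).items():
        print(f"{bucket}: {items}")
```

The "ambiguous" and "orphaned" buckets are the ones that go back to HR and the business units for a definitive answer, as the comment says; nothing here deletes anything. Matching on each part of a double surname is deliberately generous, so a "Mary Jones" account in a shop that also employs a Mary Smith-Jones lands in "ambiguous" rather than being silently attributed to the wrong person.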

Menace65

They are the number one reason why some accounts are still active after an employee has been terminated. They just don't *get* how important it is from a data security standpoint that IT be notified the minute someone is let go (even if the person has resigned, as long as there is an end date, we can add it to the account so it's automatically disabled). Then we have the users who leave the company, but they are still retained for a while and so still need their access...those are a real joy. What really kills me is that HR has been comprised of the same people for YEARS, it's not like these are new people to the company or IT policy.

The 'G-Man.'

was illegal and no doubt against company policy in the first place. You could be charged in some way for that you know, when they find out (which they will as you now can't remove it!) I would live in fear now...

douglasalt1

A company I worked for had suspended for investigation a middle level manager. The manager was then dismissed for gross misconduct (fraud). The IT support team only found out about this three months later when the regional director came to head office, during a chance meeting with them in the smoking area. The reason given was that it was confidential. During this period the sacked manager had dial-up access to the general ledger, creditors and purchasing ledgers. (Surely the same as giving someone a blank and authorised cheque-book). The director and the Human Resource team were reminded that the REASON for someone leaving is confidential, the fact that someone has left is NOT.

jrosewicz

I was once a student tech at a college I attended. As far as I know my account there is still active (I last checked a few months ago). I had fairly high level access to software and other network functions. I'm sure all the shared admin passwords are still on the same scheme as well. I immediately disable all accounts in AD when I'm informed that an employee is no longer with us. The problem is that no one informs me that someone has left for a considerable amount of time. AD makes it easy, but if your users have dozens of web access accounts, it can become very tedious to remove all of those accounts.

TekyWanabe

'used to work for a company (not Legal or Finance) where it was more the norm to have an employee 'resign' than be fired. And the unwritten 'standard' (and 'unofficial'!) procedure was for an about-to-resign employee to copy all of the files he/she wanted to a personal hard drive well ahead of serving the company the required notice. Till date, I don't know if anyone ever 'hurt' the company with this though... And so much for disabling USB ports sometimes...how about burning info to a CD/DVD (more the norm to have a Writer on a machine these days) or uploading files to a repository on the web?!

The 'G-Man.'

that the direct vpn access from home took 3 months to be disabled, if I had wanted to who knows what I could have done! I also knew passwords for servers, routers & firewalls over half the country. I was stunned at the lax attitude to security while working there so it should have not come as a surprise I guess!

brudab

I was the IT Manager at a small company. Just before I submitted my resignation I disabled my own domain account, and later sent an email to my boss listing all the customer's networks to which I had access (along with my credentials) and requested that all be disabled immediately. That was 6 months ago. All my credentials are still valid as confirmed by a former coworker.

ChewyBass

We always remove staff's access from our network the minute we find out. Problem is getting HR to let us know. I run the last login script in AD to see who hasn't been on the network for 30 days. I then email HR with my list and ask if they are still employed. No, we forgot to tell you. I'm just waiting for the time when an employee burns them and they try and blame IT. I never delete my emails from HR that say "no" we didn't tell you they left.

robo_dev

Twice a week, the automated provisioning system would query the HR database to identify adds, deletions, changes. Terminated employees would get deactivated automatically by the provisioning system (if they were not already processed by normal request). Role changes documented by HR are reconciled to role changes processed by the automatic provisioning system, and then back to the change management system. As a cross-check, a script queries all domain controllers to look for login dates that are old, and passwords expire on all systems after 30 days and accounts not used are removed after 60 days, no exceptions for anybody (automated provisioning tool makes this possible). No non-entity hardware or software allowed, no exceptions.

RFink

Disable the IDs and wait for the screams. :D Since HR was useless in notifying us, I took the law in my own hands. My boss agreed to the following policies: 1. 90 Day no login -- Disable ID 2. 90 Day -- Send HR an e-mail. If gone -- Delete 3. 120 Day -- Send HR a second e-mail if it didn't answer the first. 4. 150 Day -- Delete. In four years with the company I only deleted one valid ID. And then HR ignored two e-mails.
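ChewyBass's 30-day last-login report, robo_dev's 60-day removal and RFink's 90/120/150-day schedule are the same idea with different numbers: escalate on idle time, but let an answer from HR override the clock. The block below is an added example of that staged policy, not any commenter's script. RFink's day counts are the defaults, the accounts are constructed, and the "re-enable when HR says still employed" branch is an assumption added here for people on long leave rather than something RFink lists.

```python
"""Staged lifecycle for idle accounts, as an added example. It implements the
schedule RFink describes (90 days idle: disable and e-mail HR; 120: second
e-mail; 150: delete) with the day counts as parameters, so ChewyBass's 30-day
last-login report or robo_dev's 60-day removal are the same code with other
numbers. Not any commenter's script; the accounts below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2024, 1, 31)  # fixed "run date" so the constructed sample is reproducible


@dataclass
class Policy:
    disable_after: int = 90    # days idle: disable the account, send HR the first notice
    second_notice: int = 120   # days idle: second notice if HR never answered
    delete_after: int = 150    # days idle: delete, once both notices have gone out


@dataclass
class Account:
    userid: str
    last_logon: date                             # newest logon seen on any domain controller
    enabled: bool = True
    notices_sent: int = 0                        # HR e-mails already sent about this account
    hr_confirmed_active: Optional[bool] = None   # None: no answer; True: still employed; False: gone


def evaluate(acct: Account, today: date, policy: Policy) -> list[str]:
    """Actions to take for one account on this run of the job."""
    idle = (today - acct.last_logon).days
    if acct.hr_confirmed_active is True:
        # HR says the person is still employed (long leave, secondment):
        # restore access and stop escalating. Assumption added here.
        return ["re-enable"] if not acct.enabled else []
    if acct.hr_confirmed_active is False:
        return ["delete"]  # RFink's step 2: HR confirms the departure
    if idle < policy.disable_after:
        return []
    actions = []
    if acct.enabled:
        actions.append("disable")
    if acct.notices_sent == 0:
        actions.append("notify-hr")
    elif acct.notices_sent == 1 and idle >= policy.second_notice:
        actions.append("notify-hr")
    # Deletion waits for both notices even on a backlog, so a first run over
    # long-idle accounts disables them rather than deleting outright.
    if idle >= policy.delete_after and acct.notices_sent >= 2:
        actions.append("delete")
    return actions


def record(acct: Account, actions: list[str]) -> None:
    """Record the side effects so the next run picks up where this one left off."""
    for action in actions:
        if action == "disable":
            acct.enabled = False
        elif action == "re-enable":
            acct.enabled = True
        elif action == "notify-hr":
            acct.notices_sent += 1


def run(accounts: list[Account], today: date, policy: Policy) -> dict[str, list[str]]:
    """One pass of the job: decide and record the action for every account."""
    report = {}
    for acct in accounts:
        actions = evaluate(acct, today, policy)
        record(acct, actions)
        report[acct.userid] = actions
    return report


def sample_accounts() -> list[Account]:
    """Constructed accounts sitting at different points in the schedule."""
    def days_ago(n: int) -> date:
        return TODAY - timedelta(days=n)
    return [
        Account("active_user", days_ago(5)),
        Account("idle_95", days_ago(95)),
        Account("idle_125", days_ago(125), enabled=False, notices_sent=1),
        Account("idle_155", days_ago(155), enabled=False, notices_sent=2),
        Account("on_leave", days_ago(100), enabled=False, notices_sent=1, hr_confirmed_active=True),
        Account("hr_says_gone", days_ago(100), enabled=False, notices_sent=1, hr_confirmed_active=False),
        Account("backlog_200", days_ago(200)),
    ]


if __name__ == "__main__":
    for userid, actions in run(sample_accounts(), TODAY, Policy()).items():
        print(f"{userid}: {actions or 'no action'}")
```

The value fed into `last_logon` matters: in Active Directory the `lastLogon` attribute is not replicated between domain controllers, which is why robo_dev's cross-check queries every domain controller and keeps the newest value; the replicated `lastLogonTimestamp` attribute is easier to read but can lag by up to 14 days by default, so a 30-day report based on it is really a 30-to-44-day report. Keeping the HR replies that drive `hr_confirmed_active` is also what gives ChewyBass the paper trail when someone tries to blame IT.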

RFink

1. Company policy also dictated that my e-mail box should have been disabled the day after I left. 2. Any e-mails that I received after I left were caused by their noncompliance with #1. 3. Since I never did anything with the e-mails I received I don't think they even knew I was getting it. My PHB was very clueless in that regard. 4. Penalty for violating company policy -- possible termination. I highly doubt that they would admit to being grossly negligent to the point of six months. They would be in more trouble than I would, especially since the PHB violated policy by forwarding the new password via e-mail. :)

The 'G-Man.'

"disabled my own domain account, and later sent an email" So how did you send the e-mail without any access?

helpdeskdude

We have just the opposite problem. I walked down the hall the other day and there was this guy sitting at a cubicle that WAS empty, just typing away. I asked who he was and what he was doing? His reply... "I'm the new guy, just hired for the designers department." WHAT??!!! HUH??!! I headed straight to the HR department and asked what was this person doing at a computer without proper supervision? They said "Oh we hired him last week!" Thanks for letting me know. This is what I run into all the time! jeeeeeez it's a wonder we still have any private info at all.

brudab

Sorry for the late reply. I only just checked back on this thread. After I disabled my domain account, I used one of my personal email addresses to send the email asking to disable my other accounts to customers' systems. As IT Manager, I had the right to disable my own domain account. However, regarding access to other external systems (remote access to our customers), I wasn't "allowed" to disable any account (even my own) as I had crafted our Acceptable Use policy to disallow this action.