When an employee is terminated or leaves a company for other reasons, access to systems should be immediately revoked, but in the U.S., many companies are slow to block access, according to a study conducted by the Identity Defined Security Alliance (IDSA).
The study surveyed 313 U.S. professionals in HR, sales, and help-desk positions who had responsibility for setting up or revoking system access. All respondents worked at companies that had at least 1,000 employees, where it was common for employees to require access to multiple systems.
50% of respondents said it takes 3 days or longer to terminate access rights when an employee leaves the company, even though such delays place systems and data at risk and cause compliance issues. If access is not immediately terminated, departing employees could remotely log in to systems and steal data to take to their new employer, delete data, or cause other damage. The risk of data loss is very real. 56% of sales managers said they were aware of staff stealing information when they left the company.
Onboarding employees and providing them with access to the systems and data they need is also slow. 72% of respondents said it takes a week or longer to give new employees the necessary access rights. This is often due to multiple departments being involved in granting access rights.
These delays result in a loss of productivity and pose a risk to security. The issue can be addressed through automation, yet only 23% of respondents said they automate assigning rights to new employees and only 35% automate revoking access rights. 83% of respondents said managing access rights has become even more problematic during the nationwide COVID-19 public health emergency, with so many employees now working remotely.
The survey revealed companies are also slow to address potential insider breaches. When asked whether workers would be blocked for unauthorized data or system access, only 38% said they would block access immediately. 62% said they would be hesitant to block an employee’s access in cases where data or systems had been accessed without authorization.
Good cyber hygiene was also found to be lacking. When asked about security best practices, 68% said it was more important to get the job done than to get the job done securely, and 69% said they took risks such as reusing usernames and passwords for personal and work accounts, using devices that had not been authorized by the IT department, and sharing login credentials with non-workers.
“With the number of identities in the enterprise exploding, the processes and technologies for managing them have become increasingly important and can have a significant impact on business operations and enterprise risk,” explained IDSA. “By implementing fundamental IAM best practices and identity-centered security outcomes, CISOs and IT leaders can continue to protect their organizations from compliance violations, stolen credentials or theft of confidential information, while also delivering value to their key stakeholders.”