
Are ex-Employees Exposing Your Sensitive Data?

A recent report suggests that you cannot be too careful on this front and should assume that they might be

Imagine a former employee has quit for some reason and, as part of the exit process, all their access to corporate data has been removed. However, a recent research report says that one cannot be overly confident that this former colleague no longer has access to such information, or that they aren’t directly or indirectly involved in some cyber incident.

A blog post by Kaspersky says that its team recently analyzed how well small and medium-sized businesses (SMBs) are prepared for cyber incidents in an unpredictable world. The study found that nearly half of the SMBs surveyed were not 100 percent sure that dismissed employees could not still access their business data through cloud services or corporate accounts.


There’s harm that can come your way

If an ex-employee still has access to work services or information systems, they could do plenty of harm to their former employer – should that float their boat. SMBs usually worry about largely phantom threats, such as a former employee using corporate data to launch a rival business, or taking a job with a competitor and poaching the company’s customers. But in terms of business damage, these are way down the list.

If an ex-employee has access to a customer database that contains personal data, they could leak it into the public domain (for example, as revenge for dismissal) or sell it on the dark web. For a start, that would damage the reputation of your business.

Second, it could jeopardize your customers, who might take legal action – if not for damages, then at least for having their personal data leaked. Third, you could receive a hefty fine from the regulators. The latter depends, of course, on the laws of the country where you operate, but there is a growing trend worldwide toward tightening the penalties for leaks of this kind.


Potential risk, minus malicious intent

Some issues are not the result of scheming ex-employees, or even direct leaks. An ex-colleague may not even remember they had access to such-and-such resource. But a routine check by those same regulators might reveal that unauthorized persons do in fact have access to confidential information, which would still result in a fine.

And even if you’re absolutely certain you parted ways on good terms with everyone, that doesn’t mean you’re out of the woods. Who can guarantee they didn’t use a weak or non-unique password to access work systems, which attackers could brute-force or come across in an unrelated leak? Any redundant access to a system – be it a collaborative environment, work email or virtual machine – increases the attack surface. Even a simple chat among colleagues about non-work issues could be used for social-engineering attacks.


Here’s what you can do

  • Minimize the number of people with access to important corporate data.
  • Set strict access policies for corporate resources – including e-mail, shared folders and online documents.
  • Keep a strict access log: record what access was granted and to whom. Revoke it immediately if the employee leaves the company.
  • Create clear instructions for creating and changing passwords.
  • Introduce regular cybersecurity awareness training for employees.
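As an added illustration of the access-log advice above (not code from the article or from Kaspersky), the following Python reconciles a constructed access register against a constructed HR departure list and flags every grant that has outlived the employment; the record formats and system names are assumptions made for this example.

```python
from datetime import date

# Constructed access register (the "strict access log" the article recommends):
# who was granted what, and when. Sample data only, not from any real organisation.
ACCESS_REGISTER = [
    {"user": "alice", "system": "crm-cloud", "granted": date(2022, 3, 1)},
    {"user": "alice", "system": "shared-drive", "granted": date(2022, 3, 1)},
    {"user": "bob", "system": "mail", "granted": date(2021, 7, 15)},
    {"user": "bob", "system": "vm-staging", "granted": date(2023, 1, 9)},
    {"user": "carol", "system": "crm-cloud", "granted": date(2023, 5, 2)},
]

# Constructed HR roster: departure dates for people who have left.
DEPARTED = {"bob": date(2023, 11, 30)}


def stale_grants(register, departed, today, grace_days=0):
    """Return grants still held by users who left more than grace_days ago.

    Each finding records how long the access has outlived the employment,
    which is the figure an auditor or regulator would ask about.
    """
    findings = []
    for grant in register:
        left = departed.get(grant["user"])
        if left is None:
            continue  # still employed (or not on the departure roster)
        days_since = (today - left).days
        if days_since > grace_days:
            findings.append({"user": grant["user"], "system": grant["system"],
                             "days_past_departure": days_since})
    return findings


def revocation_list(findings):
    """Collapse findings into sorted (user, system) pairs for the revocation ticket."""
    return sorted({(f["user"], f["system"]) for f in findings})


if __name__ == "__main__":
    found = stale_grants(ACCESS_REGISTER, DEPARTED, today=date(2024, 1, 15))
    for f in found:
        print(f"STALE: {f['user']} still holds {f['system']} "
              f"({f['days_past_departure']} days after departure)")
    print("Revoke:", revocation_list(found))
```

Running the check on a schedule, rather than only at offboarding time, also catches the case the article describes where nobody remembers that a departed colleague ever had a particular grant.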
