Nearly half of all IT decision makers in large UK businesses admit to retaining access to their employer's network, often for months after leaving the company.
The survey, commissioned by access rights management firm Protected Networks, found that three quarters of the 49% percent who retained access had used their permissions to access their former employer’s network – some admitting to getting back in the network on multiple ocassions and for up to a year.
65% of those with access to their former employer’s network retained access at a ‘user’ level whilst 22% still held ‘administrator’ level access rights, giving them the ability to control or escalate access to network resources for both themselves and others.
76% of businesses said they thought that network access rights should be given a higher priority and focus on attention. But out of those businesses that noticed IT workers were still gaining access to their networks, 57% failed to remove access rights, further proving just how relaxed attitudes are to closing off network access to former IT employees.
'The findings reveal an astonishingly liberal attitude of UK businesses to managing access to data on the corporate network, particularly if we bear in mind that this may potentially include granting access to valuable data like intellectual property, credit card data or sensitive private data about employees or clients,' said Keith Maskell, country manager at Protected Networks.
'Perhaps in some cases companies do not consider that their ex-employees are a threat, or administration staff are too overloaded to make systems changes on time, but in fact this common failure to remove data access rights creates a serious security vulnerability that can be exploited later by hackers, if not by the ex-employees themselves.'
According to Maskell, the findings are just more proof of the evidence we see on a daily basis of back doors being left open to ex-employees, or to employees who have moved on to new projects.
The main reasons for this are the very significant time, cost and resources required to manage complex access permissions structures – but it's still a massive oversight that security professionals need to address/
'Legislation like PCI DSS has for some time now highlighted the need for close controls, but the substantial fines being levied by the EU Data Protection Regulations for the loss of personally identifiable data is likely to make this an even bigger priority for companies in the future,' says Maskell.