For any organization, managing who has access to data and assets can be trickier than one
might expect. Access controls, simply put, determine who has access to what. Pretty
simple, right? But organizations of any size can struggle to, or forget to, manage
access creep—also known as privilege creep. It occurs when individuals have unrequired
This can happen if an employee changes positions within an organization and new access
rights are piled on to old access rights. But there are many instances in which an
employee, contractor, or individual could have access beyond what is appropriate. Such a
scenario is when an employee leaves an organization and retains some or all of their
access controls for longer than is necessary.
An employee departure, especially under bad circumstances, can be challenging to
navigate. Amid the Great Resignation, concerns over data exfiltration and intellectual
While each situation is unique, following appropriate procedures can help make the
departure process go as smoothly as possible. However, making sure that cyber-security
requirements are fulfilled can often get lost in the shuffle. Adhering to best practices
and managing access controls can minimize the risks posed by the insider threat.
Protect Against Insider Threat
Just as organizations need to defend themselves against cyber attacks originating
from the outside, steps need to be taken to counteract the risk of the "insider
threat." The insider threat can materialize in many ways—as a disgruntled former
employee absconding with confidential company information, an accidental click of a
phishing link, or a third-party vendor accessing certain data without authorization.
Whether malicious or unintentional, it can be difficult to fully account for the
insider threat. When an issue presents itself, organizations are often caught off
guard. Sometimes, these problems are only discovered long after the fact, which
occurs frequently in cases involving former employees.
Former employees may retain access to email accounts, the cloud, tools, assets, and
even property for long after their termination dates. Access creep is typically an
oversight on the part of the organization, and it can pose a serious problem when an
overlap is identified. A simple cyber-security and technology checklist is helpful
to have on hand to help mitigate the risks. Key steps may include the following.
Make sure that the employee no longer has access to their email account. Forward
all incoming emails to another address, and preserve or backup any accounts or
devices. Delete employee accounts.
Review (and audit) access controls to ensure that the former employee can no
longer remotely access any other accounts or assets, including cloud accounts or
social media sites.
Collect all company-owned property and devices (including key cards), and update
all relevant property logs.
Change all passwords, and disable multifactor authentication.
Have the employee confirm and provide signed documentation to upper management
and the IT department that all relevant steps have been followed and all property has been returned.
Additional investigative measures may be required; depending on the circumstances,
other departments or third parties may need to be involved to determine if
unauthorized access or data exfiltration has occurred. Having a strong incident
response is critical in the event of a breach, either malicious or unintentional.
Exceptions should not be made to the checklist your organization follows, as
consistency and timeliness in its application can help to prevent damages stemming
from the insider threat.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI.
Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion.
If such advice is needed, consult with your attorney, accountant, or other qualified adviser.