Acceptable security controls a rarity
Amid tightening budgets and streamlined operations, most companies still rely on outdated security procedures that do not account for widespread corporate layoffs or for an increasingly remote workforce. According to a new survey of U.S. security industry professionals, 14 percent of former employees still have access to proprietary data and organizational information, revealing critical deficiencies in corporate security policies.
Conducted by Cloakware among more than 12,500 U.S.-based security industry professionals, the study found that three-quarters of respondents work at companies of 1,000 people or more. A simple calculation from those replies (12,500 respondents × 0.75 × 1,000 employees × 0.14) gives a minimum of 1,312,500 former employees who still have access to company systems after leaving the organization.
As part of cost-saving measures, many of these companies now allow more employees to work remotely, yet fail to update their security controls. In fact, 90 percent of responding companies employ virtual workers who do business beyond the four walls of the traditional office. More than two-fifths of respondents (41 percent) said they have increased their use of virtual workers over the past 12 months, introducing more complex security issues that need to be addressed.
Still, many companies continue to use basic passwords and new-employee setup policies that make it easy to introduce vulnerabilities. Remote access is also often managed by several internal groups within a company, with no single owner for revoking it; 21 percent of responding companies admitted that they had not even changed employees' passwords after those employees were terminated.
All the responding security professionals said they allow some level of remote access for employees, yet the survey found that the vast majority of companies do nothing beyond rudimentary security to protect company assets.
The survey found:
- A disconnect between departments as to which group “owns” access for employees: The administrator charged with cutting off access to critical company information varies from company to company. Two-thirds of respondents said the IT department holds this responsibility, but many companies delegate it to human resources or to direct managers, a disconnect that leaves companies vulnerable to attacks by malicious former employees.
- Varied internal password management policies: While all respondents reported that their companies have mandated password-change policies, vigilance toward frequent updates is often lax. More than three-quarters of respondents reported that password changes are mandated either monthly (31 percent of those who enforce a schedule) or quarterly (69 percent). Yet only one-fifth of companies provide an automated function that forces employees to actually change their passwords.
- Simplistic security practices around setting up new-employee access: More than 80 percent of those surveyed reported that their companies use a standard format for new-employee access, i.e., e-mail addresses and initial passwords are set up the same way for everyone. Anyone who knows the pattern can guess a new co-worker's credentials, which makes it extremely easy to take advantage of a new hire's access to critical company resources.
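The first of these findings, and the 14 percent figure above, both come down to nobody reconciling the HR leaver list against the accounts that actually exist. The script below is an added example, not code from Cloakware or from the survey, showing that reconciliation on constructed data: every employee, account and date in it is made up for illustration, and the three checks (account still enabled, logon after termination, password not reset since termination) mirror the gaps the survey reports.

```python
"""Reconcile an HR leaver list against a directory export to find former
employees who still have access.  Added example with constructed data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Leaver:
    employee_id: str
    name: str
    terminated: date


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    enabled: bool
    last_logon: Optional[date]   # None means the account never logged on
    password_last_set: date


# Constructed HR feed: who left and when (hypothetical people and dates)
LEAVERS = [
    Leaver("E1001", "Ada Lovelace", date(2024, 3, 15)),
    Leaver("E1002", "Charles Babbage", date(2024, 4, 2)),
    Leaver("E1003", "Grace Hopper", date(2024, 5, 20)),
    Leaver("E1004", "Alan Turing", date(2024, 6, 1)),
]

# Constructed directory export, e.g. a user list joined to VPN logon data
ACCOUNTS = [
    # Never disabled after the March departure
    Account("alovelace", "E1001", True, date(2024, 3, 14), date(2024, 1, 10)),
    # Properly offboarded: disabled and password reset on the termination day
    Account("cbabbage", "E1002", False, date(2024, 4, 1), date(2024, 4, 2)),
    # Still enabled and actively used two weeks after leaving
    Account("ghopper", "E1003", True, date(2024, 6, 3), date(2024, 3, 1)),
    # Secondary admin account nobody remembered to disable
    Account("ghopper-adm", "E1003", True, None, date(2024, 3, 1)),
    # Disabled late: used nine days after termination, then cleaned up
    Account("aturing", "E1004", False, date(2024, 6, 10), date(2024, 6, 10)),
]


def find_orphaned_access(leavers, accounts, grace_days=0):
    """Return (username, employee_id, reason) for every account a former
    employee could still use.  grace_days tolerates a short disable lag
    before a post-termination logon counts as a finding."""
    by_employee = {}
    for acct in accounts:
        by_employee.setdefault(acct.employee_id, []).append(acct)

    findings = []
    for leaver in leavers:
        cutoff = leaver.terminated + timedelta(days=grace_days)
        for acct in by_employee.get(leaver.employee_id, []):
            if acct.enabled:
                findings.append((acct.username, leaver.employee_id, "still enabled"))
            if acct.last_logon is not None and acct.last_logon > cutoff:
                findings.append((acct.username, leaver.employee_id, "logon after termination"))
            # A password that predates termination may still work on systems
            # that keep their own copy of the credential, so flag it even
            # when the directory account itself has been disabled.
            if acct.password_last_set < leaver.terminated:
                findings.append((acct.username, leaver.employee_id,
                                 "password not reset since termination"))
    return findings


def share_still_with_access(leavers, findings):
    """Fraction of leavers with at least one finding; the survey's
    14 percent is this number measured across respondents."""
    flagged = {employee_id for _, employee_id, _ in findings}
    return len(flagged) / len(leavers)


if __name__ == "__main__":
    results = find_orphaned_access(LEAVERS, ACCOUNTS)
    for username, employee_id, reason in results:
        print(f"{username:12} {employee_id}  {reason}")
    print(f"leavers still with access: {share_still_with_access(LEAVERS, results):.0%}")
```

Run against a real export, the only thing that changes is how `LEAVERS` and `ACCOUNTS` are loaded; the point is that the check is owned by one job, not by whichever of IT, HR or the line manager happens to remember.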