When business leaders think about information technology security, they often focus on protecting themselves from hackers and viruses. But sometimes, the greatest threat to IT security is internal.
Lax security policies may allow workers unrestricted access to sensitive information. And without proper security controls, employees may retain access to systems and accounts, even after they leave a job.
What You Don’t Know Can Hurt You
In July 2015, an audit of the Los Angeles County Probation Department found 695 employees still had active computer log-ins, seven years after they were terminated.
One would think a governmental department would have a security policy that ensures log-ins are deactivated upon termination, but even in the federal government, security controls are sometimes lacking. For example, Edward Snowden, a system administrator working on contract for the National Security Agency, was able to download thousands of classified documents, undetected, and without the proper credentials.
Employers should keep a record of log-in credentials for all employees and set up programs to force periodic password changes. When an employee leaves the job, all log-in credentials should be immediately deactivated. If a manager is terminating an employee, password deactivation should occur simultaneously.
Employee-monitoring software allows managers to measure keystrokes, downloads, Internet activity and more, which can reduce the risk of data theft or misappropriation.
When it comes time to terminate a system administrator or another IT employee with special knowledge of classified information, businesses have to plan carefully for this transition.
Some small companies have just one employee who handles their IT needs, and when that’s the case, businesses will need someone who can take over those responsibilities. If a company hasn’t found a replacement for the current IT person, an external consultant should be able to perform some, if not all, IT tasks in the meantime. That same external contact could be the one who deactivates log-in credentials for the employee being terminated.
Even when technology employees react calmly to being terminated, they should not be allowed to return to their work area, because it only takes a moment to wreak havoc on systems. Instead, managers should offer to return an employee’s personal belongings by mail.
Managers hope they’ll never have to fire anyone, or discover a trusted employee is trying to access classified information, but they should always be prepared for those possibilities. Strong security policies and redundancies can help businesses avoid risk from current and former employees.
If you’re concerned about the security of your technology systems, we can help. Lifeline Data Centers employs a Certified Risk Manager and Certified Information Security Manager. We’re more than a data warehouse. We’re a full-service colocation provider, with years of experience in compliance and security. Contact us today.