It's one thing to ask whether companies truly trust their employees with company information, but I think most would agree that trusting their ex-employees is definitely not desirable.
I was thinking about this while closing down the logins of a recent leaver on our various SaaS accounts. The internal systems were relatively straightforward - it's all controlled via a directory service so one inactivation command disabled all logins to our tools.
But, like many companies, we've signed up to various 'must have' SaaS applications running on the public cloud: sales tracking tools, desktop screen-sharing sites, and of course social media sites. The social networking sites are arguably the worst because they accept logins from consumer identity providers (e.g. Twitter, Google, Facebook, Hotmail) and therefore blur the distinction between personal use and company/enterprise use. If you sign up to a work-related account using your personal email address, it can create problems for you as an employee as much as for the company. With things like Microsoft accounts, where multiple email addresses can be attached to a single account, an employee who has linked a work address to a personal account runs a real risk: after they leave, the employer controls that work mailbox, and whoever controls a mailbox attached to an account can typically use it to sign in or to recover the password, locking the former employee out of their own personal account.
Add to this the security problems caused when an ex-employee's device is hacked or stolen along with the work accounts still logged in on it. A current employee might alert the company to the problem, but would an ex-employee do the same?
Going back to my task-in-hand, there was no fear in this case of a 'bad leaver'. It was just a chore trying to remember all the places we'd shared or granted access to accounts. We were so quick to sign up when we found a good application, but we kept no records because ever shutting down these accounts seemed a remote possibility.
It would seem from some survey stats published recently that many companies don't even try to close these accounts. One survey found that 89% of ex-employees could still access confidential information using their 'old' logins on sites such as Salesforce, Facebook, Google Apps, etc. It also found that 45% of those ex-employees did log in at least once. That's close to another stat I've seen, where 51% of companies found that ex-employees tried to access company data.
IT departments would argue that part of the problem is that nobody (apart from the users, of course) knows these applications are in use. Staff create workspaces on file-sharing sites because it meets a pragmatic need during one busy period or another. The same workspace is then re-used to store files that might be needed when access to the company network isn't possible or convenient, which is how you arrive at the 68% who admit to storing work information in their personal file-sharing cloud.
Another real possibility is that passwords for these applications are shared. There are various reasons for this, but chief among them are avoiding per-seat cost and keeping things simple. So, say five people share one login and one of them leaves the company. The other four still need to carry on using the tool. Do they remember to change the password? Probably not, and with a shared login there is no per-user account to disable and often no record of who held the password in the first place.
It's in the interests of SaaS vendors to make the sign-up process as easy as possible. But while I was struggling with the chore of closing down those accounts, my allegiance was definitely with those who warn us about the lack of security that this can bring.
Like many things, a little planning and record-keeping will help in the long run. Here are some suggestions to bear in mind:
- Keep a list of the services you're using, and help IT by sharing it with them
- When signing up for a site, spend some time finding out how to manage accounts for the day you need to disable or remove one (and, for any shared login, how to change the password). Keep a record of the process somewhere central
- As part of your social media policy, explain to employees that mixing personal email addresses with work accounts is not a good idea
- As part of the employee exit process, include a task that encourages leavers to remove their work email address from any personal accounts, and to do it before the work mailbox is disabled, while they can still receive any confirmation it sends
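As an added example (not code from the original post), here is what the list and the sign-up notes above can look like once they are kept in a machine-readable register, with a small routine that turns a leaver event into a checklist. It separates SSO-backed services (covered by the directory inactivation) from accounts that must be removed by hand, flags shared logins whose password must be rotated (the problem from the shared-password discussion above), flags logins registered under a personal address, and lists services where nobody recorded how to disable an account. The service names, people, domain names and register format are all constructed for illustration.

```python
"""Offboarding checklist generator over a SaaS access register.

Added example, not code from the original post. The register entries,
service names, people and domain names below are constructed for
illustration only.
"""
from dataclasses import dataclass, field

COMPANY_DOMAINS = {"example.com"}   # assumption: the employer's mail domains


@dataclass
class Service:
    """One SaaS account the company uses (constructed record format)."""
    name: str
    auth: str                                        # "sso" | "per_user" | "shared"
    users: set = field(default_factory=set)          # emails that have their own login
    shared_holders: set = field(default_factory=set) # people who know a shared password
    disable_procedure: str = ""                      # how to remove a login, noted at sign-up


def is_personal(email: str) -> bool:
    """A login registered with a non-company mailbox blurs personal and work use."""
    return email.rsplit("@", 1)[-1].lower() not in COMPANY_DOMAINS


def offboard(register, leaver_emails):
    """Turn a leaver event into a concrete checklist.

    leaver_emails: every address the person is known to have used, work and
    personal, so per-user logins registered under either are found.
    """
    leaver = {e.lower() for e in leaver_emails}
    plan = {
        "auto_disabled": [],          # SSO-backed: the directory inactivation covers it
        "remove_account": [],         # (service, email) to delete by hand
        "rotate_shared": [],          # (service, remaining holders): password must change
        "personal_email_logins": [],  # (service, email) to raise in the exit conversation
        "missing_procedure": [],      # services where nobody wrote down how to disable
    }
    for svc in register:
        hits = {u.lower() for u in svc.users} & leaver
        shared_hit = bool({h.lower() for h in svc.shared_holders} & leaver)
        if not hits and not shared_hit:
            continue                  # the leaver never had access here
        if svc.auth == "sso":
            plan["auto_disabled"].append(svc.name)
            continue
        for email in sorted(hits):
            plan["remove_account"].append((svc.name, email))
            if is_personal(email):
                plan["personal_email_logins"].append((svc.name, email))
        if shared_hit:
            remaining = sorted({h.lower() for h in svc.shared_holders} - leaver)
            plan["rotate_shared"].append((svc.name, remaining))
        if not svc.disable_procedure:
            plan["missing_procedure"].append(svc.name)
    return plan


# Constructed sample register: not real services or people.
REGISTER = [
    Service("wiki", "sso", users={"alice@example.com", "bob@example.com"},
            disable_procedure="directory: disable user"),
    Service("crm", "per_user", users={"alice@example.com", "carol@example.com"},
            disable_procedure="Admin > Users > Deactivate"),
    Service("screenshare", "shared",
            shared_holders={"alice@example.com", "bob@example.com", "carol@example.com"}),
    Service("social-page", "per_user",
            users={"alice.personal@gmail.example", "dave@example.com"},
            disable_procedure="Page settings > Roles"),
]

if __name__ == "__main__":
    leaver = ["alice@example.com", "alice.personal@gmail.example"]
    for section, items in offboard(REGISTER, leaver).items():
        print(f"{section}: {items}")
```

The register is only as good as its upkeep: a service that was never added (the workspace someone created during a busy week) never appears in the plan, which is exactly why the first suggestion above is to keep the list and share it with IT.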