One thing more prevalent in the news than security risks is organizational layoffs and reorganizations. Look at Microsoft and its 18,000-person layoff, or Barclays, which is looking to slash 7,000 jobs by 2016. It would be extremely ambitious to assume that IT can successfully off-board that many users and not have a single one slip through the cracks. All you need is one.
How much do you trust the person sitting in the cubicle across from you? I’ve asked myself that question in every job that I’ve had working in the financial industry. While it may seem strange, these are the same type of people responsible for managing, transferring and balancing money in accounts just like yours. There is very little difference between the person at your financial institution of choice and your coworker. It gets scarier the more you think about it, doesn’t it?
Your Peers are the Real Super Hackers
You hear in the news how Hacker ABC somehow gains access to a large corporation and steals personal information. But these super hackers have nothing on John Doe in cubicle C, who has the know-how and wherewithal to secretly transfer money from my account, take company confidential information with him when he leaves the organization, or worse, manipulate the whole corporation from the inside out. All it takes is an overworked manager who forgot to tell IT to revoke access to services and an opportunistic (albeit fraudulent) ex-employee in John Doe.
You Know This Story
Let’s say that John Doe worked in the distributions department of your favorite financial services organization. He handles cash transfers and wiring funds, and he has signature authority on customer accounts. Now the organization is reorganized, John’s role is considered redundant, and he is transferred to another department or even let go.
It’s not the IT department’s responsibility to know who does or does not work for the company. They have other “small responsibilities,” such as keeping the technology infrastructure of the organization up and running. It’s up to John’s boss and HR to inform IT as to what has changed. Unfortunately, the boss is too busy filling the gap that John left, and HR is still managing the reorganization as a whole. Not to mention that John has been there for so long that no one remembers what systems and services he even had access to. So what you end up with is an ex-employee who still has access to accounts and signature authority with no management controls, as well as an unsuspecting IT department that didn’t know to remove his access.
There is no need to go into what could happen next. We all have a vivid imagination. Even if someone doesn’t leave the organization but simply changes roles, it is crucial to ensure that access and services that are no longer appropriate are revoked within a reasonable amount of time. The moral of the story is that situations like this happen too frequently, and the risks can be ghastly to both the organization and its trusting customers.
Off-boarding – Are You Playing Go Fish or Old Maid?
By on-boarding, I mean much more than just days 1-5 from a person’s hire date. Every time a person’s role changes and their IT services need an overhaul, that’s on-boarding. If it were a card game, the ideal situation would be Old Maid – you are matching the right IT services with the right roles. However, in today’s world, it’s more like Go Fish. “John, do you have a CRM login?” “Nope, go fish.” Let’s stop the guessing game and know who has access to what. Once you are sure of what access a person has, you can create a process to remove it once it is no longer necessary.
You can even have the HR system and the IT systems talk, so that once that employee’s status has changed, they are automatically unsubscribed from their old IT services and, if applicable, subscribed to the IT services they now need to do their new job. The key word in all this is automatically. This means that as soon as HR changes John Doe’s employment status in the system, his access is revoked and everyone can go on with the rest of their lives risk-free. HR made no phone calls to IT, IT didn’t have to do anything but now has some unused licenses to reallocate, and John’s now overstretched boss can focus on getting back to business as usual.
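The HR-driven reconciliation described above, as an added example that is not RES Software’s code or any product’s API. It assumes a constructed HR feed, a hypothetical role-to-entitlement map, and a constructed snapshot of current IT access, and it computes what to revoke (leavers and movers), what to grant (movers), and which accounts have no HR record behind them at all.

```python
# Constructed sample inputs (not from any real HR or IT system).
# HR feed: the authoritative record of who works here and in what role.
HR_FEED = {
    "jdoe":   {"status": "terminated", "role": "distributions"},  # let go in the reorg
    "asmith": {"status": "active",     "role": "support"},         # moved out of distributions
    "bwong":  {"status": "active",     "role": "distributions"},   # unchanged
}
# Hypothetical role-to-entitlement map: what each role should hold, and nothing more.
ROLE_ENTITLEMENTS = {
    "distributions": {"wire-transfer", "crm", "signature-authority"},
    "support":       {"crm", "ticketing"},
}
# Snapshot of what the IT systems currently grant (constructed).
CURRENT_ACCESS = {
    "jdoe":   {"wire-transfer", "crm", "signature-authority"},  # nobody told IT
    "asmith": {"wire-transfer", "crm", "signature-authority"},  # kept the old role's access
    "bwong":  {"wire-transfer", "crm", "signature-authority"},
    "ghost":  {"crm"},                                           # no HR record at all
}

def expected_access(record):
    """Entitlements a person should hold given HR status and role.
    A non-active status or an unmapped role fails closed to no access."""
    if record.get("status") != "active":
        return set()
    return set(ROLE_ENTITLEMENTS.get(record.get("role"), ()))

def reconcile(hr_feed, current_access):
    """Compare HR truth with IT reality. Returns (revoke, grant, orphans):
    per-user entitlements to remove, per-user entitlements to add, and
    accounts that exist on the IT side with no HR record behind them."""
    revoke, grant = {}, {}
    orphans = set(current_access) - set(hr_feed)
    for user, record in hr_feed.items():
        have = current_access.get(user, set())
        want = expected_access(record)
        if have - want:
            revoke[user] = have - want
        if want - have:
            grant[user] = want - have
    return revoke, grant, orphans

if __name__ == "__main__":
    revoke, grant, orphans = reconcile(HR_FEED, CURRENT_ACCESS)
    print("revoke:", revoke, "\ngrant:", grant, "\norphans:", orphans)
```

Run on a schedule or on every HR status change, the output is the work list IT never had to be phoned about; the orphan list is the part no automation can close without a human deciding who owns that account.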
Not A Dream Deferred
So now that I’ve sufficiently made you question your coworker’s integrity, know that there is technology to reduce the risk of a rogue coworker getting access to your, my or anyone else’s confidential information. It’s called RES Suite 2014. I will spare you the details, but I suggest that you check out my friends at www.ressoftware.com to see just how easy it is to implement. If not RES Software, I at least encourage you to look into security, compliance, on-boarding and off-boarding. You might just secure your own job.