Employees come and go throughout the time that you run your business, and sometimes these relationships may end with a bad taste in the mouth for the employee, employer, or both.
In today’s world, it is important to account for every possible tie the employee might have to the company. It is easy to think of the traditional things – such as a company laptop or office keys – but access to the company blog or the Customer Relationship Management (CRM) system might not come to mind, and that is exactly where these employees can cause damage.
This is sometimes referred to as rogue access, and an employee doesn’t necessarily need to be terminated to cause trouble: an upset or unethical employee who is still on the payroll can be just as devastating to your business, as AT&T learned with its data breach in October.
CRM tools typically include customer data, such as email addresses, phone numbers and company decision makers. Therefore, unauthorized access to the company CRM is basically giving an upset employee the keys to the kingdom to cause chaos among customers, or worse, handing them a lead list for their new employer to try to steal your client base.
For an employee more inclined to cause chaos, they might send spam emails to these customers designed to tarnish the reputation of your organization. For an employee that is leaving the company, however, they might take things a step further and sell your client list to competitors or use it themselves if they are recruited by a competitor.
How can these scenarios be avoided?
Start by segmenting CRM access – there is no good reason for a salesperson to have access to all accounts, and employees in other divisions should only have access to the information they need. By the same logic, sharing usernames and passwords shouldn’t be an acceptable policy, as it increases the number of people who could potentially cause trouble and makes it impossible to tell afterwards who actually did.
But issues go beyond employees actively causing trouble. You might have an employee who left on good terms but the sheer fact that they can still access company data can be a big issue, especially if you are in a field that is heavily regulated, such as health care or finance. If an auditor checked credentials for terminated employees or employees that should no longer have access to said data and the credentials still functioned, this would most likely violate the regulations for the field in question, resulting in fines or penalties.
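The audit described above can be scripted. The following is an added example, not code from the article or from any CRM product: it reconciles a constructed HR roster against a constructed CRM user export, flagging terminated employees whose accounts are still enabled, logins that occurred after the termination date, accounts with no matching employee (shared or orphaned logins), and current employees who can see every account rather than only their own.

```python
from datetime import date

# Constructed sample data (not from the article). An HR roster keyed by login,
# with the termination date or None for current employees.
HR_ROSTER = {
    "asmith": None,
    "bjones": date(2014, 9, 15),
    "cwu": date(2014, 10, 1),
}

# Constructed CRM user export: whether the login is enabled, the last login
# date (None if never used) and how many customer accounts the user can see.
CRM_USERS = [
    {"login": "asmith", "enabled": True, "last_login": date(2014, 10, 20), "accounts": 40},
    {"login": "bjones", "enabled": True, "last_login": date(2014, 10, 2), "accounts": 1200},
    {"login": "cwu", "enabled": False, "last_login": date(2014, 9, 28), "accounts": 15},
    {"login": "shared_sales", "enabled": True, "last_login": date(2014, 10, 21), "accounts": 1200},
]


def audit_crm_access(roster, crm_users, total_accounts):
    """Return a list of (login, reason) findings for an access review."""
    findings = []
    for user in crm_users:
        login = user["login"]
        if login not in roster:
            # Nobody in HR owns this login: a shared or orphaned account.
            findings.append((login, "no matching employee; shared or orphaned account"))
            continue
        terminated_on = roster[login]
        if terminated_on is None:
            # Current employee: check that access is scoped, not company-wide.
            if user["accounts"] >= total_accounts:
                findings.append((login, "can see every account; restrict to assigned accounts"))
        else:
            # Former employee: the login must be disabled and unused since leaving.
            if user["enabled"]:
                findings.append((login, f"terminated {terminated_on} but account still enabled"))
            if user["last_login"] and user["last_login"] > terminated_on:
                findings.append((login, f"login on {user['last_login']} after termination"))
    return findings


if __name__ == "__main__":
    for login, reason in audit_crm_access(HR_ROSTER, CRM_USERS, total_accounts=1200):
        print(f"{login}: {reason}")
```

Run it against a real CRM export and HR feed and any non-empty result is an offboarding gap to close, and a compliance finding waiting to happen in a regulated field.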
Finally, be sure to properly manage and audit any shadow IT, meaning applications in use at the company that are not authorized and managed by IT. This includes but isn’t limited to products like Dropbox, Gmail and even USB drives. All three can easily take data out of company hands and put it somewhere an employee can store at home and use at any point in time, whether they are still employed by the company or not.
Depending on the data the employee works with, these applications should be blocked or restricted. Otherwise, education plans should be in place to ensure that employees are not using them in ways that can hurt the company. Better yet, the company should strive to provide similar services to eliminate the employee’s want or need to use these services, making shadow IT a moot point.
About the Author: Alex Cartaya is Product Specialist at Vault Networks. With over 10 years of experience in the IT industry he brings a unique wealth of knowledge about a broad spread of technologies, ranging from Network Security to Cloud Solutions and beyond. Alex is native-born to Miami, and currently resides in Homestead. Alex is a proud FIU Alumni, having recently received a Master’s of Science in Global Strategic Communications from Florida International University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.