Naked Security

Access all areas – but for how long after you’ve left the company?

How quickly do you push the big red Delete button on someone's access after they leave?

Friday afternoon, you shake your colleague’s hand one last time as they walk out the door, and with their exit, they transition from colleague to ex-colleague. The ex-employee has severed their relationship with the company – or have they?

A recent survey conducted by One Login shows that the gap between intent and action remains wide when it comes to removing former employees from the company’s network. For the survey, One Login interviewed 500 US-based, non-managerial IT department employees with “responsibility for the creation and deletion of employee logins in-house, and either manages logins, or is responsible for their creation”.

What they found surprises few of us. A full 48% of the respondents “are aware” of ex-employees who retain access to the corporate infrastructure or portions of it after they have left. Some for a day, others for a week, and, according to One Login, the longest period between departure and removal of access identified to them by a respondent was “months”.

Why should you care?

While the vast majority of ex-employees move on and never look back, there is an active minority who do reach back into their former place of work and wreak havoc.

This was the case at Navarro Security, where a former employee, using off-the-shelf tools, destroyed company files, redirected the company website to a competitor, and sowed doubt among customers and colleagues.

Then there was the tale of the Dutch developer who retained administrative access to his clients’ e-commerce websites long after his contract work had concluded. His clients failed to remove that access, and he used it to install back doors and harvest data, compromising some 20,000 email accounts belonging to both individuals and companies.

Or the case of Verelox, the Dutch hosting company, where an ex-IT admin reached back in and caused many moments of high anxiety: it appeared he had destroyed data and wiped servers (apparently backups saved the company that day).

And the icing on the cake? The survey showed a full 20% of the respondents have experienced data breaches by ex-employees.

How does this happen?

Manual deprovisioning isn’t easy. Seventy percent of respondents said it can take up to an hour to complete, and 66% said that the longer an employee has been with an organization, the harder it becomes to remove all of their corporate access. The time and effort that manual deprovisioning demands is ample incentive to automate the task.

We read with regularity about companies whose employees harvested intellectual property before leaving, to take with them to their next gig. Why make it easy for them to reach back in and collect what they forgot? Timely deprovisioning is key.

In a perfect world, a centralized credential authority for employee access would be in place, with the ability to terminate an individual’s access instantaneously at the push of the big red button. Companies small and large also benefit from having a SIEM (security information and event management) solution in place to show when that ex-employee attempts to return. No company is immune; size plays no role in the world of access control.
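To make the two ideas above concrete (a central authority that can cut access at once, and monitoring that notices when an ex-employee tries to come back), here is an added example that is not part of the original article or of One Login’s survey. It cross-checks a constructed HR leaver feed against a constructed snapshot of a central directory to find accounts still enabled after departure, runs a few constructed sshd-style log lines through a small parser to flag any login attempt, successful or failed, by a leaver after their departure time, and finally applies the “big red button” by disabling every leaver in the directory snapshot. The account names, hosts, addresses, log format and timestamps are all made up for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# --- Constructed inputs (illustrative only, not real data) -------------------
# HR leaver feed: account name -> date/time the person left (UTC).
LEAVERS = {
    "jdoe": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 2, 9, 17, 0, tzinfo=timezone.utc),
    "bwong": datetime(2024, 3, 8, 17, 0, tzinfo=timezone.utc),
}
# Snapshot of the central directory: account name -> enabled flag.
DIRECTORY = {"jdoe": True, "asmith": False, "bwong": True, "cjones": True}
# Time at which the check runs.
NOW = datetime(2024, 3, 10, 0, 0, tzinfo=timezone.utc)
# Assumed sshd-style log lines with an ISO-8601 UTC timestamp and host prefix.
AUTH_LOG = """\
2024-03-01T16:45:10Z vpn-gw sshd: Accepted publickey for jdoe from 203.0.113.5
2024-03-04T09:12:33Z vpn-gw sshd: Accepted password for jdoe from 198.51.100.7
2024-03-04T09:13:01Z git-srv sshd: Failed password for asmith from 198.51.100.7
2024-03-05T22:05:44Z git-srv sshd: Accepted publickey for bwong from 192.0.2.9
2024-03-07T10:00:00Z vpn-gw sshd: Accepted password for cjones from 203.0.113.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    host: str
    outcome: str  # "Accepted" or "Failed"
    user: str
    src: str


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the assumed log format above; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, m["host"], m["outcome"], m["user"], m["src"]))
    return events


def stale_accounts(leavers, directory, now) -> dict[str, int]:
    """Accounts of people who have left but are still enabled -> days since departure."""
    return {
        user: (now - left).days
        for user, left in leavers.items()
        if now >= left and directory.get(user, False)
    }


def post_departure_access(events, leavers) -> list[AuthEvent]:
    """Auth events by a leaver after their departure time.
    An 'Accepted' event means access was never cut; a 'Failed' one means
    someone is still trying with that account, which the SIEM should surface."""
    return [e for e in events if e.user in leavers and e.when > leavers[e.user]]


def deprovision(directory, leavers, now) -> tuple[dict[str, bool], list[str]]:
    """The 'big red button': disable every leaver whose departure time has passed.
    Returns the updated directory snapshot and the sorted list of accounts disabled."""
    updated = dict(directory)
    disabled = sorted(u for u, left in leavers.items() if now >= left and updated.get(u))
    for u in disabled:
        updated[u] = False
    return updated, disabled


if __name__ == "__main__":
    for user, days in stale_accounts(LEAVERS, DIRECTORY, NOW).items():
        print(f"STALE  {user}: still enabled {days} day(s) after departure")
    for e in post_departure_access(parse_auth_log(AUTH_LOG), LEAVERS):
        print(f"ALERT  {e.when:%Y-%m-%d %H:%M} {e.outcome} login for ex-employee "
              f"{e.user} on {e.host} from {e.src}")
    directory, disabled = deprovision(DIRECTORY, LEAVERS, NOW)
    print("disabled:", ", ".join(disabled))
```

On the constructed data the stale check reports jdoe (eight days after leaving) and bwong (one day), the log sweep raises a successful login by jdoe three days after departure and a failed attempt against the already-disabled asmith account, and the deprovision step disables jdoe and bwong while leaving cjones untouched. In practice the leaver feed would come from the HR system, the directory snapshot and disable action from the identity provider’s API, and the log lines from whatever the SIEM already collects; the point of the example is that the join between those three sources is what turns “we should cut access” into a check that runs every day.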


5 Comments

It is not always a bad thing if an ex-employee retains access. In some cases it is intentional.

For example, when I left a previous employer 2 years ago, they asked me if I would be willing to give occasional remote help on the systems I had worked on. I agreed to this and negotiated an hourly rate that I would charge if they asked for help. Their sysadmin left my access enabled after I left, presumably to prevent difficulties if I needed access.

In the event, they never asked me for help, and cut my access about 6 months later, but before they did I retained access, and could have logged in and caused all sorts of damage if I had wanted to.


That’s a *bit* different – you effectively went from being a full time staffer to a contractor, so there was a specific and documented need for you to have access.

So by the letter of employment you were an ex-employee, but by its spirit you were still effectively an insider…


What if employees of the company use surveillance software to continue spying on said former employee, to prevent him from rightfully laying claim to recompense for abuse in the workplace ?


“Some for a day, others for a week, and, according to One Login, the longest period between departure and removal of access identified to them by a respondent was ‘months’.”

When I retired from a large and security-conscious company, my accounts remained active for seven days by corporate policy. On the sixth day my manager called me and asked me to come in and prepare for him an archive of important data the corporate attorneys wanted retained. Fortunately I was able to do so. (That’s when I noticed the email saying the account would be deleted seven days from my last one.)

What’s ironic about this is that I had been asking the attorneys for six months prior how to go about archiving the data for them.


Back in the day, I worked for a large (and distinctively coloured) 3-letter-acronym company, from which I resigned just before Christmas one year, to be hired back as a contractor the following month. I did note that my access to the IT systems still worked when I got back … for about two weeks, when my IT logon and my building access card stopped working in the middle of January.

