{"id":45684,"date":"2022-09-27T13:03:53","date_gmt":"2022-09-27T17:03:53","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=45684"},"modified":"2022-09-27T13:03:53","modified_gmt":"2022-09-27T17:03:53","slug":"ex-employees-access","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/ex-employees-access\/45684\/","title":{"rendered":"Might your ex-employees still have access to corporate data?"},"content":{"rendered":"<p>How confident are you that your former employees no longer have access to corporate information? As practice shows, this isn\u2019t an irrelevant question. Recently, our colleagues <a href=\"https:\/\/www.kaspersky.com\/blog\/smb-cyber-resilience-report-2022\/\" target=\"_blank\" rel=\"noopener nofollow\">analyzed<\/a> how well small and medium-sized businesses (SMBs) are prepared for cyberincidents in an unpredictable world. The study found that nearly half of the SMBs surveyed were not 100 percent sure that dismissed employees could not still access their business data through cloud services or corporate accounts.<\/p>\n<h2>What harm can an ex-employee with access to corporate data do?<\/h2>\n<p>If an ex-employee still has access to work services or information systems, they could do plenty of harm to their former employer \u2013 should that float their boat. SMBs usually worry about fairly phantom threats, such as a former employee using corporate data to launch their own rival business or taking a job with a competitor and stealing the company\u2019s customers. But in terms of business damage, these are way down the list.<\/p>\n<p>If an ex-employee has access to a customer database that contains personal data, what they could do is leak it into the public domain (for example, as revenge for dismissal) or sell it on the dark web. For a start, that would damage the reputation of your business. 
Second, it could jeopardize your customers, who might take legal action \u2013 if not for damages, then at least for having their personal data leaked. Third, you could receive a hefty fine from the regulators. The last of these depends, of course, on the laws of the country where you operate, but there\u2019s a growing trend worldwide toward tightening the penalties for leaks of this kind.<\/p>\n<h2>Potential problems without malicious intent<\/h2>\n<p>Some issues are not the result of scheming ex-employees, or even direct leaks. An ex-colleague may not even remember they had access to such-and-such a resource. But a routine check by those same regulators might reveal that unauthorized persons do in fact have access to confidential information, which would still result in a fine.<\/p>\n<p>And even if you\u2019re absolutely certain you parted ways on good terms with everyone, that doesn\u2019t mean you\u2019re out of the woods. Who can guarantee they didn\u2019t use a weak or non-unique password to access work systems, which attackers could brute-force or come across in an unrelated leak? Any redundant access to a system \u2013 be it a collaborative environment, work e-mail or virtual machine \u2013 increases the attack surface. Even a simple chat among colleagues about non-work issues could be used for social-engineering attacks.<\/p>\n<h2>How to minimize the risks<\/h2>\n<p>Most of the measures to combat data leaks through ex-employees\u2019 accounts are organizational. Thus, we recommend:<\/p>\n<ul>\n<li>Minimizing the number of people with access to important corporate data.<\/li>\n<li>Setting strict access policies for corporate resources \u2013 including e-mail, shared folders and online documents.<\/li>\n<li>Keeping a strict access log: record what access was granted and to whom. 
Revoke it immediately if the employee leaves the company.<\/li>\n<li>Creating clear instructions for creating and changing passwords.<\/li>\n<li>Introducing regular <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/security-awareness?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">cybersecurity awareness training<\/a> for employees.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kaot\">\n","protected":false},"excerpt":{"rendered":"<p>Are you sure your former colleagues don\u2019t have access to corporate data or systems?<\/p>\n","protected":false},"author":2581,"featured_media":45685,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[1616,2388,732],"class_list":{"0":"post-45684","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-access","10":"tag-employees","11":"tag-research"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ex-employees-access\/45684\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ex-employees-access\/24670\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ex-employees-access\/20137\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/ex-employees-access\/27123\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ex-employees-access\/25004\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/ex-employees-access\/25348\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/ex-employees-access\/27747\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ex-employees-access\/11065\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/ex-employees-access\/19533\/"},{"hreflang":"pt-br","u
rl":"https:\/\/www.kaspersky.com.br\/blog\/ex-employees-access\/20105\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/ex-employees-access\/29341\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/ex-employees-access\/32629\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ex-employees-access\/31064\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ex-employees-access\/30773\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/access\/","name":"access"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/45684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=45684"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/45684\/revisions"}],"predecessor-version":[{"id":45687,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/45684\/revisions\/45687"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/45685"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=45684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=45684"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=45684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}