New Courion Survey: Many Large Enterprises Underestimate Risk From Terminated Employees

By Prne, Gaea News Network
Sunday, June 14, 2009

MANCHESTER, England - 93% of Large Enterprise IT Administrators Say There is No Risk from Former Employees; Yet More than Half Have Limited Knowledge of Employee Access Rights to Systems

Courion(R) Corporation, leaders in access governance, provisioning and compliance, today releases survey results revealing that while a vast majority (93%) of organisations are confident that terminated employees pose no security risk to their systems by virtue of legacy access, many have limited or no knowledge of the systems to which their active and terminated employees have access. This unwarranted confidence in system security leaves companies vulnerable to attacks that could cost millions.

Conducted through May 2009, a global survey of 236 business managers from large enterprises — more than half from companies with at least 10,000 employees — reveals that 53% of IT managers are largely unaware of employee access rights to systems. This causes a proliferation of zombie accounts — accounts that remain active after employees have left the company. However, these same administrators say they have a high level of confidence that zombie accounts cannot trigger a malicious attack or perpetrate a data leak, despite high-profile evidence to the contrary.

Other key survey results include: - Nearly one in three companies (30%) still manually provision user accounts, increasing the likelihood of human error or delays when de-provisioning departing employees - and ultimately the risk of data theft via zombie accounts. - Almost half (48%) of organisations currently take more than one business day to alert IT departments of employee terminations. - Close to one quarter (23%) of companies surveyed also take another day or more to switch off employee access to their systems, creating a substantial window of opportunity for malicious former employees. - Almost 1 in 10 companies (9%) said they could never be completely certain that terminated employees no longer have access to IT systems. - More than one third (34%) of business managers reported that it can take up to a week or longer to be completely certain that terminated employees do not have access to systems.

These figures suggest that IT administrators may be overconfident in their ability to prevent data breach threats from zombie accounts, which can cost organisations millions of pounds in damages and tarnish brand reputation. Courion recommends careful inspection of Access Assurance policies to ensure that the right users have the right access to the right resources and are doing the right things.

“The fact that 53% of IT managers are largely unaware of employee access rights to systems is of great concern and is a problem that has been exacerbated by the high frequency of mergers and acquisitions in the current climate,” warns Courion’s General Manager, Stuart Hodkinson. “The time for over confidence has passed. It is important for IT Managers to close these exploitable holes by undertaking regular audits of their systems, ensuring that employees have access to only the information they need to do their jobs.”

For a full breakdown of the survey or to arrange an interview with experts who can discuss the results and the importance of user provisioning and Access Assurance policies, contact:

Martin Brindley Davies Murphy Group courion@daviesmurphy.com +44-01256-807360

About Courion

Courion’s award-winning Access Assurance solutions are used by more than four hundred organisations and over 7.5 million users worldwide to quickly and easily solve their most complex identity and access management (password management, provisioning, and role management), risk and compliance challenges. Courion’s business-driven approach results in unparalleled customer success by ensuring users’ access rights and activities are compliant with policy while supporting both security and business objectives. For more information, please visit our website at courion.com, our blog at blog.courion.com/, or on Twitter at twitter.com/Courion.

Courion is a registered trademark. All other company and product names may be trademarks of their respective owners

Source: Courion Corporation

Martin Brindley of Davies Murphy Group, courion at daviesmurphy.com, +44-01256-807360

YOUR VIEW POINT
NAME : (REQUIRED)
MAIL : (REQUIRED)
will not be displayed
WEBSITE : (OPTIONAL)
YOUR
COMMENT :