Security Risk of Legacy Accounts

Courion completed a survey in May after the California Water Services Company security breach to assess how pervasive is this problem. They found:

“…a vast majority (93%) of organizations are confident that terminated employees pose no security risk to their systems by virtue of legacy access, many have limited or no knowledge of the systems to which their active and terminated employees have access.”

Conversely said, 7% of surveyed organizations believe terminated employees pose a risk. Directly translated this means 7% of our addressable market believes they have a problem right now, 93% needs to be convinced, and some percentage between the two is the actual marketplace. Indirectly translated (and a slight stretch), you could use this data to say that you have a 7% chance of a terminated employee posing a security risk. Reviewing the top down business case for Cal Water I outlined in a previous post I arrived at a 8% chance. Are we are actually converging on an approach to construct a business case for de-provisioning?

Since we all love facts and figures as Product Managers the rest of Courion’s posted results are also interesting.

• 236 business managers from large enterprises – more than half from companies with at least 10,000 employees – reveals that 53% of IT managers are largely unaware of employee access rights to systems. This causes a proliferation of zombie accounts – accounts that remain active after employees have left the company. However, these same administrators say they have a high level of confidence that zombie accounts cannot trigger a malicious attack or perpetrate a data leak, despite evidence to the contrary, such as the recent CWSC incident.
• Nearly one in three companies (30%) still manually provision user accounts, increasing the likelihood of human error or delays when de-provisioning departing employees – and ultimately the risk of data theft via zombie accounts.
• Almost half (48%) of organizations currently take more than one business day to alert IT departments of employee terminations.
• Close to one quarter (23%) of companies surveyed also take another day or more to switch off employee access to their systems, creating a substantial window of opportunity for malicious former employees.
• Almost 1 in 10 companies (9%) said they could never be completely certain that terminated employees no longer have access to IT systems.
• More than one third (34%) of business managers reported that it can take up to a week or longer to be completely certain that terminated employees do not have access to systems.

Thank you Courion for sharing your market research with those of us on more restrictive budgets.