Why Account Lifecycle Management is Important!

It is increasingly important that organisations start taking account lifecycle management more seriously.

Ask yourself these questions: Do any of your departed users still have access to your systems? One more time. Do you know, for sure, whether any of your departed users still have access to your systems?

My experience has taught me that most organisations have a fairly generic staff offboarding procedure. The procedures are usually very loosely adhered to. They ensure that appropriate knowledge is transferred. They collect company assets, and elicit feedback with an exit interview. The staff member leaves among a flurry of “we will miss you” and other well wishes, and they are on their way.

What is the problem? Well, the two main motives for data breaches are financial and espionage. With the current pandemic, most organisations and individuals are feeling the financial pinch at the moment.

For a business, any impact to operations or cashflow can be devastating – possibly causing the business to collapse. For individuals, anyone with the right motivation and a decent skillset can take advantage of weak security practices.

What does this mean for businesses? Many things. My topic of choice today is ensuring healthy and secure processes are in place to remove access to networks and systems. This is something that organisations just aren’t very good at. Research by OneLogin from 2017 shows that nearly half of ex-employees still had access to systems after departing!

Failing to handle the employee offboarding process can lead to serious information security risks. According to the 2020 Data Breach Investigations Report by Verizon, internal actors account for around 30% of all attacks. This figure is up from 20% just 5 years ago.

Also remember that it isn’t just the departed user you need to worry about. What if someone else knows the password? They now have an account they can use, and they potentially have someone else to blame any wrongdoing on!

Organisations need to put some serious effort into this space to ensure the safety and security of the organisation and its stakeholders.


The mitigations for this risk fall into 2 categories: Administrative Controls and Technical Controls. Administrative controls focus on the security policies and procedures surrounding the user account lifecycle, while technical controls consist of the tools (hardware and software) that are implemented to manage the user account lifecycle.

Administrative Controls

You need to make sure you have well-defined user account management policies that answer questions such as:

  • How long is an account inactive before it is disabled?
  • How long after the user has left before the account is disabled?
  • How long are disabled accounts kept before being deleted?
  • What if the account cannot be deleted? How do you secure it?
  • How are temporary or contract staff accounts managed?
  • What about accounts for staff on leave?

All these, and many more, scenarios need to be considered when developing your account management policies.

Technical Controls

Wherever possible, account lifecycle management should be automated. This removes most of the human factor when it comes to making sure things are done in a timely manner. Of course, you need to have a good understanding of your user account types and how each of them is managed.

Understanding the account types should be made much simpler once you have defined your account management policies. This should allow you to configure (or create) the appropriate tools you need to get things automated.
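As an added illustration (not code from the original post or from any particular product), here is one way to turn the policy questions above into an automated decision step. The thresholds, account types and the sample directory export are all constructed assumptions; the `decide` function returns the action the policy requires for each account so that a scheduled job could act on it and log the result.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy thresholds: constructed example values, replace with your own policy.
INACTIVE_DAYS_BEFORE_DISABLE = 90       # "How long is an account inactive before it is disabled?"
DAYS_AFTER_DEPARTURE_BEFORE_DISABLE = 0 # "How long after the user has left before it is disabled?"
DISABLED_DAYS_BEFORE_DELETE = 180       # "How long are disabled accounts kept before being deleted?"

@dataclass
class Account:
    username: str
    kind: str                         # "staff", "contractor" or "service" (assumed types)
    last_login: Optional[date]
    departure_date: Optional[date]    # set by HR when the person has left
    on_leave: bool                    # extended leave flag from HR
    disabled_since: Optional[date]    # None while the account is active
    contract_end: Optional[date]      # contractors only

def decide(acct: Account, today: date) -> str:
    """Return 'keep', 'disable', 'delete' or 'review' for one account under the policy."""
    if acct.disabled_since is not None:
        if acct.kind == "service":
            return "review"           # cannot simply be deleted: needs manual securing
        if (today - acct.disabled_since).days >= DISABLED_DAYS_BEFORE_DELETE:
            return "delete"
        return "keep"                 # still inside the retention window
    if acct.departure_date is not None and \
            (today - acct.departure_date).days >= DAYS_AFTER_DEPARTURE_BEFORE_DISABLE:
        return "disable"              # the person has left
    if acct.kind == "contractor" and acct.contract_end is not None and today > acct.contract_end:
        return "disable"              # contract has expired
    if acct.on_leave:
        return "disable"              # assumed policy: suspend access during extended leave
    if acct.last_login is None or (today - acct.last_login).days >= INACTIVE_DAYS_BEFORE_DISABLE:
        return "disable"              # dormant account
    return "keep"

def plan(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map every username in a directory export to the action the policy requires."""
    return {a.username: decide(a, today) for a in accounts}

# Constructed sample directory export for a run on 2020-09-01.
TODAY = date(2020, 9, 1)
SAMPLE = [
    Account("alice", "staff", date(2020, 8, 30), None, False, None, None),
    Account("bob", "staff", date(2020, 5, 1), date(2020, 6, 15), False, None, None),
    Account("carol", "contractor", date(2020, 8, 1), None, False, None, date(2020, 7, 31)),
    Account("dave", "staff", date(2020, 4, 1), None, False, None, None),
    Account("erin", "staff", None, None, False, date(2020, 2, 1), None),
    Account("svc-backup", "service", date(2020, 8, 31), None, False, date(2020, 1, 1), None),
]
```

Running `plan(SAMPLE, TODAY)` keeps alice, disables bob (departed), carol (contract ended) and dave (dormant), deletes erin (disabled past retention) and flags the service account for manual review.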

There are plenty of off-the-shelf tools available; a simple DuckDuckGo search will give you hundreds of results. Finding the right one for your environment and budget is crucial. You need to make sure it is flexible enough to support your requirements. You also need to make sure it is well supported by the vendor. Speaking of the vendor, you also need to make sure that you are purchasing the tools from a reputable organisation. After all, you are putting a lot of trust in their service!

There are many different ways to approach this problem. I would suggest the adoption of a formalised Cybersecurity Framework. You need to find the framework that suits your organisation and your requirements.

There are many frameworks available, including:

  • NIST
  • ISO IEC 27001/ISO 27002
  • COBIT
  • SOC2

What is the takeaway from this? Make sure you disable user accounts that are inactive, and disable the accounts of staff who have left the organisation or are on extended leave!