The Ex-Employee Menace

Intermedia’s 2014 SMB Rogue Access Study explains why
your former coworkers just might be your biggest security threat.

UPDATE: The FBI has issued an alert on the ex-employee menace. Read more >

On February 10, 2015 the Bureau of Labor Statistics released its latest Job Openings and Labor Turnover summary. It found that 965,000 people in the Professional and Business Services industry left their jobs in December, 2014.

The critical question is: what kind of IT access did those 923,000 people take with them? Can they still copy leads from Salesforce? Can they log in to corporate Twitter accounts? Do they retain passwords for Quickbooks or Paypal? Are confidential files stored in their personal Dropbox accounts?

Intermedia and Osterman Research teamed to up to quantify the scope of the “Rogue Access” problem. What we learned should be a wake-up call for every business in the country.

Ex-employees are walking away with their passwords.

89% retained access

to Salesforce, PayPal, email, SharePoint, Facebook and
other sensitive corporate applications. — Tweet this

89% of the survey respondents retained access (that is, a valid login and password) to at least one application from a former employer. They named nearly every major app you can think of: Basecamp, Shopify,, Office 365, Google Apps, MailChimp, Wordpress, and many more.

45% retained access to “confidential”
or “highly confidential” data.
— Tweet this
49% logged into an account after leaving the company. — Tweet this

Users continue to have access to a wide range of accounts, IT services and platforms that they used when working for a previous employer. For example, 24% of users still have access to a PayPal account they used when working for a previous company, 21% have access to Facebook and 18% have access to LinkedIn.

— Osterman Research, “Do Ex-Employees Still Have Access to Your Corporate Data?”, August 2014

Maybe your exit interview is missing something?

60% of respondents were NOT asked for their cloud logins when they left their companies — Tweet this

It’s not surprising that cloud apps are falling through the cracks during the employee offboarding process. In many companies, the responsibility for provisioning apps falls to different departments: email is provisioned by IT, payroll apps are provisioned by HR, and line-of-business apps are provisioned by department managers.

With this approach, there is no clear responsibility for decommissioning and deprovisioning. The result: rampant rogue access.

Employers should do something that most of them are not doing: ask departing employees, as well as those who are staying with the organization, for the login credentials to all of the repositories that might contain corporate data. This might seem like an obvious thing for employers to do, but they are not doing it and should be.

— Osterman Research, “Do Ex-Employees Still Have Access to Your Corporate Data?”, August 2014

Ex-employees are also walking away with your files.

68% stored work files in personal cloud storage. — Tweet this

If you’ve heard of the Bring Your Own Device trend, then you may have heard of its sequel: Bring Your Own Service/App. As part of this trend, employees are creating project plans in Google Docs, or using SurveyMonkey instead of the corporate Qualtrics account, or spinning up AWS servers because there’s too much red tape inside the corporate datacenter.

This makes users more productive. And it also introduces huge security holes. Because if IT doesn’t know the where the company’s data is, how can it control what ex-employees can access?

Personal file sync and share services are probably the worst offenders. What’s the likelihood that IT will be able to access, secure or wipe corporate files stored in a personal Dropbox or Google Docs account?

File sync and share tools are widely used in organizations of all sizes, and most of these tools are deployed by individuals independently of any sort of ‘blessing’ from their IT department.

— Osterman Research, “Do Ex-Employees Still Have Access to Your Corporate Data?”, August 2014

What kind of risks does this “rogue access” create?

  • Stolen secrets. An ex-employee could bring account and billing data to your competitors. Or they could use your product plans to beat you to market.
  • Lost data. One day, an ex-employee casually purges her personal cloud storage accounts—and suddenly you’ve lost the only copy of all their work.
  • Regulatory compliance failures. How can you comply with regulatory obligations to protect sensitive data if ex-employees can still enter your systems and delete or modify data? Fines and legal costs can be substantial.
  • Data breaches. Forty-six US states require you to notify parties whose data has been breached. Does “rogue access” constitute a breach?
  • eDiscovery risks. Can you satisfy an eDiscovery order if you don’t have full and ready access to all of your discoverable data—such as data stored on ex-employees’ personal accounts?
  • Self-offboarding gone wrong. A well-intentioned employee could spend their last day deleting files or cancelling cloud accounts—and unwittingly destroy the value of all the work he or she did for you.
  • Out-and-out sabotage. Imagine what just one disgruntled ex-employee could do with access to your social media accounts, or the price settings on your ecommerce site, or the leads in your CRM…
  • Hacker field days. What if the bad guys nab an ex-employee’s device—with all the passwords to your systems stored in plain text?

Good news: we have three solutions. But before you read them, you should educate your coworkers. Awareness of Rogue Access translates directly into prevention.

Three methods for preventing rogue access

Implement rigorous access management and IT offboarding processes.

To successfully manage user access during employment—and revoke it when they leave—your business needs to build processes around the best practices for user lifecycle management. This includes managing employee access to IT services, maintaining awareness of access privileges, and instituting a rigorous IT offboarding checklist for departing employees.

Good news: we’ve done the research for you. At the bottom of this report, you’ll find guidelines for setting up internal processes as well as specific actions to take when onboarding and offboarding employees. In addition, you’ll find recommendations specific to regulated industries such as financial services, legal services and healthcare. You can download these documents at the end of this report.

Implement rigorous access management and IT offboarding processes.

Deploy a cloud storage service that’s more attractive than personal services.

Users want to access and share their files across multiple devices and collaborators. Personal services like Dropbox or Google Docs make that absolutely simple. If your corporate tools require even marginally more effort—even if it’s just logging in to the VPN—then people will naturally gravitate to the simpler solution.

That’s why you must provide a file sync and share service that’s as user-friendly as consumer tools but also gives IT full control over access privileges. (We, of course, recommend Intermedia’s SecuriSync.)

There are many obvious reasons you need IT control over shared files. But there are also some not-so-obvious ones. “If an employee stores sensitive or confidential data in personal Dropbox or Google Drive accounts, then this data is potentially accessible by outsiders the day the person becomes an ‘ex-employee’,” says Michael Osterman, president of Osterman Research. “In many cases, this runs afoul of data breach notification laws. This also complicates eDiscovery audits that require you to place legal holds on corporate data.”

And there’s one more risk: many well-intentioned employees spend their final day at a company clearing out their computers. What happens if, weeks later, you realize you’re missing some critical files? If they were stored on corporate cloud storage, then they’re simple to recover. If they were on a personal Dropbox, it’s much more challenging.

Find the balance to mitigate access leaks

Find the balance to mitigate access leaks

Utilize a single sign-on portal to manage and control access.

A single sign-on (SSO) portal gives employees access to all their apps with just one password. For users, it makes cloud IT as simple to use as the good-old “Start” menu: once you’re logged in, you click on any app—such as Salesforce, Quickbooks, webmail or thousands of others—and it launches immediately. There’s no need to type in any further passwords.

For users, SSO portals are popular because they eliminate the need to hunt for logins and passwords. This makes them more productive in the face of a sprawling cloud footprint. (In Intermedia’s previous report, Death by 1,000 Cloud Apps, we talked a lot more about the challenges posed when there are too many apps.)

For admins, SSO portals have a deeper benefit: they reduce the potential for Rogue Access. Here’s how single sign-on makes leaks less likely:

Users can be deprovisioned in a single click.
This makes it harder for a departing employee to retain access or cause mischief.

Users are less likely to remember their passwords.
A Single Sign-On portal requires users type passwords only when configuring an app or when the app requires a password reset. Compared to non-SSO users—who type in their passwords multiple times a day—an SSO user is less likely to depart the company with all of his or her logins and passwords memorized.

IT admins can see what apps an employee has been using.
Many security holes are introduced when employees use apps without IT’s knowledge. With an SSO portal, IT can review the logins saved by a departing employee to spot any unknown services and flag them for deprovisioning.

The safest password? No password at all.
Some SSO services let admins provision apps without users ever knowing their password. This is one of the most effective features an SSO portal can provide to prevent Rogue Access. (It’s currently available with Intermedia AppID Enterprise and Intermedia AppID for SAML-based apps.)

Download this toolkit to eliminate
Rogue Access in your business.

Get our checklist & best practices for managing IT access

Get our checklist & best practices for managing IT access

Learn more from this rogue access white paper by Osterman Research

Learn more about Rogue Access in this white paper by Osterman Research

Download this toolkit to eliminate Rogue Access in your business.






* Required

Find ideas for stopping Rogue Access.
Or share your solutions.

Follow @intermedia_net or join the conversation at #StopRogueAccess.

Rogue Access infographic