Why SMBs should include access revocation in their employee separation process

Christopher Budd 21 Sep 2021

Good and successful procedures for revoking access for terminated employees don’t need to be complicated

Letting people go is never a pleasant or easy task for anyone. A recent court case underscores the importance of businesses having an effective and fast process in place for revoking network access for employees being let go. The purpose of this process is to protect against any damage from newly former employees who are disgruntled at being dismissed.

In a recent case, a former credit union employee in Brooklyn pleaded guilty to destroying 21.3 GB of data from her former employer’s systems. She’s facing up to 10 years in prison for the act.

The court documents indicate that she deleted 20,000 files and nearly 3,500 directories, which included files related to mortgage loan applications and the company’s anti-ransomware software.

The impact of this on the credit union included spending $10,000 to fix the damage. It also had an impact on the credit union's customers, who were left scrambling because of the impact of the lost documents on their mortgage approval process.

How do cases like this happen in the first place?

The former employee was able to do this because the credit union’s IT support company didn’t revoke her access quickly enough when asked, giving her a 40-minute window in which she used her still-valid credentials to connect remotely to the system and delete the files.

This incident offers SMBs a clear lesson about the importance of having proper procedures in place to revoke access for terminated employees promptly and to verify that those procedures have been followed. In this case, for instance, if such procedures had been in place and followed, this entire episode likely wouldn’t have happened.

Good and successful procedures for revoking access for terminated employees don’t need to be complicated. In fact, it’s best if they are simple, since complications always increase the risk of mistakes and failure.

The key thing in revoking access as part of termination is timing. By the time someone knows that they’re being terminated, you want their access to already be revoked. Ideally, you don’t want to do it so soon that it will tip off the employee in question. However, from a data protection point of view, revoking access too soon is better than too late.

This also applies when you get notice from someone that they’re leaving: you want to revoke their access immediately. In that case, depending on the nature of the relationship, you may want to have your IT teams check to ensure that there was no unauthorized action taken by that person prior to their giving notice.

No one wants to think that someone might be capable of this kind of sabotage. But the reality is that while rare, it does happen. And when it does happen, it can have costly and sometimes devastating consequences. However, if you create a standard process and follow it in all cases, it not only increases the chances of success (meaning minimizing harm) but also depersonalizes it in every case. Following an aggressive but effective access revocation process means you’re not accusing anyone of anything, you’re simply following the rules.

If your company doesn't currently have a process like this in place, now is the best time to take steps to put one in place. As with so many practices, it’s better to be prepared ahead of time than to try to build something quickly when you suddenly realize that you need it. Early preparation also decreases the risk of errors.

Hopefully, your business will never have to deal with an employee who’s disgruntled to the point of wanting to take revenge. But having the right process in place and following it rigorously also helps decrease the chances that any actual harm will come out of the situation. As we can see in this case, that harm can be substantial for both your organization and its customers.