Ex-Employees: Gone But Not Forgotten

Bianca (not her real name) begins her work day with a jog or yoga class at her gym, followed by a shower and a quick stop at the Starbucks on the corner. While waiting for her mocha cappuccino venti and blueberry muffin, she fires up her laptop and connects to the wi-fi.

There on the screen she sees it. Will it work today? ”It” is the shortcut link to a secure connection into the largest and most prestigious law firm in the city. Seem like a long time ago that she started there, fresh out of law school.

She clicks the icon, the application starts, she enters her password. And waits…Windows is thinking... connected!

She's in! She sees all of the firm’s systems and client files, as if she were sitting in the office. Easy. Convenient. Secure.

There's just one small problem. She left the firm 14 months ago.

Nearly every month I hear about gone-but-not-forgotten ex-employees. Retired, quit or fired, they have flown... but their access lives on.

If these people were terminated, why weren't ALL of their systems’ access?

Since 70% of data breaches occur due to password issues, the ex-employee is particularly risky. Consider the following examples of data breaches:

An employee was fired, holds a grudge. She recruits some hackers and gives them her password. The hackers copy and publish trade secrets and embarrassing emails or documents (Sony, December 2014).

Company laptop was included in severance package and is stolen. It contains unencrypted email and client/customer/patient information that is uploaded to black market sites. (Several health departments and universities, 2014)


Common sense dictates its critical to terminate ex-employee’s access is to critical systems and applications. However, it’s a problem because of numerous and varied system each person uses, high turnover positions, and lack of methodical user permission tracking.

Here are some basic steps to address the problem:

Keep a single, central log of all users, the systems and applications they can access, and when the access was granted.

Grant access only to what each employee needs. Don’t let people into systems, applications or security levels beyond their duties.

Terminated employee check list. Develop a procedure to shut off and block the ex-employee’s access the moment it becomes effective.

Audit ex-employee list. Check all employees who have left in the past 24 months to ensure all of their access is turned off and they are blocked from your network, website, applications and social media.

Protect your organization. Consider your ex-employees as hackers.