Say you go to the doctor for an annual exam. It’s a simple process to detect problems and take care of yourself proactively. He suggests a blood test to check for a wide variety of problems. What does this have to do with inactive accounts? Follow along for a moment. By taking the time to get checked out, you can discover problems early on. Early detection and prevention are the name of the game in health. Your company’s cybersecurity needs a similar approach.
Why Do Inactive Accounts Pose a Security Risk?
Think of user accounts as keys to your company’s buildings. Each employee receives a key to come and go as needed. Some keys open just the front door while others unlock the server room. On a regular day, management may not worry much about who has the keys. When you don’t track your keys, a problem will develop and quietly start to expand. One month, two keys are lost. A few months later, it’s five keys. At this point, the odds of something dire happening such as lost company keys coming into the hands of criminals increases exponentially.
Inactive accounts are like keys that you’ve handed out to employees and then forgotten. You never know when that set of keys will be lost or fall into the wrong hands. Since inactive accounts are out of sight, they tend to be ignored. What are the consequences of neglecting inactive accounts?
The Perils of Inactive User Accounts Start with This
Employees come and go in all companies. Some industries, such as retail stores, have a turnover rate of near 100% each year. In other areas, employees may move around internally when they’re promoted or move to another division. Even when employees are completed content, they’ll eventually retire. All these changes gradually increase the number of inactive user accounts.
When you have dozens of user accounts, you have a major security risk exposure. These accounts are easier to attack. After all, no one is monitoring them. Fortunately, some organizations have rules and business processes in place to reduce this risk. For example, an inactive account may be deleted after 30 days of inactivity.
Unfortunately, inactive user account risk tends to be ignored compared to other cybersecurity problems. When the organization is hacked, your IT team may drop everything else to work on a response. Even your non-IT managers may become worried and preoccupied. If you continue to ignore inactive user accounts, the risk will grow as more employees move around and more systems are used.
What Can You Do About Inactive User Accounts?
Now, consider some of the strategies available that can help you handle the situation.
- Map the inactive user account problem accurately
Until you know the full extent of the inactive user account problem, it’s tough to make progress. First, check if your identity management solution has a premade report to address this issue. If you don’t have that available, start by creating a list of your most important systems.
How do you determine which systems are the most important? There are three general principles to use, namely, customer data, financial data, and the ability to make system changes. If a given user account has one or more of those features, it’s a critical system.
Resource: If your employees struggle with this process, your managers may need a user access management refresher.
- Identify the ex-employee inactive accounts
Inactive accounts assigned to former employees are high risk. People that have left the organization cannot be expected to safeguard information. To find the inactive accounts, carry out an analysis using these steps.
- Make a list of your most important systems
- Obtain a list of user accounts with last login date. Any account that’s been inactive for more than 30 days is a candidate for removal.
- Send a list of inactive accounts to HR for review. Ask your HR department to flag which user accounts belong to ex-employees.
- Start the account deletion process. Once you have these accounts identified, you can start shutting them down.
- Investigate employees who’ve changed roles
When someone changes jobs, his or her responsibilities change. That can lead to inactive accounts. If the employee moves from customer support to accounting, then he or she gains access to new systems managed by the CFO. However, that person should also lose access to customer relationship management (CRM) and related systems. You can use one of two methods to address this risk.
First, ask employees who’ve changed jobs in the past 12 months to do a self-assessment of their user accounts. Specifically, ask them to provide a list of all the systems and applications they use in their current and past roles. On this report, ask them to declare which user accounts should be removed. Using Lifecycle Management, you can automate and streamline identity control tasks. No more messing around with spreadsheets.
Second, ask HR to provide a report of employees who’ve changed jobs over the past 12 months. You can then verify whether you’ve heard from all employees.
- Implement a modern identity management solution
So far, we’ve covered ways to fix a legacy of inactive user accounts. Eventually, you’ll be caught up and have all your inactive user accounts deleted. At that point, you need to look at ongoing maintenance. Using an identity management solution such as Lifecycle Management makes it easy. Each employee can be equipped with a standard set of accounts specific to his or her role.
The Take-away Message
In cybersecurity, it’s easy to react to a crisis. Hackers break your systems, and you signal a red alert to your team! However, responding to an emergency is only part of the strategy. Proactive steps such as managing inactive user accounts make your organization more robust. If you have no significant problems on your agenda this week, schedule an hour to investigate the current state of your inactive user accounts.