The 7 Deadly Sins of IT Turnover: Is Your Password Security at Risk?
Turnover is rarely good for any company. Not only does turnover require companies to spend an estimated 1.5x to 3x the lost employee's salary to identify a replacement, but the employee often leaves with specialized knowledge that you may never recover.
For IT service providers and MSPs, technician turnover can be even worse; technicians often leave with very sensitive password data that can provide them with continued access to customer accounts, financial data, VPNs, and more.
There are specific things you need to do (such as changing all passwords) when a technician leaves, but many password administrators simply don't do this - either because of time concerns, or because they think they are safe.
Unfortunately, that's not always the case. I've talked to many administrators who have reached out to me after a password security disaster occurred. In many cases, the disaster could have been avoided simply by following password management best practices during technician turnover.
If you are experiencing any turnover, please keep these 7 deadly sins in mind:
- Complacency - Underestimating the importance and impact of taking action when staff leave or are let go.
- Ignoring the business risk - Believing that a staff member leaving the company doesn't pose a threat to the business, or the clients they serve.
- Failing to plan - Not having a documented process to deal with revocation of access across all customer networks for employees who leave or are let go from the company.
- Low knowledge of user access - Failing to keep track of what access staff have been given while with the company, and the ability to confirm what access is revoked once they are gone.
- Passwords aren't changed - After someone leaves the company, the passwords they had access to are not being changed, especially sensitive domain credentials and critical edge devices like firewalls and VPN endpoints.
- Absence of auditing - Not having visibility to tell if the former employee is attempting to gain access remotely after they have left the company.
- Lacking staff accountability - Even when their passwords are changed, what good is it if the employee can log in as one of their previous co-workers, or through shared accounts that haven't changed?
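The last four sins (low knowledge of user access, unchanged passwords, no auditing, and shared accounts that outlive the leaver) are all things an offboarding check can reconcile mechanically if the access inventory was kept in the first place. The script below is an added example, not code from the original post: it takes a constructed access inventory (which technician was given which secret, and when it was last rotated), a constructed list of personal accounts, and a few constructed auth log lines, and produces the offboarding gaps for one departing technician. Every name, host, address and timestamp in it is hypothetical.

```python
"""Offboarding access reconciliation for a departing technician.

Added example with constructed data; nothing here comes from the original post.
Given the date a technician left, it reports:
  1. secrets the leaver knew that have not been rotated since departure
     (critical edge devices and domain credentials listed first),
  2. personal accounts of the leaver that are still enabled,
  3. post-departure authentication events for the leaver's own username or
     for any shared account the leaver knew (successes and failures alike).
"""
from datetime import date, datetime
import re

# Constructed inventory: secret name -> who was given it, the login it unlocks,
# the last rotation date, and whether it guards a critical asset.
INVENTORY = {
    "cust-a/fw-edge admin":     {"holders": {"alice", "bob"},  "login": "admin",
                                 "rotated_at": "2024-03-01", "critical": True},
    "cust-a/vpn-gw psk":        {"holders": {"bob"},           "login": "vpn-psk",
                                 "rotated_at": "2024-01-15", "critical": True},
    "cust-b/domain svc-backup": {"holders": {"bob", "carol"},  "login": "svc-backup",
                                 "rotated_at": "2024-06-02", "critical": True},   # already rotated
    "cust-b/wiki shared-login": {"holders": {"alice", "bob", "carol"}, "login": "shared-login",
                                 "rotated_at": "2023-11-02", "critical": False},
    "cust-c/rmm agent key":     {"holders": {"alice"},         "login": "rmm-agent",
                                 "rotated_at": "2024-04-10", "critical": False},
}

# Constructed personal accounts: technician -> realm -> still enabled?
ACCOUNTS = {
    "bob": {"cust-a/vpn-gw": True, "cust-b/ad": False, "rmm-console": True},
}

# Constructed syslog-style auth lines collected after the departure date.
AUTH_LOG = """\
2024-06-03T08:12:44Z cust-a-vpn-gw sshd[1201]: Accepted password for bob from 203.0.113.7 port 51422 ssh2
2024-06-03T08:15:02Z cust-a-vpn-gw sshd[1203]: Failed password for bob from 203.0.113.7 port 51430 ssh2
2024-06-03T09:00:11Z cust-b-wiki login: Accepted password for shared-login from 203.0.113.7 port 40022
2024-06-03T09:30:00Z cust-c-rmm sshd[77]: Accepted publickey for alice from 198.51.100.4 port 2200 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \S+: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def unrotated_secrets(inventory, leaver, departed_on):
    """Secrets the leaver held whose last rotation predates the departure date."""
    stale = [name for name, meta in inventory.items()
             if leaver in meta["holders"]
             and date.fromisoformat(meta["rotated_at"]) < departed_on]
    # Critical assets (firewalls, VPN endpoints, domain credentials) first.
    return sorted(stale, key=lambda n: (not inventory[n]["critical"], n))


def enabled_accounts(accounts, leaver):
    """Personal accounts of the leaver that were never disabled."""
    return sorted(realm for realm, on in accounts.get(leaver, {}).items() if on)


def suspicious_auth_events(log_text, leaver, departed_on, shared_logins):
    """Auth events on or after departure for the leaver or a login they knew.
    Failures are reported too: an attempt is evidence even when it is refused."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if when.date() < departed_on:
            continue
        if m["user"] == leaver or m["user"] in shared_logins:
            events.append({"when": m["ts"], "host": m["host"], "user": m["user"],
                           "result": m["result"], "ip": m["ip"]})
    return events


def offboarding_report(leaver, departed_on, inventory=INVENTORY,
                       accounts=ACCOUNTS, log_text=AUTH_LOG):
    """Combine the three checks into one report for the departing technician."""
    # Every login the leaver could still use: shared secrets not yet rotated.
    shared_logins = {inventory[n]["login"] for n in unrotated_secrets(inventory, leaver, departed_on)}
    return {
        "unrotated": unrotated_secrets(inventory, leaver, departed_on),
        "still_enabled": enabled_accounts(accounts, leaver),
        "suspicious": suspicious_auth_events(log_text, leaver, departed_on, shared_logins),
    }


if __name__ == "__main__":
    report = offboarding_report("bob", date(2024, 6, 1))
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print("  ", item)
```

The report is deliberately noisy in one direction: any post-departure use of a shared login the leaver knew is flagged until that secret is rotated, because until then nobody can say whether it was a current co-worker or the leaver who used it. Rotating the secret is what makes that line go quiet, which is exactly the point of sins four and seven.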