I read on LinkedIn this week that up to one-third of former employees are still accessing company data–after their last day.
I wish I could say I was surprised. But I remember on my last day at one former employer, I turned in my badge, mentioned that I still had some paperwork to fill out and asked if I could have a couple of hours before my accounts would be de-activated. The guy laughed, and I won’t say how long he estimated my accounts would still be good. It was too long.

I worked another place that never deleted any accounts, for legal reasons. I think they were hurting themselves a lot more than they were helping themselves with this policy, but they never asked me. People generally worked there for a year or less or for decades, with very little in between the two extremes. Their high turnover meant a lot of ex-employee accounts. I was in the year-or-less crowd, and I spent most of my less-than-a-year there investigating dead accounts and the processes they used to handle them.
Since I wasn’t convinced they had the process down when I left, I secured my own account on the way out the door. I set my password to something long, random, and unguessable before I logged off for the last time. Then, if anyone ever tried to use my account after I was gone, they’d quickly lock out the account. If an insider ever re-activated my account and reset the password and then something happened, they’d have logs to indicate who did it. These protections are less than ideal, but at least they’re something.
The very best thing you can do to protect your company from disgruntled or just plain unethical ex-employees is to delete their accounts as quickly as possible, preferably before they’ve left the parking lot. That account is every bit as dangerous as the ex-employee’s ID badge and keys, so don’t let the account exist any longer than you’d be willing to allow that ex-employee to possess the ID and keys.
If you can’t delete the account immediately because the person worked in IT and you suspect there may be critical processes using that ID–that’s not supposed to happen, but it does from time to time–then don’t delete it immediately, but disable the account, change the password, document all of the privileges the account had, and then delete all of those privileges. Then watch to see what breaks, if anything. After a couple of weeks have passed, delete the account.
When I left my last pure sysadmin job, I actually did exactly that. I disabled all of my old accounts, then on my way out the door, provided a list of accounts to the other sysadmins, just in case. That way if something was running under one of my accounts–in the heat of the moment that happens sometimes–they could take over the account, fix whatever was broken, then get that process running under a proper service account. Since I trusted those guys, they trusted me, and I was moving to a job in the building literally next door, I had no problems doing that.
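The disable, inventory, strip, watch, delete sequence described above, written out as an added example for Linux local accounts (this is not the author's own tooling). It assumes the standard shadow-utils commands; every privileged command is printed rather than executed unless DRY_RUN=0, and GROUP_FILE can point at a copy of /etc/group so the audit step can be tried without root.

```bash
#!/usr/bin/env bash
# Offboarding helper (added example, Linux local accounts): disable first, record
# every privilege, strip privileges, watch for breakage, delete weeks later.
set -eu

GROUP_FILE="${GROUP_FILE:-/etc/group}"   # overridable so the audit can run on a copy
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands, 0 = execute them

run() { if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $*"; else "$@"; fi; }

# Supplementary groups listing USER as a member (name:x:gid:member,member,...).
# The primary group lives in /etc/passwd and is not covered here.
groups_of() {
  awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$GROUP_FILE"
}

# Step 1: lock the password and expire the account so no login path works, but keep
# the UID so files and any still-running process remain attributable to it.
disable_account() {
  run passwd --lock "$1"
  run chage --expiredate 1 "$1"
}

# Step 2: write down every privilege before touching it; this record is what you
# consult when something breaks after the account is gone.
inventory() {
  local user="$1" out="$2"
  mkdir -p "$out"
  groups_of "$user" > "$out/groups.txt"
  run sh -c "grep -rlw '$user' /etc/sudoers /etc/sudoers.d > '$out/sudoers-files.txt' || true"
  run sh -c "crontab -l -u '$user' > '$out/crontab.txt' 2>/dev/null || true"
  run sh -c "ps -o pid,lstart,cmd -u '$user' > '$out/processes.txt' || true"
}

# Step 3: remove the privileges themselves: group memberships, cron jobs, SSH keys.
strip_privileges() {
  local user="$1" g
  for g in $(groups_of "$user"); do run gpasswd --delete "$user" "$g"; done
  run sh -c "crontab -r -u '$user' 2>/dev/null || true"
  run sh -c "mv ~$user/.ssh/authorized_keys ~$user/.ssh/authorized_keys.revoked 2>/dev/null || true"
}

# Step 4, after the watch period (a couple of weeks in the text): delete for real.
finalize_delete() { run userdel --remove "$1"; }

offboard() {            # usage: offboard USERNAME EVIDENCE_DIR
  disable_account "$1"; inventory "$1" "$2"; strip_privileges "$1"
  echo "Watch $2/processes.txt and $2/crontab.txt for anything that must move to a service account."
}
```

The evidence directory doubles as the handoff list the remaining admins need if a job turns out to be running under the departed account.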
That goes to show that things work even better if your work culture reduces the number of disgruntled employees, but saying stuff like that tends to get me in trouble.