Employees’ Access Credentials Linger Long after They Leave


Identity and access management (IAM) has become the front line of security. To reduce the risk of data leaks and security incidents, organizations must ensure that only the right individuals have the right level of access to the right resources. IAM plays a particularly critical role in preventing the insider threats that pose the greatest security risk.

One of the most elemental security best practices is the revocation of access credentials when a worker’s employment ends. Even if the departure is on friendly terms, the organization should immediately disable that person’s access to systems and networks.

However, a new study from OneLogin suggests that many organizations aren’t doing that. Nearly half (48 percent) of IT decision-makers surveyed said they are aware of former employees who continue to have access to corporate applications. Further, 20 percent said that failure to revoke employee credentials has contributed to a data breach at their organization.

The study is based on the results of a quantitative survey completed by 500 U.S.-based IT decision-makers. Each of the respondents serves in a corporate IT department and has some level of responsibility for the company’s IT security. All of the companies represented provision and deprovision employee credentials in-house.

The study found that the length of time required to deprovision ex-employee accounts varies greatly. Half of survey respondents said that such accounts remain active for longer than a day, while 25 percent said it takes more than a week to deprovision them. Another 25 percent said they don’t know how long accounts remain active after an employee leaves the company. Close to half (44 percent) lack confidence that former employees are ever removed from corporate networks.

Technically, anyone who has authorized access to an organization’s IT systems is an “insider.” That includes individuals who are no longer employed by the company and therefore not subject to its policies.

Few ex-employees are likely to use their access credentials to perpetrate a cyberattack. In a recent survey by security provider Bomgar, respondents said they were less concerned about malicious insiders than employees unintentionally mishandling sensitive data. They also worried that an employee’s credentials could be phished by cybercriminals.

However, the risks posed by malicious insiders should not be underestimated. Such insiders can use their knowledge of an IT environment to cause tremendous damage to an organization’s systems and network. Because they have authorized access, they are often able to operate undetected for weeks, months, or even years, giving them ample opportunity to wreak havoc. According to a report from IBM X-Force Research, insiders were responsible for 60 percent of all cyberattacks, and two-thirds of those attacks (44.5 percent of all attacks) were carried out by insiders with malicious intent.

Business leaders should be alarmed by these statistics and move quickly to close any gaps in their organizations’ IAM policies and procedures. An employee’s access credentials should be revoked immediately upon termination. Similarly, the credentials of contractors, business partners, and other users should be revoked when their relationship with an organization ends. All user credentials should be frequently reviewed to ensure that access privileges are appropriate for each user’s role.
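The two controls recommended above (disable accounts at termination, and periodically review each user's entitlements against their role) can be checked mechanically by reconciling the HR roster with the identity provider's account list. The following script is an added example written for this article; it is not OneLogin's or the author's code, and the roster, account list and role baselines in it are constructed sample data with hypothetical user names. It flags enabled accounts whose owner has already left (or who is not on the roster at all), measures how many days passed between termination and disablement for accounts that were disabled, buckets those lags the way the survey does (within a day, longer than a day, longer than a week), and lists entitlements that exceed the baseline for a user's role.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Worker:
    """One row from the HR roster. termination_date is None while employed."""
    user_id: str
    role: str
    termination_date: Optional[date]


@dataclass
class Account:
    """One account as exported from the identity provider."""
    user_id: str
    enabled: bool
    disabled_on: Optional[date]
    entitlements: set = field(default_factory=set)


# Constructed sample data (hypothetical users), not taken from the article.
ROSTER = [
    Worker("alice", "engineer", None),
    Worker("bob", "engineer", date(2024, 3, 1)),
    Worker("carol", "finance", date(2024, 3, 10)),
    Worker("dave", "contractor", date(2024, 3, 14)),
]
ACCOUNTS = [
    Account("alice", True, None, {"vpn", "git", "prod-ssh"}),
    Account("bob", True, None, {"vpn", "git"}),           # left, never disabled
    Account("carol", False, date(2024, 3, 12), {"erp"}),  # disabled two days late
    Account("dave", False, date(2024, 3, 14), {"vpn"}),   # disabled the same day
    Account("erin", True, None, {"vpn"}),                 # no roster entry at all
]
# Hypothetical role baselines: the entitlements each role is expected to hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn", "git"},
    "finance": {"vpn", "erp"},
    "contractor": {"vpn"},
}


def lingering_accounts(roster, accounts, as_of):
    """Enabled accounts whose owner left on or before as_of, plus orphans.

    Returns (user_id, days_since_termination) or (user_id, "orphan") when
    the account has no roster entry, so nobody owns its deprovisioning.
    """
    by_user = {w.user_id: w for w in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        worker = by_user.get(acct.user_id)
        if worker is None:
            findings.append((acct.user_id, "orphan"))
        elif worker.termination_date is not None and worker.termination_date <= as_of:
            findings.append((acct.user_id, (as_of - worker.termination_date).days))
    return findings


def deprovisioning_lag(roster, accounts):
    """Days between termination and disablement for departed users whose
    account was actually disabled. Accounts still enabled are not counted
    here; lingering_accounts() reports those."""
    by_user = {w.user_id: w for w in roster}
    lags = {}
    for acct in accounts:
        worker = by_user.get(acct.user_id)
        if worker is None or worker.termination_date is None or acct.disabled_on is None:
            continue
        lags[acct.user_id] = (acct.disabled_on - worker.termination_date).days
    return lags


def lag_buckets(lags):
    """Bucket lags the way the survey reports them."""
    buckets = {"within_a_day": 0, "over_a_day": 0, "over_a_week": 0}
    for days in lags.values():
        if days <= 1:
            buckets["within_a_day"] += 1
        elif days <= 7:
            buckets["over_a_day"] += 1
        else:
            buckets["over_a_week"] += 1
    return buckets


def access_review(roster, accounts, role_entitlements):
    """Entitlements a user holds beyond their role's baseline, per user."""
    by_user = {w.user_id: w for w in roster}
    excess = {}
    for acct in accounts:
        worker = by_user.get(acct.user_id)
        if worker is None:
            continue  # orphans are reported by lingering_accounts()
        extra = acct.entitlements - role_entitlements.get(worker.role, set())
        if extra:
            excess[acct.user_id] = sorted(extra)
    return excess


if __name__ == "__main__":
    today = date(2024, 3, 20)
    print("still enabled after departure:", lingering_accounts(ROSTER, ACCOUNTS, today))
    print("deprovisioning lag (days):", deprovisioning_lag(ROSTER, ACCOUNTS))
    print("lag buckets:", lag_buckets(deprovisioning_lag(ROSTER, ACCOUNTS)))
    print("entitlements beyond role baseline:", access_review(ROSTER, ACCOUNTS, ROLE_ENTITLEMENTS))
```

In practice the roster would come from the HR system and the account list from the identity provider's API or a scheduled export; running the reconciliation daily turns "we don't know how long accounts stay active" into a measured lag, and the orphan check catches accounts that were created outside the normal provisioning path and so have no termination event to trigger their removal.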


For more information about Identity and Access Management, please send us an email at (
