Massive layoffs in the financial services sector have created a ticking security time bomb
(16/12/2008)
Courion Corporation has warned that the massive layoffs in the financial services sector over the last few months have created a ticking security time bomb, putting confidential consumer and corporate information at risk.
Major security risks include:
* Millions of potential zombie accounts – Employees accumulate an average of 15 to 20 user accounts over the course of their employment, and it typically takes an enterprise three to five minutes to manually turn off each account upon termination. Organizations faced with having to terminate hundreds of thousands, or even millions, of accounts may think that simply disabling an employee's network (directory) login is sufficient protection. In today's web-enabled IT environments this is increasingly ineffective: disabling the directory account revokes only the logins that are federated to it, and does nothing to a web-based or SaaS account (Salesforce.com, for example) that carries its own username and password. Laid-off employees can exploit the lag between being let go and having all of their accounts shut off to access sensitive company information. Worse, the usernames and passwords of zombie accounts can be shared or sold to the highest bidder, giving cyber-criminals access to sensitive information without the need for any sophisticated hacking technique.
* Identifying and closing zombie accounts – Since mid-2007, financial services firms have laid off nearly 170,000 employees and, according to executive search firm CTPartners, job losses in this sector are expected to total 350,000 by mid-2009. Last week, Credit Suisse, HSBC and Nomura Holdings announced 2,150 job cuts in their London and wider British operations. In November, RBS reduced its workforce by 3,000 while U.S.-based Citigroup announced 50,000 job cuts. In the case of Citigroup, the company is confronted with the daunting task of closing up to a million accounts belonging to the terminated employees. For Citigroup to manually deprovision a million accounts, assuming an average of three minutes per account, would require 50,000 man-hours. During the lag time in turning off those accounts, Citigroup would be an easy target for data theft.
* Laid-off employees with malicious intentions - A recent Cisco-sponsored survey of 2,000 employees and IT professionals reported that one in 10 end-users had either stolen technology, accessed someone else’s computer, stolen information and sold it, or knew of co-workers who did. In the case of the Citigroup and RBS layoffs, potentially thousands of former employees could be inclined to steal information through zombie accounts.
* Major data breach – Earlier this year, LendingTree reported that former employees who had access to zombie accounts were illegally accessing mortgage applications and even selling user names and passwords to mortgage lenders. The data breach harmed the credit scores of numerous consumers and prompted several class-action lawsuits. Fired employees know that their former employers are often slow to suspend access to accounts and disgruntled employees could easily cause harm through accessing, stealing, and disseminating confidential information before all of their accounts are completely turned off.
* Major internal breach – According to Courion, nearly 90 percent of asset-loss incidents in businesses result from employees having privileged access to IT systems and applications. This proved costly for Société Générale when an employee who had access to many different systems, and had accumulated numerous authorizations over time, used the computer logins and passwords of colleagues in the trading unit and the technology section to get into several systems and circumvent credit and trade-size controls. Because the company likely did not have effective controls in place to govern privileged access to systems and applications, it was hit with $7 billion in losses.
Courion recommends that major financial services organizations protect themselves against zombie accounts by following common-sense steps, such as:
- Implement an IT access assurance framework that automatically turns off access for terminated employees – As a standard practice, Courion recommends that organizations implement a comprehensive access and compliance management framework that automatically provisions new employees and deprovisions terminated ones, across every connected system rather than only the network directory, so that removal is triggered by the HR termination record instead of depending on a manual ticket for each account.
- Make sure that all employees have access only to the information needed to do their jobs – Many employees who have been with an organization for an extended period not only take on new roles and responsibilities but also acquire access to new accounts along the way. Over time, these employees may hold access that no longer pertains to their current duties. Courion advises that organizations revise access rights upon any change in job function or promotion, and periodically recertify that each remaining entitlement is still justified.
- Regularly update system administrator passwords – One gaping security hole in many organizations is that many people share highly privileged system administrator passwords for vital networks, servers, databases and applications. Many companies fail to change the password when one of those administrators leaves, thereby giving a former employee unfettered access to the entire network. Shared administrator passwords should be changed on a regular basis and immediately upon the termination of anyone who knew them; better still, each administrator should use an individually assigned privileged account so that no password has to be shared in the first place.
- Deploy a compliance monitoring and reporting capability – Organizations also need to provide business managers with automated tools that enable them to quickly and easily certify to internal and external auditors that only current employees have appropriate access to sensitive corporate assets.
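The recommendations above amount to one recurring reconciliation: compare the HR roster against the account inventory of every system, flag enabled accounts whose owner has left (or who has no owner at all), and flag shared privileged passwords that were last rotated before one of their holders was terminated. The script below is an added illustration of that check, written for this page; it is not Courion's product or code, and the employees, account names, systems and dates in it are constructed sample data.

```python
"""Reconcile an HR roster against an account inventory to find zombie accounts.

Added example for this page (not Courion's code). All employees, accounts,
systems and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    status: str                          # "active" or "terminated"
    termination: Optional[date] = None   # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    system: str                          # e.g. "ad", "salesforce", "vpn"
    username: str
    owner: Optional[str]                 # HR emp_id, or None if the system has no link to HR
    enabled: bool
    last_login: Optional[date] = None


@dataclass(frozen=True)
class SharedCredential:
    name: str
    holders: Tuple[str, ...]             # emp_ids who know the password
    last_rotated: date


# --- constructed sample data ---------------------------------------------
AS_OF = date(2008, 12, 16)

HR = {
    "e100": Employee("e100", "active"),
    "e200": Employee("e200", "terminated", date(2008, 11, 17)),
    "e300": Employee("e300", "terminated", date(2008, 12, 8)),
}

ACCOUNTS = [
    Account("ad", "alice", "e100", True, date(2008, 12, 15)),
    Account("ad", "bob", "e200", False, date(2008, 11, 14)),                    # disabled correctly
    Account("salesforce", "bob@corp.example", "e200", True, date(2008, 12, 1)), # SaaS login outlived the AD disable
    Account("vpn", "bob", "e200", True, None),
    Account("ad", "carol", "e300", True, date(2008, 12, 10)),                   # termination never processed
    Account("salesforce", "svc_report", None, True, date(2008, 12, 14)),        # no HR owner at all
]

SHARED = [
    SharedCredential("oracle/sys", ("e100", "e200"), date(2008, 10, 1)),
    SharedCredential("core-switch/enable", ("e100",), date(2008, 12, 1)),
]


def find_zombie_accounts(hr, accounts, as_of):
    """Return enabled accounts that should not be: owner terminated, or no owner.

    Each finding is (system, username, reason, days_open), where days_open is
    how long the account has outlived its owner's termination (None for orphans).
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        emp = hr.get(acct.owner) if acct.owner else None
        if emp is None:
            findings.append((acct.system, acct.username, "orphan", None))
        elif emp.status == "terminated":
            days = (as_of - emp.termination).days
            reason = "terminated-owner"
            if acct.last_login and acct.last_login > emp.termination:
                reason = "used-after-termination"   # evidence of actual use: escalate, don't just disable
            findings.append((acct.system, acct.username, reason, days))
    return findings


def stale_shared_credentials(hr, shared, as_of):
    """Shared admin passwords still known to someone who has left.

    A credential is stale if any holder was terminated on or after its last
    rotation. Returns (name, leavers, days_since_rotation).
    """
    stale = []
    for cred in shared:
        leavers = tuple(
            h for h in cred.holders
            if hr.get(h) is not None
            and hr[h].status == "terminated"
            and hr[h].termination >= cred.last_rotated
        )
        if leavers:
            stale.append((cred.name, leavers, (as_of - cred.last_rotated).days))
    return stale


if __name__ == "__main__":
    for f in find_zombie_accounts(HR, ACCOUNTS, AS_OF):
        print("ZOMBIE", *f)
    for s in stale_shared_credentials(HR, SHARED, AS_OF):
        print("ROTATE", *s)
```

Run against real data, the account inventory would come from each system's own export (directory, SaaS admin API, VPN user list, password vault), which is exactly why a directory-only check misses the Salesforce and VPN logins in the sample: they are enabled and tied to a terminated employee even though the matching AD account was disabled on time. The "used-after-termination" reason separates accounts that merely need closing from ones that warrant an incident investigation.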