IT Underestimates Risk from 'Zombie Accounts'

A recent survey from Courion Corp. reveals that a vast majority (93 percent) of organizations "are confident that terminated employees pose no security risk to their systems by virtue of legacy access." Unfortunately, the report notes, many of these same organizations have limited or no knowledge of the systems to which their active and terminated employees actually have access.

Such unjustified confidence in system security "leaves companies vulnerable to attacks such as the recent 'zombie account' breach at the California Water Service Company (CWSC), in which an ex-employee returned to his office after-hours and successfully transferred $9 million to offshore bank accounts in Qatar, using his old password to access privileged accounts."

Courion, a provider of identity and access management (password management, provisioning and role management), risk and compliance solutions, said its survey, conducted last month, asked 236 business managers around the world about their practices. Half of the companies had at least 10,000 employees.

According to Courion, "These figures suggest that IT administrators may be overconfident in their ability to prevent data breach threats from zombie accounts, which can cost organizations millions of dollars in damages and tarnish brand reputation. Courion recommends careful inspection of Access Assurance policies to ensure that the right users have the right access to the right resources and are doing the right things."

In the survey, Courion asked respondents if their top security concern came from external or internal threats. Less than half (46 percent) chose "internal," which may explain why over half (53 percent) of IT managers are unaware of their employees' system access rights. Courion says that lack of awareness causes a proliferation of zombie accounts (accounts that remain active after employees leave a company). These administrators also are confident that such zombie accounts can't trigger a malicious attack or perpetrate a data leak. Courion points out that the CWSC incident is just one example of behavior that isn't registering with these security professionals.

Companies aren't necessarily quick to turn off access from employees who leave the enterprise. Although more than a quarter (26.8 percent) notify IT to de-provision a terminated employee from all systems and applications, almost half (48 percent) of organizations take a day or more to do so; 4.5 percent can take more than a week before such notification is made. Once notified, over one-third (34.8 percent) of enterprises revoke access within an hour, but nearly a quarter (22.8 percent) can take more than a day (and for some, more than a month).

Worse, almost one out of every 10 companies (9 percent) report that they "could never be completely certain" that access to IT systems for terminated employees was removed.

The survey also found that nearly one in every three companies responding to the survey (30 percent) manually provisions user accounts. Courion believes this "increases the likelihood of human error or delays when de-provisioning departing employees -- and ultimately the risk of data theft via zombie accounts."

Kurt Johnson, vice president of corporate development at Courion, added, "This data and recent examples such as CWSC are further evidence of the need for diligence in terminating user access as soon as an employee leaves the company -- even a short time gap leaves companies vulnerable to inappropriate access. Organizations can greatly improve their risk posture by implementing automated Access Assurance policies that reduce or remove the risk of human error and ensure users are de-provisioned as soon as an employee departs."

About the Author

Jim Powell is president and CEO of Daisytek International Corporation. He can be contacted at 972-881-4700 or [email protected]

