Access Denied


  • Author David Ting
  • Published November 22, 2009
  • Word count 713

The looming threat of redundancies resulting from the recession has coincided with a surge of high-profile internal data thefts. Both in the UK and overseas, the media has regularly reported instances of inappropriate access to sensitive company data. For example, in the US, an auditor at the California Water Service Company resigned, but before leaving used his access to the company's computer systems to steal more than $9 million. Beyond the crimes themselves, these cases highlight a data protection failure: if organisations do not have visibility over who is accessing confidential data, they risk losing not only that data but also their reputations and, as a result, their customers. Unfortunately, this is just one episode in an ever-growing litany of breaches.

Symantec's research with the Ponemon Institute has suggested that 59 percent of ex-employees admit to taking confidential company information, such as customer contact lists, when they leave. This outstandingly high number should make us consider how such thefts and security risks can be prevented moving forward. Did all of these employees really need access to such valuable data? If not, senior executives should be addressing their access management policies and ensuring that they have visibility over what data is being accessed, by whom, and why. Without this control, businesses leave themselves at risk from current staff, staff who may soon be made redundant, and former staff. To protect themselves, organisations can use basic access tools such as the coupling of strong authentication and Single Sign-On (SSO): strong authentication confirms who the user is, and SSO then records each application the user reaches under that single identity. This gives managers visibility over access across the organisation, so that inappropriate access is detected and dealt with rather than going unnoticed.

Astonishingly, however, it is not uncommon for an employee to continue to have access to business applications even after their employment has been terminated. Many organisations simply neglect to close down access, so user identities are left open and vulnerable for an unjustifiably long time. As organisations host more and more of their applications in web-based systems, each with its own user store, they may not even know that the ex-employee still holds access rights to some of them. All this time, the ex-employee can reach sensitive and competitively valuable information. This unnecessary risk exposes businesses to tangible damage that can be avoided by the speedy deactivation of the user's access.

To avoid such mistakes, businesses should ensure full visibility over access records, employee access rights, and accounts that need to be removed. Deactivating orphaned accounts (accounts whose owner has left, or has no owner on record at all) is a critical first step towards comprehensive enterprise security. It is crucial that businesses can track which employees have access to which systems and, when employees leave, that they can quickly deactivate that access in every system, not just the central directory. Without this fundamental level of access management, businesses cannot maintain basic control over their most valuable business asset: their company's data.
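The reconciliation the two paragraphs above call for can be automated: compare the HR roster against an export of accounts from each application, flag enabled accounts whose owner has left (or has no owner), and check the SSO audit log for use of those accounts after the termination date. The script below is an added example written for this page, not code from the original article or from Imprivata; the HR export, account export, audit log, employee IDs, usernames and system names are all constructed sample data, and the 24-hour grace period for disabling an account is an assumed policy, not one the article states.

```python
"""Reconcile an account inventory against the HR roster to find orphaned
accounts and access that happened after the owner's termination.

All three inputs are constructed sample data (hypothetical employees,
usernames and systems), standing in for an HR export, a per-application
account export and an SSO audit log.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed HR export: one row per employee, termination_date empty if active.
HR_CSV = """employee_id,name,status,termination_date
E100,Ana Ruiz,active,
E101,Ben Okafor,terminated,2009-11-02T17:00:00
E102,Chloe Martin,terminated,2009-11-20T12:00:00
E103,Dev Patel,active,
"""

# Constructed account export from several systems (directory, CRM, ERP).
ACCOUNTS_CSV = """system,username,owner_employee_id,enabled
ad,aruiz,E100,true
ad,bokafor,E101,true
crm,ben.okafor,E101,true
erp,cmartin,E102,false
crm,chloe.m,E102,true
crm,svc_export,,true
erp,jdoe,E999,true
"""

# Constructed SSO audit log: which account was used, where, and when.
LOG_CSV = """timestamp,system,username,action
2009-11-03T09:12:00,crm,ben.okafor,export_contacts
2009-11-03T09:30:00,ad,aruiz,login
2009-11-21T08:05:00,crm,chloe.m,login
2009-11-01T10:00:00,crm,ben.okafor,login
"""

# Assumed policy: an account must be disabled within 24 hours of termination.
GRACE_PERIOD = timedelta(hours=24)


@dataclass
class Account:
    system: str
    username: str
    owner_employee_id: Optional[str]
    enabled: bool


def _rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def load_terminations(hr_csv: str = HR_CSV) -> Dict[str, Optional[datetime]]:
    """Map employee_id -> termination time, or None if the employee is active."""
    result: Dict[str, Optional[datetime]] = {}
    for row in _rows(hr_csv):
        term = row["termination_date"]
        result[row["employee_id"]] = datetime.fromisoformat(term) if term else None
    return result


def load_accounts(accounts_csv: str = ACCOUNTS_CSV) -> List[Account]:
    return [Account(r["system"], r["username"], r["owner_employee_id"] or None,
                    r["enabled"].lower() == "true") for r in _rows(accounts_csv)]


def find_orphaned_accounts(accounts: List[Account],
                           terminations: Dict[str, Optional[datetime]],
                           as_of: datetime,
                           grace: timedelta = GRACE_PERIOD) -> List[Tuple[str, str, str]]:
    """Enabled accounts with no accountable owner: the owner has left, is unknown
    to HR, or was never recorded. Returns (system, username, reason) triples;
    a terminated owner's account is 'overdue' once the grace period has passed."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing to do
        if acct.owner_employee_id is None:
            findings.append((acct.system, acct.username, "no owner on record"))
        elif acct.owner_employee_id not in terminations:
            findings.append((acct.system, acct.username, "owner not in HR roster"))
        else:
            term = terminations[acct.owner_employee_id]
            if term is not None and term <= as_of:
                state = "overdue" if as_of - term > grace else "within grace period"
                findings.append((acct.system, acct.username, f"owner terminated, {state}"))
    return findings


def find_post_termination_access(log_csv: str, accounts: List[Account],
                                 terminations: Dict[str, Optional[datetime]]
                                 ) -> List[Tuple[str, str, str, str]]:
    """Audit log events where the account's owner had already been terminated."""
    owner_of = {(a.system, a.username): a.owner_employee_id for a in accounts}
    hits = []
    for row in _rows(log_csv):
        owner = owner_of.get((row["system"], row["username"]))
        term = terminations.get(owner) if owner else None
        if term is not None and datetime.fromisoformat(row["timestamp"]) > term:
            hits.append((row["timestamp"], row["system"], row["username"], row["action"]))
    return hits


def reconcile(as_of_iso: str = "2009-11-21T09:00:00"):
    """Run both checks against the sample data as of the given time."""
    terminations = load_terminations()
    accounts = load_accounts()
    orphans = find_orphaned_accounts(accounts, terminations, datetime.fromisoformat(as_of_iso))
    hits = find_post_termination_access(LOG_CSV, accounts, terminations)
    return orphans, hits


if __name__ == "__main__":
    orphans, hits = reconcile()
    for system, username, reason in orphans:
        print(f"ORPHAN  {system}/{username}: {reason}")
    for ts, system, username, action in hits:
        print(f"ACCESS  {ts} {system}/{username} {action} (after termination)")
```

On the sample data the report lists the two accounts still held by the employee who left on 2 November as overdue, the account of the employee who left the previous day as still within the grace period, a service account with no owner, and an account whose owner ID does not appear in HR at all. The log check then shows a customer-contact export from the first ex-employee's CRM account the day after he left, which is exactly the scenario the article warns about. Note that the check works only if every application's accounts can be exported with an owner field; an account that cannot be tied to a person is itself a finding.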

Whilst locking down accounts is a critical step following any termination of contract, it is equally important to manage access efficiently during employment. When setting access levels for existing employees, it is crucial to allow users the access they need to perform their job function, and no more. By tracking these privilege levels with access management tools such as SSO, senior executives can ensure access issues are not overlooked, and that control over who may be accessing what, and when, is maintained.

Setting basic access control is simple. Start by getting a handle on which users need access to which information. Once the access each role requires to do its job has been analysed, anything outside those defined roles can be treated as an exception that needs justification. Enforcing these access rights is not as complex as it may sound. Technology such as Single Sign-On makes it quick to enrol users and assign access rights, whilst strong authentication such as biometrics ensures that the person accessing the data is the one authorised to see it. In today's market, keeping this information secure is more important than ever, not only for compliance and peace of mind, but also to protect the two key "R's": Revenue and Reputation.

Named one of InfoWorld's Top 25 CTOs of 2006, David has more than 20 years of experience in developing advanced imaging software and systems for high-security, high-availability environments. Prior to founding Imprivata he developed biometric applications for government programs and web-based applications for secure document exchange.

http://www.imprivata.com

http://www.imprivata.com/imprivata_blog
