“Leavers” are the biggest threat to the IT security of German companies
SailPoint, a leading provider in the field of identity security, today presents the results of its study “Challenges and opportunities in the use of Identity Security – the leaver as a source of danger”. The survey was conducted in cooperation with the analyst firm techconsult GmbH.
100 decision-makers or people heavily involved in the decision-making process were interviewed about their assessments of identity security in the company, challenges in the use of identity security solutions and the greatest threats for them in the field of IT security. The participants belonged to companies with more than 1,000 employees from a wide variety of industries and were interviewed in the survey period of March 2021.
First of all, the study illustrates how ubiquitous the cloud is already in German companies. 38 Percent rely mainly on cloud solutions, but continue to operate some important critical functions on site, while 18 percent rely almost entirely on the cloud. Only 9 percent are currently still pursuing a “no-cloud” strategy. This cloud superiority, as well as the accelerated digitization in general in the context of the pandemic, offers employees and employers numerous advantages. On the other hand, however, unprecedented risks for IT security are opening up. More and more applications, cloud services and new, stricter data protection and compliance regulations make it difficult for IT departments to keep track and secure the corresponding interfaces to their own company.
Questions such as “Which user has access to which company resources and data with which devices and which applications?“ become essential in the context of digitization and can be answered, for example, with the help of a suitable identity security strategy.
But what exactly does the implementation of identity security look like in companies? Is it automated or manual work? The results are sometimes sobering. Less than half (48 percent) of the companies stated that they have an extensive identity strategy that, for example, fully automates role-based access to data and resources. 42 Percent of companies regulate access for each employee individually and according to their role in the company. The rest do not have any pre-defined measures for controlling accesses and access authorizations in the company.
The study also provides insights into how German companies deal with personnel changes – for example, if the role of individual employees changes, they move to other departments or leave the company. The key question here is: “After many years, would companies still know who has access to which resources with which device? ” This problem can also be solved relatively easily with a suitable identity security strategy – for example, if suitable measures for onboarding and offboarding of employees have been implemented. With such measures, new, changing or departing employees can be assigned or withdrawn in a software-supported and fully automated manner.
When employees leave the company or change departments, the majority of them still have a manual process within IT to adjust the assignment of rights. In half of the companies, IT is commissioned by the departments or persons designated for this purpose to adapt and block the accesses accordingly. At this point, glaring errors can arise. Especially if, for example, it is not documented with which devices affected employees have access to company resources. Imagine that an employee leaves the company and, for example, once received access to certain cloud services on demand with his private mobile phone. There is a risk here that this employee will have access to sensitive company data long after leaving the company.
For this reason, it is gratifying to realize that 41 percent of companies have already implemented software-supported and fully automated onboarding and offboarding of employees. This is a strategy that offers maximum security, especially with regard to the increasing number of mobile and home office workstations, BYOD strategies and the associated rapidly increasing number of devices with network access. Unfortunately, seven percent of companies still have not defined any regulations or rely on employees who leave the company or change departments to apply to IT to block their accesses on their own initiative. It is doubtful whether this is being done to a sufficient extent – especially for employees who do not leave the company voluntarily. This not only makes it clear how much danger to the IT security of a company emanates from the so-called “leavers”, but also how important it is for those responsible to keep an accurate overview of granted access rights. This is the only way to successfully minimize these risks.
To ensure that digitization does not become a stumbling block, companies should urgently recognize the danger of insufficient identity security and not rely on manual, error-prone processes. The study makes it clear that there is still some catching up to do here. It is advisable for companies to rely on a modern and fully automated solution from the field of identity security – because: Although the know-how for the implementation of identity security in the company is lacking in many places, but with the help of service providers specializing in identity security, this can be raised to a new level. With cloud-based identity-as-a-service solutions, companies can place the entire identity security in the hands of experts and are thus immune to the future challenges in terms of IT security.