News

IT Underestimates Risk from 'Zombie Accounts'

A recent survey from Courion Corp. reveals that a vast majority (93 percent) of organizations "are confident that terminated employees pose no security risk to their systems by virtue of legacy access." Unfortunately, the report notes, many of these same organizations have limited or no knowledge of the systems to which their active and terminated employees actually have access.

Such unjustified confidence in system security "leaves companies vulnerable to attacks such as the recent 'zombie account' breach at the California Water Service Company (CWSC), in which an ex-employee returned to his office after-hours and successfully transferred $9 million to offshore bank accounts in Qatar, using his old password to access privileged accounts."

Courion, a provider of solutions to solve an enterprise's identity and access management (password management, provisioning and role management), risk and compliance challenges, said its survey, conducted last month, asked 236 business managers around the world about their practices. Half of the companies had at least 10,000 employees.

According to Courion, "These figures suggest that IT administrators may be overconfident in their ability to prevent data breach threats from zombie accounts, which can cost organizations millions of dollars in damages and tarnish brand reputation. Courion recommends careful inspection of Access Assurance policies to ensure that the right users have the right access to the right resources and are doing the right things."

In the survey, Courion asked respondents if their top security concern came from external or internal threats. Less than half (46 percent) chose "internal," which may explain why over half (53 percent) of IT managers are unaware of their employees' system access rights, which Courion says causes a proliferation of zombie accounts (accounts that remain active after employees leave a company). These administrators also are confident that such zombie accounts can't trigger a malicious attack or perpetrate a data leak. Courion points out that the CWSC incident is just one example of behavior that isn't registering with these security professionals.

Companies aren't necessarily quick to turn off access from employees who leave the enterprise. Although more than a quarter (26.8 percent) notify IT to de-provision a terminated employee from all systems and applications, almost half (48 percent) of organizations take a day or more to do so; 4.5 percent can take more than a week before such notification is made. Once notified, over one-third (34.8 percent) of enterprises revoke access with an hour, but nearly a quarter (22.8 percent) can take more than a day (and for some, more than a month).

Worse, almost one out of every 10 companies (9 percent) report that they "could never be completely certain" that access to IT systems for terminated employees was removed.

The survey also found that nearly one in every three companies responding to the survey (30 percent) manually provisions user accounts. Courion believes this "increases the likelihood of human error or delays when de-provisioning departing employees -- and ultimately the risk of data theft via zombie accounts."

Kurt Johnson, vice president of corporate development at Courion, added, "This data and recent examples such as CWSC are further evidence of the need for diligence in terminating user access as soon as an employee leaves the company -- even a short time gap leaves companies vulnerable to inappropriate access. Organizations can greatly improve their risk posture by implementing automated Access Assurance policies that reduce or remove the risk of human error and ensure users are de-provisioned as soon as an employee departs."

About the Author

Jim Powell is president and CEO of Daisytek International Corporation. He can be contacted at 972-881-4700 or [email protected].

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.