First Impressions and Cybersecurity

George V. Hulme

October 15, 2019

Some say first impressions aren’t everything, and in many cases first impressions can be wrong. But they certainly are powerful, and bad first impressions can be difficult to overcome. This is true for friendships, dating, potential business partners, and more.

It’s also true for new hires and how they view their new employers. Consider the difference between showing up for your first day and having access to all the resources you need to do your job: desk, phones, applications and services, security card, and so on. You’re happy and ready to work and be productive.

Now imagine you show up for work on your first day, and you don’t have any of that. You don’t have passwords to access the applications and online services. You’re locked out from the corporate intranet and are forced to sit and wait for access. You sit. And you sit and wait for a week. Not a good first impression and likely a good indication you just joined a company with a less-than-stellar IT department. Condolences.

Unfortunately, while the tools exist to get employees everything they need to start their work and be productive from day one, the latter scenario is all too common. A recent survey from IT operations management vendor Ivanti found that an astonishingly low number of businesses fit into the first scenario outlined above. In fact, just over 15% of employees actually get access to the resources they need to do their jobs on their first day on the job. The survey is based on an online poll, conducted this summer, of more than 400 IT professionals.

When it comes to onboarding employees, 38% of IT professionals said it takes between two and four days to get a new employee everything they need to do the job, while 27% said more than a week.

Obviously, this is bad news from a job productivity and job satisfaction perspective; further, 92% of survey respondents said there is a clear correlation between timely onboarding and their overall satisfaction with a company. It’s also bad news for security because, when it comes to effective identity management, this is a big red flag.

According to the survey, as employees change job roles, only 55% of respondents reported being confident that unnecessary access rights are removed after job changes, and these changes are still predominately manual (manual change is another sign of an immature identity-management program). Only 37% of survey respondents said that they are using a mix of manual and automated processes, while only 8% are fully utilizing automation.

Of course, decommissioning employees when they leave their position arguably creates the most risk. In the Ivanti survey, 26% of respondents said it can take their organization more than a week to deprovision an employee. And when considering the most recent employee to have left their organization, nearly half of IT professionals were only “somewhat” confident that the former employee no longer has access to critical data and systems.

When it came to the failure to deprovision staff, the greatest concerns of those surveyed included:

  • The risk of the leakage of sensitive data: 38%
  • The risk of a cybersecurity hack through an unmanaged account: 26%
  • The risk of malicious data detection/theft: 24%

Additionally, 52% of IT professionals know someone who still has access to a former employer’s applications and data.

These survey results are very disconcerting. Perhaps there was a time when such negligence was acceptable. But, for decades, it has been widely known that so-called orphaned, or unmanaged, accounts create significant risk. These accounts lie dormant, just waiting to be compromised and used by an attacker. Organizations know it’s risky letting these unused accounts stay in existence, and they know how to solve this problem. And yet they don’t.



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.
