By Aaron Reiter • August 27, 2018

The Threat from Within

 
The talk of the news recently (well, what feels like an eternity ago, considering the 2-hour news cycles we now suffer through before something even more shocking comes along) has been the president revoking the security clearances of people who used to work in the federal government. Right or wrong, whether you agree or disagree, the topic does raise some interesting parallels in the corporate world, and that applies to collection agencies as well.
 
There was a recent case where an individual fired from a medical facility in Tennessee had previously shared access to the institution’s files with his home email address. Once he was terminated, the shared access was not removed because the company did not know access had been shared. Only after the facility noticed that 300 files had been moved or tampered with did they think to look. 
 
The facility had taken several steps after the employee had been fired to ensure the employee would not have access to any files. The employee’s email address was changed and the individual's account access to sensitive data was removed. However, no one thought to check alternative means associated with the former employee because they didn’t know such a path existed. 
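
The gap in this case was a share the employee had created for an outside address, which only shows up when sharing grants are audited alongside the account itself. The following is an added example, not from the original article; the export format, domain, paths and addresses are constructed assumptions.

```python
CORP_DOMAIN = "example-clinic.test"  # constructed corporate mail domain

# Constructed export of sharing grants: one row per permission on a resource.
GRANTS = [
    {"resource": "/records/intake", "grantee": "jdoe@example-clinic.test",
     "granted_by": "it-admin@example-clinic.test"},
    {"resource": "/records/billing", "grantee": "jdoe.home@mailbox.test",
     "granted_by": "jdoe@example-clinic.test"},
    {"resource": "/records/billing", "grantee": "asmith@example-clinic.test",
     "granted_by": "it-admin@example-clinic.test"},
    {"resource": "/shared/templates", "grantee": "asmith@example-clinic.test",
     "granted_by": "JDoe@example-clinic.test"},
    {"resource": "/records/labs", "grantee": "results@lab-partner.test",
     "granted_by": "it-admin@example-clinic.test"},
]


def offboarding_findings(grants, departed, corp_domain=CORP_DOMAIN):
    """Return (resource, grantee, reason) for grants tied to a departed user.

    Covers access that survives disabling the user's own account: shares the
    user created for other addresses, especially ones outside the company.
    """
    departed = departed.strip().lower()
    suffix = "@" + corp_domain.lower()
    findings = []
    for grant in grants:
        grantee = grant["grantee"].strip().lower()
        granted_by = grant["granted_by"].strip().lower()
        if grantee == departed:
            reason = "direct grant to departed account"
        elif granted_by == departed and not grantee.endswith(suffix):
            reason = "shared by departed user to external address"
        elif granted_by == departed:
            reason = "shared by departed user internally, confirm owner"
        else:
            continue  # grant is unrelated to the departed user
        findings.append((grant["resource"], grant["grantee"], reason))
    return findings


if __name__ == "__main__":
    for finding in offboarding_findings(GRANTS, "jdoe@example-clinic.test"):
        print(finding)
```

Run against a real permissions export at termination time, the external-address findings are the ones to revoke first.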
 
Former employees can be a significant security risk for companies. If email credentials are not changed or suspended, former employees can still send and receive email from their corporate account. If key codes are not changed or keys are not taken back, former employees may still be able to access the office. If access to servers or files is not terminated, those individuals may still be able to log in and access them remotely. Voicemails need to be reset, computer login information needs to be changed, multi-factor authentication profiles need to be suspended, and so on, all to keep former employees from being able to access sensitive company information systems.
 
There should be a checklist that companies go through to wall themselves off from former employees, whether they leave willingly or otherwise. Without that process, any company is vulnerable to having their data stolen or accessed and potentially manipulated or shared. 
 
A study from a few years ago revealed that 13% of IT professionals still had access to their former employers’ information systems using old credentials. Another study revealed that one-third of former employees still have access to their previous employer’s confidential data. 
 
Companies, including collection agencies which have tons of personally identifiable and confidential information stored within their systems, need to be hyper-vigilant that former employees do not have access once they leave the office for the last time.
 
You would never issue physical keys to every employee then never ask for them back or change the locks when they leave, but that's exactly what you're doing if you don't address access credentials when an employee resigns or is terminated. It may not be holes in the walls or stolen office supplies at risk, but in many ways it can be much worse and result in far more damage to your operations, reputation and/or bottom line.