Imagine an ex-employee, who was fired by your company, takes revenge by hacking into your IT system. They’re able to do this because the passwords of the systems they had access to were never changed. Within a few hours they could potentially do significant damage to your organisation’s infrastructure.

Revenge attacks can happen

Hopefully this is not something that will ever happen to your business, but it’s not unheard of. In 2017, an ex-IT employee at the American College of Education changed the password to an online Google account that stored email and course material for the college’s 2,000 students. And, because he was the sole administrator of the account, not the company, Google wouldn’t comply with the request to grant access to the account. 

More recently in the UK, an IT administrator hacked not one, but two previous employers. He was able to do this because the admin passwords weren’t changed after he had left. 

Have protocols in place for when staff leave

To prevent this happening to you, it’s important to have protocols in place for when employees, particularly IT staff, leave. This includes:

  • Carrying out a thorough review of the access permissions granted to that person
  • Terminating access and resetting passwords
  • Transferring passwords owned by that person to someone else
  • Assessing potential password sharing. Staff sometimes share their access details with each other for ease. Make sure anyone who might have done this changes their passwords.
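As an added example (not from the original article), the checklist above turned into a small Python offboarding review: given a leaver, an inventory of services and accounts, and a record of who shared credentials with whom, it lists what to disable, rotate, transfer and chase up. The service names, accounts and sharing map are constructed sample data, and the `company_owned` flag is an assumed attribute.

```python
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    admins: set            # identities that hold admin credentials
    company_owned: bool    # admin identity registered to the company, not a person


@dataclass
class Account:
    user: str
    enabled: bool


# Constructed sample of informal credential sharing: owner -> colleagues given the secret.
SHARING = {"alice": {"bob"}, "carol": {"alice", "dave"}}


def offboarding_review(leaver, services, accounts, sharing=SHARING):
    """Apply the leaver checklist and return the required actions by category."""
    review = {"disable": [], "rotate": [], "transfer": [],
              "colleague_reset": [], "delete_stale": []}
    for acct in accounts:
        if acct.user == leaver and acct.enabled:
            review["disable"].append(acct.user)       # terminate access
        elif acct.user != leaver and not acct.enabled:
            review["delete_stale"].append(acct.user)  # disabled accounts still lingering
    for svc in services:
        if leaver in svc.admins:
            review["rotate"].append(svc.name)         # leaver knew this admin password
            # Sole admin, or admin identity in a person's name: ownership must move to the company.
            if svc.admins == {leaver} or not svc.company_owned:
                review["transfer"].append(svc.name)
    # Colleagues who handed their own credentials to the leaver must change them.
    for owner, recipients in sharing.items():
        if leaver in recipients:
            review["colleague_reset"].append(owner)
    return review


SERVICES = [  # constructed inventory
    Service("google-workspace", {"alice"}, company_owned=False),
    Service("vpn", {"alice", "bob"}, company_owned=True),
    Service("crm", {"bob"}, company_owned=True),
]
ACCOUNTS = [Account("alice", True), Account("bob", True), Account("old-contractor", False)]

if __name__ == "__main__":
    for action, items in offboarding_review("alice", SERVICES, ACCOUNTS).items():
        print(f"{action}: {items}")
```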

Ensure you maintain good security protocols

Even if an employee isn’t leaving, there are a number of things you should do to enhance security:

  • Make sure the admin of all key services is under the name of the company, NOT an individual
  • Have centralised ownership and protection over all passwords
  • Delete any disabled accounts
  • Set up business password managers for all employees to use
  • Only share the passwords an employee needs to do their job. Nothing more.
  • Regularly change your admin passwords. You make employees do it for their own accounts, so IT staff should too.