Mitigating Insider Threats and Zombie Accounts Amid Workforce and Contract Changes

The recent Twitter data leak, which exposed the personal information of 2.8 billion users, serves as a stark reminder of the vulnerabilities organizations face when disgruntled employees or contractors retain access to sensitive systems. This incident, suspected to be an insider job, underscores the critical importance of managing the security and business risks that arise during periods of workforce volatility. The issue is especially pressing today, as companies navigate massive layoffs and contract terminations.

When employees, contractors, or vendors leave an organization, their access to team services and applications must be promptly revoked. Failure to do so can leave “zombie” accounts — dormant accounts that remain active and act as security vulnerabilities. CISOs must always operate with a risk-aware mindset, assuming worst-case scenarios could happen and building policies, technologies, and processes to mitigate those risks.

Insider Threats from Disgruntled Employees

Disgruntled former employees can pose serious insider threats, including cybervandalism or selling their credentials to hackers. These risks extend beyond cybersecurity breaches to compliance liabilities under regulations such as SOX, GDPR, or HIPAA.

A notable example occurred in 2023 when two former Tesla employees leaked the personal data of tens of thousands of current and former employees to a German newspaper. Additionally, there is growing concern about disgruntled workers deploying AI agents or RPA bots within financially significant ERP systems to exfiltrate data or revenue to offshore bank accounts after their access is removed.

The Prevalence and Risks of Zombie Accounts

Dormant “zombie” accounts left enabled after termination are a common attack vector for cyber criminals. Attackers may brute-force passwords in the hope of finding accounts lacking Multi-Factor Authentication (MFA), gaining unauthorized access and then moving laterally within an organization’s systems. When this succeeds, the compromise of a former employee’s account is harder to detect than that of a current employee’s account.

The Verizon Data Breach Investigations Report 2024 highlights that the use of stolen credentials has appeared in almost one-third (31%) of all breaches over the past decade. For instance, last year, a hacker gained access to internal company tools using stolen credentials from a former employee at Tile, a leading Bluetooth location-tracking device vendor, breaching multiple systems and stealing sensitive data – a stark example of the severe consequences of delayed incident response in the case of a stale account compromise.

Identity Hygiene Measures

Proper identification of all human identities with access to an organization’s services and applications is crucial for assessing risk posture. This involves maintaining an inventory of applications, ideally sorted by risk to the organization, to facilitate the termination of access to these assets. These practices align with the NIST Cybersecurity Framework (CSF) 2.0’s “Identify” core function, which emphasizes the importance of understanding and managing cybersecurity risks.

Even with the above controls in place, organizations might still face increased security risks when offboarding a high volume of employees. As employees’ roles change throughout their careers, their access permissions might not be updated properly — especially for those who were granted elevated or emergency access that may not have been documented — increasing the risk of oversight during de-provisioning.

Best practice dictates that application account logins for terminated workforce members should be disabled in coordination with HR notifying the individual, and no later than 24 hours after notice. However, in modern enterprises where dozens—if not hundreds—of applications are in use, each potentially requiring separate credentials or permissions, oversights are not uncommon, exposing the organization to security risks. This risk is particularly high in companies lacking modern identity security and access governance automation.

Without automation, IT teams must manually revoke every access permission tied to each application, a process that can take weeks and increases the chance of human error. With an automated identity governance solution, deprovisioning can be triggered by changes in an employee’s HR status. This ensures immediate and complete revocation of access, minimizing human error and reducing the deprovisioning time from weeks to just a couple of days—or even instantly.
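As an added illustration (not code from the article), the following Python audit joins an HR status feed with a per-application account inventory to flag the conditions described in the zombie-account section and in the deprovisioning best practice above: accounts still enabled more than 24 hours after termination, dormant accounts, orphaned accounts with no HR record, and any of these lacking MFA, ranked by the application's risk tier. The sample data, field names and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

REVOCATION_SLA = timedelta(hours=24)   # disable window from the best practice above
DORMANCY_LIMIT = timedelta(days=90)    # assumed dormancy threshold (not from the article)

# Constructed sample data. In practice these come from the HR system and each app's user export.
HR_ROSTER = {
    "alice": {"status": "active", "terminated_at": None},
    "bob": {"status": "terminated", "terminated_at": "2024-05-01T09:00:00"},
    "carol": {"status": "terminated", "terminated_at": "2024-05-03T17:00:00"},
}
APP_ACCOUNTS = [  # "risk" is the tier from the application inventory sorted by risk
    {"app": "erp", "risk": "high", "user": "bob", "enabled": True, "mfa": False, "last_login": "2024-01-15T08:00:00"},
    {"app": "erp", "risk": "high", "user": "alice", "enabled": True, "mfa": True, "last_login": "2024-05-03T08:00:00"},
    {"app": "wiki", "risk": "low", "user": "carol", "enabled": True, "mfa": False, "last_login": "2024-05-02T10:00:00"},
    {"app": "wiki", "risk": "low", "user": "bob", "enabled": False, "mfa": False, "last_login": "2024-04-30T10:00:00"},
    {"app": "vpn", "risk": "high", "user": "contractor7", "enabled": True, "mfa": False, "last_login": "2023-12-01T10:00:00"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def audit_accounts(hr_roster, app_accounts, now):
    """Return findings as (severity, app, user, reason), highest severity first."""
    findings = []
    for acct in app_accounts:
        if not acct["enabled"]:
            continue  # already revoked: nothing to flag
        reasons = []
        person = hr_roster.get(acct["user"])
        if person is None:
            reasons.append("no HR record (orphaned account)")
        elif person["status"] == "terminated":
            overdue = now - _ts(person["terminated_at"])
            if overdue > REVOCATION_SLA:  # still enabled past the 24-hour window
                reasons.append(f"enabled {overdue.days}d after termination (SLA 24h)")
        if now - _ts(acct["last_login"]) > DORMANCY_LIMIT:
            reasons.append("dormant")
        if reasons and not acct["mfa"]:
            reasons.append("no MFA")  # brute-force exposure is worst on unprotected stale accounts
        if reasons:
            severity = 2 if acct["risk"] == "high" else 1
            findings.append((severity, acct["app"], acct["user"], "; ".join(reasons)))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))

def run_sample_audit():
    """Run the audit against the constructed data at a fixed point in time."""
    return audit_accounts(HR_ROSTER, APP_ACCOUNTS, _ts("2024-05-04T12:00:00"))
```

Carol's account is within the 24-hour window and is not reported; Bob's ERP account and the orphaned VPN account are, with the high-risk tier sorted first.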

Overall, identity hygiene best practices involve several stages on the path to mature identity governance. This starts with clear policies on how users are granted and maintain access to systems, progresses to basic automation for provisioning and access reviews, and culminates in application governance automation. This advanced approach enables automated provisioning by continuously monitoring the risk associated with access—both when it’s initially granted and during periodic reviews—and restricting it further through the use of emergency access management controls. With such an approach in place, offboarding people at scale becomes just another routine task for an organization.
