The challenge of protecting your company from “cyber exits”

More than 30% of employees still have access to a previous employer's digital assets. Only 59% have notified the company and many have used that access to cause intentional harm.


Almost every industry has gone through rapid digitalisation over the past decade, and consequently the content of their software applications has become central to value creation. This means that the IT administrator in charge of defining digital access rights has turned into a guardian in control of who is allowed to have keys to the company’s innermost assets. Ensuring that only those who have a legitimate reason have access to digital assets might sound like an easy task, but as every IT administrator knows, it is a responsibility that requires him/her to keep up with a moving target.

Most IT-intensive companies have good processes in place for setting up digital accounts for new hires. The challenge is that organisations are in constant change: people change responsibilities and move from one department to another, departments and companies merge, and sometimes people leave for pastures new. Informing the IT administrator of these changes, so that he/she can keep the keys to the company’s inner gates in the right hands, is often forgotten. In our experience, 20% of the digital accounts in an average organisation belong to people who no longer have a legitimate reason for keeping them open. A study published by My Tech Decisions in 2022 revealed that 31% of a sample of 1 121 employees across the US, the UK and Ireland still had access to a previous employer’s software: “More Than A Third Of Former Employees Still Have Access To Company Data”, My TechDecisions.

Failure to maintain digital access rights is not only an administrative problem; it also exposes the company to unintended business risk. What if a disgruntled employee whose access to your developer team’s product roadmap in Jira is left open moves on to work for your main competitor? According to the same study from My Tech Decisions, 70% of employees who had been fired had used “forgotten” accesses to intentionally harm their previous employer. Only 59% of respondents who discovered that digital accesses had not been deactivated when they left notified the company.

At Kantega SSO, our experience is that the digitalisation of many industries has turned Jira into more mission-critical software than it used to be. As an example, I previously worked for a Nordic payments provider where Jira was both the source of the entire product roadmap and a key tool for managing the P&L, since software development hours were 70% of the cost base and all estimation and time tracking was done in Jira. Because this company is very conscious of cyber security, it has processes in place that made sure that all my digital accesses were closed at midnight on the last day of my employment. Unfortunately, we have met many companies that use Jira in similar, business-critical ways but that do not have as efficient processes in place to ensure instant deactivation upon departure. These companies risk that sensitive information about product development, market plans and financials is leaked to competitors without ever being noticed.

To minimise exposure to this type of “cyber exit”, we at Kantega SSO recommend that our customers put processes and tools in place that give the IT administrator an intuitive overview of activity levels across the user base and that allow him/her to configure automatic offboarding rules that close or deactivate users according to the logic that makes sense in their business context. Because external users who are given temporary access to company assets, for example customers who help the company beta test new software, have a more loosely knit bond to the company than its employees, we recommend implementing stricter deactivation/offboarding policies for external than for internal users.
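One way to express such offboarding rules, as an added example that is not Kantega SSO's code or part of the original post. The day limits, the field names and the `exempt` flag for hand-reviewed accounts are assumptions; the post only states that external users should get the stricter policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed inactivity limits in days: external users get the stricter one.
MAX_IDLE_DAYS = {"internal": 90, "external": 30}
# Accounts that never logged in are measured from their creation date.
NEVER_USED_GRACE_DAYS = 14

@dataclass
class Account:
    username: str
    kind: str                   # "internal" or "external"
    created: date
    last_login: Optional[date]  # None means the account was never used
    active: bool = True
    exempt: bool = False        # hypothetical flag, e.g. integration accounts

def offboarding_decision(acct: Account, today: date) -> str:
    """Return 'keep', 'deactivate' or 'review' for one account."""
    if not acct.active:
        return "keep"           # already deactivated, nothing to do
    if acct.kind not in MAX_IDLE_DAYS:
        return "review"         # unclassified account: do not guess a policy
    if acct.last_login is None:
        idle, limit = (today - acct.created).days, NEVER_USED_GRACE_DAYS
    else:
        idle, limit = (today - acct.last_login).days, MAX_IDLE_DAYS[acct.kind]
    if idle <= limit:
        return "keep"
    # Exempt accounts are never closed automatically, only surfaced.
    return "review" if acct.exempt else "deactivate"

def plan(accounts, today):
    """Map each username to its decision."""
    return {a.username: offboarding_decision(a, today) for a in accounts}

# Constructed sample user base (not real data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", "internal", date(2022, 1, 10), date(2024, 5, 20)),
    Account("bob", "internal", date(2021, 3, 1), date(2024, 1, 15)),
    Account("dave", "internal", date(2023, 2, 1), date(2024, 4, 20)),
    Account("carol-beta", "external", date(2024, 2, 1), date(2024, 4, 20)),
    Account("erin-beta", "external", date(2024, 5, 1), None),
    Account("svc-ci", "internal", date(2020, 1, 1), date(2023, 12, 1), exempt=True),
]

if __name__ == "__main__":
    for user, decision in plan(SAMPLE, TODAY).items():
        print(f"{user:12} {decision}")
```

In the sample, `dave` and `carol-beta` last logged in on the same day, yet only the external account is closed.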

Our Single Sign On plugins for Atlassian Data Center have built-in functionality for cleaning up inactive users. We have recently refined this functionality and launched it in four separate apps that are available for both Data Center and Cloud, with the objective of making it easier for IT administrators to monitor activity levels for all Jira accounts and to protect your company from unfortunate “cyber exits”.

Our Automated User Cleanup & Deactivation apps are available on: Automated User Cleanup & Deactivation for Jira | Atlassian Marketplace

If you want to discuss your needs with one of our experts, feel free to book a meeting with us on: Select a meeting · Book a support or demo meeting with Kantega SSO (youcanbook.me)