Passwords have become real problems for system users and security experts. Recent studies demonstrate that the majority of system intrusions are due to password compromises as most users apply poor password management practices.

Many of us have a multitude of accounts that we access with a single password because we are tired of forgetting or resetting passwords. To make things even worse, we sometimes let the system save the passwords for us, which adds to our security problems because anyone with access to the computer can access our accounts, and that includes our cleaning crew and other visitors. Plus, many of us choose either simple passwords or write the passwords down to remember them later. When we use the same password to access multiple accounts, we expand our risk because if that password is stolen, hackers can access more of our accounts with just one password.

As you see, passwords can cause problems if they are not handled properly and we need to consider other solutions. In fact, Verizon’s security report stated that the number of data breaches involving stolen or weak passwords has gone from 50% to 81% during the past three years. This alarming trend clearly illustrates that today’s security isn’t working.

Before we move forward, let’s recap the three common factors used for authentication:

  • Something we know (such as a password)
  • Something we have (such as a smart card)
  • Something we are (such as a fingerprint or other biometric method)

Authentication is further described in the CIAM and CAMS certification programs.

Biometric Authentication Solutions

To solve the password security problem, the industry is introducing new solutions such as biometric authentication and multi-factor authentication. With multi-factor or dual-factor authentication, the problem remains the same if one of the factors happens to be, you guessed it right, a password. It is often said that the weakest link in an organization’s security is its people. Here, we emphasize that the weakest link in the multi-factor authentication process is the password if it happens to be one of the authentication factors.

Biometric Authentication Benefits

The use of biometrics for authentication allows the system to identify people and admit them through their physical features. Typically, a biometric system scans and records your distinct features and saves them in a database, then uses the data to identify you later. Today there are various biometric identification methods, including voice, iris and retina, facial, gait, fingerprints, and vein detection. The advantages of using biometric authentication include:

  • No need to remember passwords to gain access
  • The authentication mechanism is strong since it is hard to replicate biological features
  • It is non-transferable to other persons

Biometric Authentication Statistics

According to a report published by Spiceworks, nearly 90 percent of businesses will soon use some type of biometric technology for authentication. In fact, some 62 percent of companies already use biometrics in some form, with another 24 percent stating their intention to do so within the next few years.

Here is the breakdown:

  • 57 percent of companies using biometric authentication use fingerprint scanners
  • 14 percent use facial recognition
  • Five percent make use of hand geometry recognition
  • Three percent use iris scanners
  • Two percent use voice recognition
  • Two percent use palm-vein recognition

Biometric Authentication Challenges

While biometric solutions have many advantages, they also present two major biometric authentication challenges that must be considered:

Privacy and Data Breach

Biological characteristics are unique and nearly impossible to replicate, making biometrics a secure access solution. Passwords on the other hand can be shared and easily stolen by hackers because “people” manage their passwords. 

Biometrics poses a privacy challenge, since the key features used for recognition are exposed to the world. For example, others can record your voice, use your image without consent for facial recognition, or copy your fingerprints from the surface of an object you have held.

If identity management systems get compromised, hackers can leak or steal your biometric data. Since your biometric information is irreplaceable, malicious people can perpetrate criminal activities for as long as they possess your data.

Errors

Biometric equipment is subject to two common error types, the False Acceptance Rate (FAR) and the False Rejection Rate (FRR). FAR is the likelihood that the system will accept an unauthorized person, while FRR is the rate at which the system rejects attempts by an authorized user.

Biometric technology works on the theory that authorized users produce a higher match score than impostors, who are denied access accordingly. The two rates pull in opposite directions: as the acceptance threshold is raised, the FAR declines and the FRR rises, and vice versa. Should an impostor’s score exceed the acceptance threshold, access is granted. The reverse is also true: if an authorized user scores below the threshold, no permission is granted.

Errors can arise from aging, climate changes, or physical conditions. These errors can bring challenges to the entire system and lead to devastating consequences.
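To make the FAR/FRR trade-off concrete, here is an added example (not from the article) that computes both rates from two constructed sets of match scores, genuine and impostor, at every integer threshold and finds the threshold where the two rates meet (the equal error rate point). The scores and the 0-100 scale are assumptions, not data from any real matcher.

```python
"""FAR/FRR trade-off for a threshold-based biometric matcher.

Added example, not from the original article. The match scores are
constructed for illustration; a real system would use scores from its
own matcher, on whatever scale it produces.
"""
from typing import Iterable, List, Tuple

# Constructed similarity scores on a 0-100 scale (higher = closer match).
GENUINE_SCORES = [88, 91, 76, 95, 83, 69, 90, 86, 79, 93, 72, 84, 97, 81, 89, 66]
IMPOSTOR_SCORES = [22, 35, 41, 58, 29, 63, 47, 33, 52, 38, 26, 71, 44, 30, 55, 49]


def far(impostor_scores: Iterable[int], threshold: int) -> float:
    """False Acceptance Rate: fraction of impostor attempts at or above the threshold."""
    scores = list(impostor_scores)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def frr(genuine_scores: Iterable[int], threshold: int) -> float:
    """False Rejection Rate: fraction of genuine attempts below the threshold."""
    scores = list(genuine_scores)
    return sum(1 for s in scores if s < threshold) / len(scores)


def sweep(genuine, impostor, thresholds) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each threshold; FAR falls and FRR rises as it grows."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def equal_error_threshold(genuine, impostor, thresholds) -> int:
    """First threshold where FAR and FRR are closest (the EER operating point)."""
    return min(thresholds, key=lambda t: abs(far(impostor, t) - frr(genuine, t)))


def tradeoff_is_monotone(points: List[Tuple[int, float, float]]) -> bool:
    """Check the article's claim: raising the threshold never raises FAR or lowers FRR."""
    return all(b[1] <= a[1] and b[2] >= a[2] for a, b in zip(points, points[1:]))


if __name__ == "__main__":
    thresholds = range(0, 101)
    pts = sweep(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds)
    for t, a, r in pts[::10]:
        print(f"threshold={t:3d}  FAR={a:.3f}  FRR={r:.3f}")
    print("EER threshold:", equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds))
```

Which side of the equal error point to operate on is a policy choice: a door to a server room would sit above it (low FAR, more re-tries for legitimate staff), a phone unlock below it.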

Thought Leadership

The good news with biometric authentication is that system users don’t have to remember or write down any password or secret information. In fact, users can access any system seamlessly by presenting the required biometrics which are unique and measurable physical characteristics such as face, hand, or fingerprint. 

According to Henry Bagdasarian, “the portability of biometric authentication may present more problems than passwords because if our physical characteristic data is stolen to recreate the authentication object, whether it’s our face or hand, then all of our accounts with biometric access control are at risk”. You might argue that a single password which we use to access multiple accounts can also be stolen to access our accounts; however, while a stolen password can be reset, a physical feature cannot, unless the security industry can guarantee that our biometric data can never be stolen to recreate the authentication object. “From a security limitation standpoint, someone can always threaten us to access our account with our fingerprint, but the same weapon can also be used to force us to enter a password or PIN, which is something the industry cannot do anything about unless advanced authentication systems can sense human fear”. While the portability of biometric authentication is natural and accepted, the portability of a password used to access multiple accounts is not. This is because we now know that passwords cause most security problems, while biometric authentication is new and untested.

Authentication Models

Other authentication models that the security industry is contemplating and using include knowledge-based and adaptive authentication. There is no doubt that the death of the password as a single authentication factor is near, but we hope that adaptive and other authentication methods do not include passwords, and that new solutions such as biometric authentication improve the security landscape rather than make it worse.

Conclusion

We cannot separate a person from their biometrics. Thus, biometric solution providers need to invest heavily in systems security to curb the challenge of privacy and data breach. Adoption of new security measures and technologies can help the industry stay ahead of fraud advancements.

Error rates in biometric systems exist and must be addressed. It is possible to reduce these errors through proper examination and evaluation of data quality, which in turn reduces biometric authentication challenges.

In the wake of increased cybercrimes, companies need to safeguard their systems and data at all costs. We cannot downplay the value of biometrics in protecting our data. However, due to the challenges facing the technology, using a multifactor authentication technique will help strengthen the security of your systems.


Access management and authentication methods may be evolving, but passwords don’t seem to be going away any time soon, and the following 7 password attack methods continue to be used. An estimated 300 billion passwords were expected to be in use by 2020, making proper password management a must for businesses of all sizes.

Robust password management strategies aid in safeguarding user accounts against common password attacks. Hackers use a variety of methods to obtain password information, and businesses without proper security in place are at risk for devastating and expensive breaches.

7 Password Attack Methods Hackers Use

A password attack is any means by which a hacker attempts to obtain a user’s login information. The approach doesn’t have to be sophisticated. In many cases, passwords can simply be guessed after trying a few common phrases, such as “password”, “123456” and “qwerty”, which rank high on the list of passwords of choice among users. The rest of the time, hackers may rely on one of the following common password attack methods.

Brute Force
In a brute force attack, hackers literally attempt to “beat down the doors” of user accounts by employing a computer program to quickly run through as many number and letter combinations as possible. Some attacks begin by trying common passwords and move on to more complicated phrases; others methodically try every conceivable password combination until the correct one is found.

Dictionary Attack
Using a base “dictionary” of likely passwords, hackers attempt to log into one or more user accounts on a network. The only reason this kind of attack works is because users continue to rely on easy-to-guess words for their login credentials, making the job of password cracking simple for malicious third parties. If hackers gain access to one account, they may be able to glean information allowing them to access other user accounts.

Credential Stuffing
Credential stuffing attacks prove the dangers of re-using the same credentials for numerous accounts. Even after passwords and other details are reset following a breach, hackers may attempt to use previously stolen credentials to obtain access to users’ accounts on other platforms. Hackers also sell lists of stolen passwords to each other, which can result in widespread malicious activity and increase breach risk across networks.

Social Engineering
Phishing remains the number one social engineering method used by hackers. Employees receive apparently legitimate messages from someone else in the company, often with a link to click, a file to download or a request for login information. Responding to these emails results in either malware being installed on the network or credentials being stolen. Hackers may also try offline techniques, such as making phone calls and posing as someone from the IT department asking for password information to help fix a technical problem.

Traffic Interception
Data traveling across networks is vulnerable to the packet sniffers hackers use to monitor and log traffic. Any password data the sniffers obtain could potentially allow for unauthorized network access. In some cases, hackers can use additional tools to decipher encrypted passwords, thus undermining the usefulness of encryption as a security tool.

Password Spraying
Instead of trying multiple passwords to access a single account, password spraying attacks involve using common passwords to attempt logins across numerous accounts. It’s a slow, steady attack method, which allows hackers to work around the account lockouts normally triggered after repeated failed logins. Password spraying is becoming more common and is often used to target single sign-on (SSO) accounts, cloud-based applications and email accounts. By targeting these specific areas, hackers can obtain more widespread access to networks and compromise or steal a greater amount of data.
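Brute force and password spraying look alike at the account level but very different at the source level, which is how a defender tells them apart in authentication logs. The script below is an added example, not from the article; its log format (`<time> FAIL|OK user=<name> src=<ip>`), sample lines and thresholds are all constructed for illustration.

```python
"""Telling password spraying from brute force in authentication logs.

Added example, not from the original article. The log lines and the
line format are constructed; adapt parse() to a real product's format.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed line layout: "<time> FAIL|OK user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<time>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one source hammering a single account, one source
# trying many accounts once each (then succeeding), one user mistyping once.
SAMPLE_LOG = """\
10:00:01 FAIL user=alice src=203.0.113.7
10:00:02 FAIL user=alice src=203.0.113.7
10:00:03 FAIL user=alice src=203.0.113.7
10:00:04 FAIL user=alice src=203.0.113.7
10:00:05 FAIL user=alice src=203.0.113.7
10:00:06 FAIL user=alice src=203.0.113.7
10:01:10 FAIL user=alice src=198.51.100.23
10:01:11 FAIL user=bob src=198.51.100.23
10:01:12 FAIL user=carol src=198.51.100.23
10:01:13 FAIL user=dave src=198.51.100.23
10:01:14 FAIL user=erin src=198.51.100.23
10:01:15 OK user=frank src=198.51.100.23
10:02:00 FAIL user=bob src=192.0.2.5
10:02:09 OK user=bob src=192.0.2.5
"""

BRUTE_FORCE_MIN_FAILS = 5   # failures against one account from one source
SPRAY_MIN_ACCOUNTS = 5      # distinct accounts tried from one source
SPRAY_MAX_PER_ACCOUNT = 2   # low enough to stay under a typical lockout threshold


def parse(log: str) -> List[Tuple[str, str, str]]:
    """Return (result, user, src) per line; lines not in the assumed format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["result"], m["user"], m["src"]))
    return events


def classify_sources(events: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Label each source IP that produced failures by the shape of its failures."""
    fails: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    successes: Dict[str, Set[str]] = defaultdict(set)
    for result, user, src in events:
        if result == "FAIL":
            fails[src][user] += 1
        else:
            successes[src].add(user)

    labels: Dict[str, str] = {}
    for src, per_user in fails.items():
        accounts = len(per_user)           # how many accounts this source touched
        peak = max(per_user.values())      # worst-hit single account
        if accounts >= SPRAY_MIN_ACCOUNTS and peak <= SPRAY_MAX_PER_ACCOUNT:
            label = "password-spraying"    # wide and shallow: evades per-account lockout
        elif peak >= BRUTE_FORCE_MIN_FAILS:
            label = "brute-force"          # narrow and deep: lockout would normally trigger
        else:
            label = "benign"
        # A success from a source already flagged is the highest-priority signal.
        if label != "benign" and successes.get(src):
            label += " (followed by successful login)"
        labels[src] = label
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{src:16s} {label}")
```

Per-account lockout alone never sees the spraying source, because no single account exceeds two failures; the per-source view is what surfaces it.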

Rainbow Table
Hashing passwords is generally recognized as a reliable security practice, but rainbow table attacks threaten its effectiveness. Using compilations of hash values for known algorithms, hackers are able to systematically work through all possible hashes until the correct one is found. This requires a significant amount of computing power and isn’t guaranteed to succeed in cracking hashed passwords, but its existence should alert businesses to the danger of relying on any single technique for maintaining password security.
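As an added illustration (not from the article), the script below builds a tiny precomputed digest lookup for the three weak passwords the article names and shows that it matches an unsalted store directly but not one that hashes a random per-user salt together with the password. SHA-256 is used only to keep the example short; the function names are my own.

```python
"""Why precomputed hash tables match unsalted stores but not salted ones.

Added example, not code from the original article. The lookup table is a
constructed dictionary of SHA-256 digests for three weak passwords; a real
rainbow table is a compressed chain structure, but the precompute-once,
look-up-many idea is the same. Function names are my own.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

COMMON_PASSWORDS = ["password", "123456", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> password once; reusable against any unsalted store."""
    return {sha256_hex(p.encode()): p for p in candidates}


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Return the password whose digest equals stored_hash, or None."""
    return table.get(stored_hash)


def store_unsalted(password: str) -> str:
    """Unsalted storage: equal passwords give equal digests, so the table applies."""
    return sha256_hex(password.encode())


def store_salted(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Salted storage: a random per-user salt is hashed with the password,
    so the digest differs per user and cannot be computed ahead of time."""
    salt = salt if salt is not None else os.urandom(16)
    return {"salt": salt.hex(), "hash": sha256_hex(salt + password.encode())}


def verify_salted(record: Dict[str, str], password: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    expected = sha256_hex(bytes.fromhex(record["salt"]) + password.encode())
    return hmac.compare_digest(record["hash"], expected)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted:", lookup(table, store_unsalted("qwerty")))  # qwerty
    record = store_salted("qwerty")
    print("salted:  ", lookup(table, record["hash"]))           # None
    print("verify:  ", verify_salted(record, "qwerty"))         # True
```

Salting only removes the precomputation advantage; production password storage should also use a deliberately slow, memory-hard function such as bcrypt, scrypt or Argon2 so that each individual guess is expensive as well.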

Password Management Best Practices

Because businesses can’t predict which attacks hackers may use to obtain credentials, practicing smart password management across the board is the strongest defense against unauthorized network access. Best practices for protecting passwords include:

• Demonstrating and enforcing strong password creation
• Implementing the use of password managers
• Establishing a VPN for remote network access
• Using privileged access management (PAM) software to automate password security
• Educating employees on the characteristics of social engineering schemes
• Switching to an SSO option with multi-factor authentication (MFA)
• Authenticating logins through an app installed on users’ devices

Conclusion

These best practices provide protection against the 7 password attack methods listed in this article and equip users to identify potentially malicious attacks and actions. Continual monitoring of network activity and attack trends can reveal emerging threats, guiding businesses toward better access management tools as new technology becomes available.

The risks of password and account sharing cannot be overstated when considering the various technology platforms used by businesses, the increasing number of dispersed users, and the data breach cases attributed to poor identity and access management. Most companies have complex digital infrastructures that include desktops, mobile devices, and too many SaaS platforms to count. And they all have one thing in common: they rely on passwords to keep unauthorized users out and company data secure.


Using stolen and compromised passwords is the number one method hackers use to find their way into protected systems. In 2020, stolen passwords played a role in 81% of data breaches. And to date, over 11 billion accounts have had their passwords compromised in some way – and those are just the ones security researchers know about.

All of this means that finding ways to keep passwords secure should be a top priority for individuals and businesses, alike. But that doesn’t stop users from taking unnecessary risks with their passwords and accounts. And one of the most common risks they take is sharing their accounts and passwords with others. Sometimes it’s for convenience and other times to save money. But it’s always dangerous.

Let’s discuss the risks of password and account sharing, and some account management best practices to follow in situations where it can’t be avoided.

The Risks of Password and Account Sharing

Potential for Account Loss

Any time the password for an account is shared among two or more people, there’s a chance that one of those people will act to take control of that account and lock everyone else out. This occasionally happens when a disgruntled employee leaves a job, or even if they inadvertently allow the password to fall into the wrong hands.

And when the password in question is one that’s being used on multiple platforms at once, the danger increases exponentially. Imagine, for a moment, that a bad actor chooses to use a known password to gain control of a related email account. Using that email address, they could then reset the passwords of any account connected to it. Before you know it, they’ve hijacked an entire online identity.

Increased Vulnerability to Hackers

Passwords are an effective security measure as long as you manage to keep them secret. Hackers who do not know a password have to consider other options, such as carrying out slow and inefficient dictionary attacks, to try to gain access to protected systems. But when you share passwords among multiple people, you are also creating more vulnerabilities for hackers to exploit.

This is because phishing and other social engineering approaches are the preferred methods hackers use to trick users into revealing their passwords. Therefore, the more people who know a password, the more targets hackers have for those attempts. If anyone slips up, everyone suffers.

Reputational Damage

The whole rationale behind passwords is that they provide a way to keep unauthorized users away from sensitive data and systems. And when hackers gain access to such data and systems, they can do all kinds of harm to the business or to individual accounts. All they have to do is impersonate a legitimate user, and the trouble begins.

One such case is the mass takeover of well-known users’ Twitter accounts back in 2020. The attackers managed to swindle users out of over $100,000 of Bitcoin by tweeting a scam through the compromised accounts. In that case, the attack was noteworthy enough that its targets didn’t take a reputational hit from it. But if the same were to happen to a single individual or small business, they might not be so fortunate.

Managing Password and Account Sharing Risks

Even though the above account sharing risks demonstrate why it’s best to avoid the practice, there are some situations where that’s impractical and sometimes impossible. And when that happens, the best you can do is take some extra steps to maintain your account security. The best ways to do that are:

  • Use an encrypted password manager – One of the best ways to secure a shared account is to insist that all users store the password in an encrypted password manager. Then it’s possible to make the password extra complex because the individual users don’t necessarily need to recall it from memory. That helps the password resist dictionary attacks and makes it harder for the involved users to divulge the password in a phishing or social engineering attack. LastPass is an example of a password manager.
  • Use two-factor authentication – When dealing with a shared account, it’s always advisable to enable two-factor authentication (2FA) when it’s available. This reduces the reliance on the password as the only line of defense against intruders. Common shared 2FA options include security questions or single-use codes (sent to a shared email account or a distribution list).
  • Use hardware security keys – Another great option for securing shared accounts is to use hardware security keys instead of simple passwords wherever possible. These simple-to-use and inexpensive devices can protect accounts against almost every conceivable threat – and make worries about passwords a thing of the past.

The Bottom Line

At the end of the day, the best way to manage the risks associated with shared passwords is to avoid sharing them in the first place. But when that’s impossible, there are some simple and effective methods to keep shared accounts secure. By using one (or more) of them, you can greatly reduce the odds of falling victim to a data breach or other password-driven cyberattack.


A Distributed Information Security Management Model or DISMM is a proposed approach by Identity Management Institute to expand upon Information Security Management System (ISMS).

“Most experts agree that information security is the responsibility of all employees, yet, many organizations follow the traditional security management approach by centralizing most or all security tasks under a single group or person”, according to Henry Bagdasarian.

In a world of distributed systems, dispersed endpoints and workforce, changing technology, and various user needs, the Information Security Management System (ISMS) must be distributed to be effective and efficient.

To their credit, most companies force periodic security awareness training upon their employees to teach them about security threats, their security responsibilities, and the consequences of security incidents, to ensure a collective understanding and risk mitigation effort. This is very important because employees who are unaware of the security risks and unintended consequences may place their companies at risk by letting strangers piggyback into the building or office, sending unprotected PII files through unprotected channels, clicking on dangerous links in emails and websites, and providing passwords or other information to imposters, just to name a few examples. It is often reported that most data breaches are executed with stolen user credentials and that privileged accounts offer the best bang for the buck, which confirms the importance of employee training and testing on a continuous basis.

However, staff training does not address the risk of unethical employees with highly privileged accounts who can cause real damage just before their last day of employment or even afterwards if the off-boarding process is weak leaving some departed employees with remote access to critical systems. Employee training also does not formally assign security ownership in all key areas. One way to address security accountability across the enterprise is by implementing a Distributed Information Security Management Model or DISMM.

Distributed Information Security Management Model (DISMM)

DISMM is designed to distribute information security risk management across the organization and assign specific security tasks and ownership to an Area Security Owner (ASO) across all appropriate business units and departments. In a sense, key individuals across the organization participate in security management and become quasi-security resources.

The benefits of DISMM for security improvement cannot be overstated. They include:

  • Effective security management process
  • Reduced cost of security management
  • Subject Matter Expert (SME) contribution
  • Formal accountability across the Enterprise
  • Improved collaboration across various business teams
  • Make security an enterprise priority (vs. being just an IT task)

Security Council (SC)

From a governance standpoint, DISMM proposes the establishment of a Security Council (SC) comprised of key executives and persons from across all major entities within the organization to ensure input and collective accountability from all key areas of the organization.

Having the information security group report up to a single person or group such as IT can potentially create a conflict of interest unless the CISO has an open reporting line to the Board, a committee of the Board, or the CEO. Many companies believe that since most data are digital and the IT group is responsible for managing all systems that host that data, it makes sense to have the IT team also secure the data, which is true from an operations standpoint. However, IT may not want to be seen as deficient in the security controls of systems which it is responsible for managing, or may not consider security to be a priority and critical part of its operation. This is why CEOs and CIOs are also on the hook, as is the CISO, when there is a data breach: they failed to address the governance aspect of information security and consolidated data security management under a single operations manager who can hide or ignore security management needs and weaknesses.

The main duties of the SC include:

  • Approve the Information Security (IS) mission, program, and plans
  • Understand the security posture of the organization
  • Support the CISO to improve security by allocating the necessary funds and resources
  • Empower the CISO within the organization as the authority for managing security
  • Reach out to key executives to mitigate high risk security gaps

Chief Information Security Officer (CISO)

DISMM requires the designation of an independent person as Chief Information Security Officer (CISO). The CISO may report to a single person for administrative purposes, however, to avoid even the slightest appearance of a conflict of interest, the CISO must be independent from the business or IT operations and report to the Security Council for all security matters.

Main role and duties of the CISO include:

  • Publish the information security mission, goals, and objectives
  • Establish IS program, plans, policies and standards
  • Report periodically to the SC including plans, gaps, and remediation status
  • Advise and guide Area Security Owners and CISO team members
  • Be the main point of contact for all security matters including contract reviews
  • Stay on top of latest security threats and vulnerabilities
  • Notify ASOs and security staff about the latest threats and vulnerabilities to be remediated

The CISO team can be comprised of a limited number of staff, depending on the size of the organization, who handle the following tasks:

  • Review documentation and information provided by ASOs
  • Audit key security areas based on risks
  • Contribute to RFP response submissions
  • Respond to client/third party RFIs and audits
  • Perform vendor security audits before onboarding and periodically thereafter
  • Oversee incident management
  • Execute annual access certification across key systems

Area Security Owners (ASO)

An ASO is an employee within a business unit who takes ownership for the security requirements of a particular area. The main duties of an Area Security Owner include:

  • Commit to the information security mission of the organization
  • Understand and perform key tasks assigned by the CISO team
  • Create plans and procedures for ensuring the security of the assigned areas
  • Identify and report challenges, security gaps, and remediation status to the CISO team on a timely basis
  • Certify that security is maintained in the assigned area

This security ownership requires a mindset shift when developing and accepting job requirements. Employees must understand that security is inherently part of everything they do, whether they build systems, manage the office front desk, or oversee access management. Therefore, security ownership and accountability must be formally accepted when employees accept a job offer. Unless this shift in mindset happens, we cannot ensure data security comprehensively and effectively.

Key Areas for Security Ownership Consideration

An ASO can be assigned by the CISO and/or the head of the designated department. In order to accommodate workload, an ASO may or may not be responsible for the operations of the area but is nevertheless accountable for making sure security is maintained in the assigned area. For areas which may have multiple assigned ASOs such as “application security”, a Lead ASO (LASO) must be assigned to ensure all application security ASOs follow the established protocol to ensure security within each application. The following areas can be assigned to an ASO for security accountability.

  • Server security (privileged accounts, file shares, configuration, patching) (IT)
  • Network and related device security (Wi-Fi/Remote access/VPN/firewall, IPS/IDS, switches/routers) (IT)
  • Security Operations Center (SOC) (security monitoring and incident reporting) (IT)
  • Vulnerability assessment and penetration testing (IT)
  • Security incident management and communication (IT-Public Relations)
  • Data center security (IT)
  • Disaster Recovery Plan (IT)
  • Telecom security (emails, phones, file transfer, video, IM) (IT)
  • Business Continuity Plan (Business)
  • Building/office/desk security (Business)
  • Application security (privileged accounts, access, configuration) (IT or Business)
  • System/program change management (SDLC framework and compliance) (IT)
  • User onboarding/off-boarding, access provisioning/deprovisioning (HR-IT)
  • End point security (IT)
  • Employee training and awareness (HR)
  • Data security (privacy compliance, encryption) (Legal/Compliance-IT)

The above is just a proposed and initial set of key areas, tasks, and departments. The DISMM proposal may not apply in its entirety to all organizations but can be modified to meet the needs of organizations that are concerned with an effective information security program with the lowest possible cost implications.

Audit and Certification

An ASO must formally certify periodically that the security of the area meets the organizational requirements. An ASO may delegate security duties but remains ultimately responsible for the security of the assigned area.

To ensure compliance with the requirements of DISMM, the CISO team is responsible for performing risk-based audits of key security areas. This task can also be assigned to the service desk which has access, technical knowledge, and independence to validate security.

If budgets allow and contractual requirements dictate, an annual third party audit and ISO 27001 security program certification may be warranted.

Reducing customer onboarding errors during the customer acquisition process can minimize mistakes that can be highly detrimental to your business. Customer onboarding has become even more important as more transactions are initiated and completed online. Avoiding mistakes during the customer onboarding process can help you accept more high-quality customers and reject poor-quality customers.

Reducing Customer Onboarding Errors

Rejecting High-Quality Customers Is a Major Problem


Poor quality data can lead to the rejection of quality customers. During the onboarding process, customers must provide specific information to validate their identity. The information that customers provide during the onboarding process is compared with external data for validation. Relying on inaccurate data could lead to decisions based on false negatives, which results in good customers being rejected. So, connecting with high-quality data providers is essential. They’ll make sure that you never miss out on your highest quality customers. Comparing customer information to multiple data sources may prove to be beneficial in the long run.

Up to 52% of customers will stop their onboarding process due to complicated processes. Plus, more customers could be turned away due to data errors. Missing out on high-quality customers is a critical error that companies cannot afford to make, thus paying top dollar for a good onboarding database ultimately proves to be a good business decision.

Onboarding Poor Quality Customers Can Be Just as Bad


At the same time, onboarding poor-quality customers can be just as bad. These customers take up time, without providing much in return. A lot of customers make it through the onboarding process, despite obvious signs they shouldn’t. Usually, that’s because your company’s onboarding process doesn’t have access to high-quality identity data.

Poor data quality doesn’t just make you miss out on good customers. It can even make you waste resources on bad ones. Analyzing data sources and the results of onboarding decisions over a period of time will help determine the quality of the identity validation data. There is a correlation between quality data and the quality of customer list which can be assessed over time.

Why Having Access to Excellent Data Is Essential


Data has become one of the most valuable resources in the modern economy. Better data leads to better business decisions. Utilizing only the highest-quality data will improve your business performance. However, not everyone understands the importance of this process.

High Accuracy Decision-Making

Businesses must make customer onboarding decisions on a daily basis. The quality of those decisions will impact your bottom line. By making better decisions, you’ll avoid fraud and reduce waste.

Never Miss Quality Customers

Quality customers don't always make it through onboarding, because of poorly designed processes and poor-quality data sources used for decision making. Quality data sources are vital for onboarding.

Never Onboard Bad Customers

Another benefit of quality onboarding data is a reduction in the number of poor-quality customers who are accepted on the basis of false positives. These customers often cost money in the long run, which could have been prevented with some upfront investment.

Streamlining the Onboarding Process

When asked, most customers say the length of onboarding is the most important factor in their decision to do business with a company. If your onboarding process is long and complicated, fewer customers will be willing to complete it. Most onboarding processes serve three important purposes:

Know Your Customer

Especially in finance, KYC compliance is vital. Customers must provide specific information before they can do any business. Otherwise, your company could be at risk of litigation.

Identity Verification

Never let customers complete their onboarding without providing sufficient identity verification. That’s one of the biggest ways to prevent fraud. However, asking them for the same information multiple times isn’t a good idea, either.

Fraud Prevention

If you’ve complied with the previous steps, preventing fraud shouldn’t be too hard. Monitor customer activity and keep an eye out for anything out of the ordinary. If they’ve made it through your onboarding process, they’ll probably be decent customers. So, you won’t have to worry too much about this.

Common Problems with Customer Onboarding

Customers often complain about a few common challenges when onboarding with a business:

The Process is Too Long

First and foremost, customers don’t want to spend hours going through the process. The faster it can be done, the more people will complete it. Cut down on unnecessary steps to encourage them to complete everything.

Requesting the Same Information More Than Once

Believe it or not, many companies make the mistake of asking for the same information in different forms, which may not even improve the quality of their decisions. There has to be a balance between the confidence level of onboarding decisions and the risk of losing good clients.

Unclear Instructions

Above all, the onboarding process should be easy for people to understand. If people feel like they need an interpreter, something needs to change. Otherwise, people might get frustrated and stop before they finish.

Reducing Customer Onboarding Errors and Mistakes

Connect with high-quality data providers to attract more customers, reject bad customers, and never miss out on quality customers by reducing customer onboarding errors. Mistakes during the onboarding process are easy to make, but they are also easy to fix. Optimizing the process will make it easier to attract quality clients. Not to mention, you’ll minimize the prevalence of any fraud.

Disgruntled employee security risks are among the greatest system access risks that companies face. An unhappy employee holding the highest level of credentials and access privileges can cause serious harm before disappearing, or even after leaving the organization if the company fails to offboard the employee properly.

Disgruntled employee security risks and system access threats.

When an employee loses loyalty toward the company because the employee is mistreated, is given an employment termination notice, disagrees with management over something, or simply loses employment benefits such as medical insurance, a performance bonus, stock options, 401K matching, or value in a declining stock price, the employee may become disgruntled toward the company and some of its management. Many times, employees don't know how to handle such situations and become irrational, resorting to violence in the workplace and in society, family abuse, and sabotage or theft of company assets, to name a few.

A disgruntled employee is very unpredictable in terms of behavior, as each person reacts to life pressures differently. In a downward economy, when people lose their jobs, homes and savings, they start having issues with their family members, society, the government, and the company they worked for over so many years. Everyone handles such life situations differently. Although some become creative and successful as a result of these pressures, many feel cornered and start behaving carelessly, unpredictably and dangerously toward others.

While certain people accumulate great wealth and start successful businesses during economic recessions, as desperation sometimes brings out the best in people in the form of new ideas, creativity and increased contribution to society, others who do not know how to deal with life pressures end up desperately violent toward their families before harming themselves. How many times have we heard of an ex-employee returning to the company to threaten everyone he blames for his misfortune? There is no shortage of people harming their entire families, others, and even themselves because of financial pressure, lost jobs and vanished savings and home values. An employee does not become a threat overnight; there are always disturbing signs that could and should be detected by people close to the person in order to avoid potentially dangerous behavior that could lead to disaster.

You may wonder what a company can do about a disgruntled employee. For one thing, companies should avoid creating disgruntled employees in the first place by being sensitive to employee needs as well as their own business needs. According to Henry Bagdasarian, “companies should have procedures to identify disgruntled employees before it’s too late”. When companies go through major changes such as a massive restructuring of the organization or its benefit plans, especially when the change affects a large share of the workforce, they must treat a disgruntled employee as a possible business risk and threat, and handle that risk like any other business risk. In serious situations, a corporate psychologist should be engaged when a potentially disgruntled employee is identified. During most layoffs, everyone from Human Resources and the Legal department to operations management is involved in the process, but how much do they know about human psychology and managing human behavior during a corporate undertaking as large as a layoff that affects hundreds or thousands of employees? An orderly corporate change requires human behavior management to reduce business risk throughout the process. Such management requires effective communication as well as pre- and post-layoff support that serves the employees' interests and not solely the business interests, although managing employee interests ultimately serves business interests by reducing business risk. Companies must also monitor employee activities and pay attention to asset protection safeguards to reduce the risks that could arise from disturbed employees.

As mentioned, one of the biggest risks posed by a disgruntled employee is sabotage and theft of corporate assets. Many employees have unrestricted access to corporate systems and physical assets. “In my professional experience, I have witnessed unauthorized distribution of payroll files disclosing all salaries to the insiders as well as outsiders, sale of customer and employee personal information, and even piracy of digital assets”, Mr. Bagdasarian observes. Although some of these illegal actions are driven by greed, others have no financial value to the perpetrator beyond personal satisfaction and revenge. During times of rapid business change, companies must be sensitive to employees' situations and address their mental state before it's too late. Once the damage is inflicted, it is very hard, if not impossible, to reverse. For example, when a payroll file is distributed on the Internet, it is impossible to collect all the distributed copies, and sometimes people even die as a result of a disturbed and disgruntled employee's actions.

In conclusion, many options are available for addressing disgruntled employee security risks, including but not limited to employee behavior management, increased security of assets, and monitoring of employee activities in and out of critical systems. Even when there are no major business changes, companies must pay close attention to isolated disputes, complaints and reports of strange behavior in order to detect and defuse a potential business threat arising from a disgruntled employee.
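The article names two controls against a departing employee's residual access: offboard properly and monitor activity in critical systems. The script below, an added example that is not part of the article, reconciles a constructed HR roster against a constructed account export and access log, flagging terminated employees whose accounts are still enabled and any access recorded after their termination date; the roster, account and event data are invented sample values.

```python
"""Offboarding reconciliation: find accounts and access that outlive an employee's termination.

Added example, not the article's own code. HR_ROSTER, ACCOUNTS and ACCESS_EVENTS are
constructed sample data standing in for real HR and identity-directory exports."""
from datetime import date, datetime

# Constructed HR roster: account name -> ISO termination date, or None if still employed.
HR_ROSTER = {"alice": None, "bob": "2024-03-15", "carol": "2024-03-20", "dave": None}

# Constructed account directory export: account -> enabled / privileged flags.
ACCOUNTS = {
    "alice": {"enabled": True, "privileged": False},
    "bob": {"enabled": True, "privileged": True},      # terminated, never disabled
    "carol": {"enabled": False, "privileged": False},  # terminated and disabled
    "dave": {"enabled": True, "privileged": True},
}

# Constructed access log: (ISO timestamp, account, system).
ACCESS_EVENTS = [
    ("2024-03-14T17:02:00", "bob", "payroll"),
    ("2024-03-18T02:41:00", "bob", "payroll"),
    ("2024-03-21T09:00:00", "alice", "crm"),
    ("2024-03-22T23:10:00", "carol", "hr-db"),
]


def orphaned_accounts(roster, accounts):
    """Terminated employees whose accounts are still enabled, privileged ones listed first."""
    hits = [(name, accounts[name]["privileged"]) for name, term in roster.items()
            if term is not None and name in accounts and accounts[name]["enabled"]]
    return [name for name, _ in sorted(hits, key=lambda h: (not h[1], h[0]))]


def post_termination_access(roster, events):
    """Access events dated after the account holder's termination date.

    Accounts with no termination date (still employed or unknown to HR) are skipped here."""
    flagged = []
    for ts, account, system in events:
        term = roster.get(account)
        if term is not None and datetime.fromisoformat(ts).date() > date.fromisoformat(term):
            flagged.append((account, system, ts))
    return flagged


def offboarding_report(roster=HR_ROSTER, accounts=ACCOUNTS, events=ACCESS_EVENTS):
    """Combine both checks into one report for the periodic access review."""
    return {"orphaned_accounts": orphaned_accounts(roster, accounts),
            "post_termination_access": post_termination_access(roster, events)}


if __name__ == "__main__":
    for key, rows in offboarding_report().items():
        print(key, rows)
```

Carol's disabled account still appearing in the log is deliberately flagged too: a disabled account should produce no access events, so such a record warrants investigation rather than a quiet pass.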
