In the midst of the initial chaos at Twitter, there was radio silence from the main @twitter account for several days.
Rumors circulating on personal social media accounts of former Twitter employees speculated that it was not because Twitter did not desperately wish to do damage control, but because the company inadvertently laid off the person who controlled the account, without retrieving the password first. And everyone who knew how to reset the password.
Amid further speculation that staff responsible for cutting access are or were also quitting, Twitter employees who technically resigned on November 17 said that up until days later they could still use internal systems.
Given that many organizations share passwords for critical infrastructure in personal password managers, how many of those passwords are walking out the door, in the hands and heads of disgruntled ex-employees, in these uncertain times?
Ensure You Can Continue to Operate Your Business
Organizations that deploy a zero-knowledge enterprise password vault or manager like Bravura Safe to manage secrets are able to mitigate the risk of rogue passwords, ensuring each secret can be accessed when unforeseen circumstances or emergencies occur. Storing and accessing decentralized secrets and credentials using known and approved policies and procedures with a corporate password manager ensures the secrets are in safe hands while the privacy of others is respected.
Having these steps in place beforehand can ensure your IT team can respond to the unexpected. Nobody at Twitter expected or could have predicted such a security risk just a couple of weeks ago. However, putting a zero-knowledge enterprise password manager in place is actually a rather small cybersecurity endeavor; yet is a major preventative action that can help to ensure your business can continue operating effectively even when the unforeseen hits.
Prevent Employees from Becoming Insider Threats
As Twitter’s troubles continued over the past few days, scattered reports of terminated employees who could still log in and access confidential materials surfaced in discussion forums. This is a time of great stress for Twitter’s leadership, remaining employees, and those hard-working and talented employees who have left the company.
In times of duress, humans can make emotional decisions that increase the probability (and potential impact) of insider threats. Twitter locked the building doors as a security measure, but with a remote workforce is that really sufficient? Management’s hasty actions have potentially turned a massive number of trusted employees into insider threats. Employees who have left could damage systems or take confidential information. Employees who remain could start collecting information or changing passwords under the idea that if they are terminated they can retaliate.
Keep it Simple, Stupid! Applies to Terminations Too
It is critical for organizations to think through how simple and how automated their company user access termination needs to be. What is the minimal set of steps to disable a person’s external and physical access simply, quickly, and securely? Does the company have a Joiner-Mover-Leaver identity process?
If a company has an unforeseen event or planned restructuring, you need to make sure access can be removed in minutes rather than days. As a rule, think about disabling:
- Physical building access
- Federated authentication access to prevent unauthorized access to critical systems
- VPN or zero trust network access to prevent access to the company’s internal network
- Enterprise password manager access to prevent access to passwords for cloud services and other external systems
For most companies, ensuring these three steps are taken covers you in the short term. Your remote workers will not be able to access your environments and they will not have access to your physical systems. Then you can follow up in the following days and weeks to clean up the lingering access that did not need to be revoked urgently. Examples could include software only available on your internal network including file storage systems and databases for example. While it is ideal to have this process automated, in practice most companies take days or weeks to manually clean up the remaining access.
The final step in a leaver scenario is to ensure that designated remaining managers obtain access to passwords previously under the sole control of the leaver(s), in order to maintain uninterrupted access to systems.
Shift your Company’s Password Risk in a Week
Organizations with a good grasp on one of their biggest risks and most fundamental tools and risks - passwords - manage their passwords and other secrets securely, using enterprise password management software like Bravura Safe.
While many organizations have deployed strong internal password management systems and integrated them with simple Single Sign-On (SSO) features, IT teams are confronted with a proliferation of uncontrolled passwords and secrets outside of IT corporate applications, which constitutes another cybersecurity risk.
For both internal and external resources including secure spreadsheets, websites, knowledge bases, productivity tools, and systems, studies have shown that the average employee manages up to 100 passwords. They must also remember information about company credit cards, ssh keys, and certificates.
Due to this gap, staff has been compelled to use unmanaged third-party solutions, or worse, hide passwords and secrets in spreadsheets and chat messages, or reuse the main business passwords to make them easier to remember. For hackers, weak and insecurely stored passwords are a prime target.
It's events like Twitter 2.0 that make us realize that all employees may have even "just a little privilege" in your environment that can have serious operational and security implications. Take a few minutes with your team to critically plan how your company would revoke those employee privileges before you are in a situation where you need to take quick action.
Let Bravura Security show you how you can reduce the risk of passwords walking out your door (or employees becoming insider threats) by managing your company secrets and decentralized passwords with a zero-knowledge approach not tied or known by specific employees.
