The economics of not revoking user accounts
29 August, 2014
category: Corporate, Digital ID
Dean Wiech, managing director, Tools4ever
We are all aware of the potential security risks organizations face when they don’t properly disable or delete user accounts when users leave an organization. If former users still have access to customer data and sensitive internal systems, there’s the potential for them to wreak havoc on the systems.
Most organizations take immediate steps to prevent this type of action when an employee is terminated or leaves of their own volition, but some do not. However, even where security is not a concern, one very important thing is often overlooked: the costs associated with not disabling user accounts, licensed applications and cloud-based solutions.
Take, for instance, Office 365, the increasingly popular solution from Microsoft for hosted email and the Office productivity suite. Costs typically range from $4 to $20 per user per month for business clients. Another example is Salesforce.com, a popular Web-based customer relationship management application, which ranges from $65 to $250 per user per month. Still other applications, such as Sales Genie or Hoovers, have costs associated with downloading a record or email address.
Next, if we take a look at a company with 1,000 employees and assume an annual turnover rate of 10%, 100 employees leave on an annual basis. If that company has one cloud-based application averaging $30 per month and it takes three months to process all of the terminated employees out of all systems, the cost to the company is $9,000. Obviously, the more subscription-based applications, the longer it can take to deactivate accounts. The more employees and the higher the turnover rate, the greater the potential costs to the subscribing company.
Now, if the application in question has a cost associated with downloading records, the costs to an organization can be tremendous. A recent conversation with a sales manager brought this point into focus. He said that a recently terminated sales rep did not have his access to a lead generation database revoked for nearly six months following termination.
In that time, the one former employee was able to download nearly 15,000 records at a total cost of $7,500 to the company. In a large organization with a high sales turnover, this cost can be astronomical.
Another area where licensing costs can come into play is with network-based applications that are licensed on a per user account basis. Very often, applications like Visio, Photoshop and others are licensed for a large number of users and access rights to these applications are based on group memberships in Active Directory. In a similar vein to cloud-based solutions, if a user is not removed from a group that enables access to one of these applications, it is feasible that the company could run out of licenses and need to purchase more.
This also is true when a current employee is transferred to a new role. As an example, a graphics designer accessing Photoshop on a daily basis is transferred to a managerial role. When the transfer occurs, the rights to the application remain intact because of a lack of communication between the human resources department and the IT group. The manager no longer needs access to Photoshop, but when a new designer is hired, a new license must be purchased.
In each of the above cases, proper controls via an automated identity management solution can revoke access rights for all employees within an organization, freeing up licenses and minimizing additional and unnecessary expenses. Many solutions are commercially available to automate the lifecycle of user accounts by linking a human resource application to Active Directory, as well as handling the proper creation and deletion of accounts in network and cloud-based applications.
In addition to the inherent security value of proper user account management, accurate licensing of applications can provide for a very quick return on investment.
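The reconciliation described above, linking HR records to application access, can be sketched as follows. This is an added example, not code from the article or from any vendor product; the user names, roles, seat prices and assignment sets are constructed sample data, and `reconcile` and `months_between` are hypothetical helper names.

```python
from datetime import date

# Constructed sample data: HR system of record (status, role, termination date).
HR = {
    "alice": {"status": "active", "role": "designer", "terminated": None},
    "bob": {"status": "terminated", "role": "sales", "terminated": date(2014, 5, 1)},
    "carol": {"status": "active", "role": "manager", "terminated": None},
}
# Constructed license model: monthly seat price and the roles entitled to a seat.
APPS = {
    "crm": {"monthly_cost": 65, "roles": {"sales"}},
    "photoshop": {"monthly_cost": 30, "roles": {"designer"}},
}
# Constructed seat assignments, e.g. exported from directory group membership.
ASSIGNED = {"crm": {"bob", "dave"}, "photoshop": {"alice", "carol"}}


def months_between(start, end):
    """Billing months elapsed, counting a started month as a full one."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    return months + (1 if end.day > start.day else 0)


def reconcile(hr, apps, assigned, today):
    """Flag seats held by leavers, by movers, or by accounts HR does not know."""
    findings = []
    for app, users in sorted(assigned.items()):
        cost = apps[app]["monthly_cost"]
        for user in sorted(users):
            rec = hr.get(user)
            if rec is None:
                reason, wasted = "not in HR system", None  # age unknown
            elif rec["status"] == "terminated":
                reason = "terminated"
                wasted = cost * months_between(rec["terminated"], today)
            elif rec["role"] not in apps[app]["roles"]:
                reason, wasted = "role no longer entitled", None
            else:
                continue  # active employee whose role justifies the seat
            findings.append({"app": app, "user": user, "reason": reason,
                             "monthly_cost": cost, "wasted_to_date": wasted})
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR, APPS, ASSIGNED, date(2014, 8, 29)):
        print(finding)
```

Accounts that hold a seat but have no HR record are reported separately because they cannot be explained by a late termination or a transfer and need manual review.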