Ghost users of your computer networks can be dangerous. They can expose your networks to cyber-attacks, caution cybersecurity experts.

Ghost users are former employees or vendors who have stopped working for an organisation but still have access to its networks and applications.

“It is a hidden risk haunting your data. When old accounts retain access to corporate assets, it creates unnecessary risk and increases the likelihood of threat actors accessing your environment,” Varonis, a cybersecurity solutions company, has said.

Releasing the findings of the research study Data Security Posture Management (DSPM), it said that old accounts are easier to compromise because they’re usually unmonitored, providing attackers more opportunities to crack credentials and expanding the blast radius.

The report studied the state of data security within modern organisational environments, based on an analysis of 15 billion files and over one billion folders across 300 organisations globally.

“Ghost users with access to applications and data allow attackers to quietly attempt a brute-force attack without tripping alarms,” it cautions.

Key findings

Almost 50 per cent of files shared with all users contain sensitive information. Threat actors could access sensitive information almost half of the time by compromising one account.

About 35 per cent of stale accounts still have active permissions.

Nearly one-third of permissions for sensitive data are stale. Some employees have way more access than they need to do their jobs.

About 60 per cent of admin accounts, on average, do not have multifactor authentication (MFA) enabled.

Routine cyber hygiene, such as disabling user accounts immediately after employees and contractors leave the organisation, drastically reduces a company’s cyber risk.

“Organisations need to set up and enforce processes for off-boarding users at your organisation. The growing adoption of SaaS (software-as-a-service) apps and services increases the odds of ghost users. Revoke permissions across your cloud services whenever employees or contractors leave the company,” it advised.

Stale data

The report also cautions against maintaining ‘stale data’. “Individual employees and teams are constantly creating new information and sharing it broadly. Unfortunately, failing to delete and archive data and remove access after a project is complete increases the likelihood of a breach,” it pointed out.

“Even moving stale data to a long-term storage solution rather than deleting it can significantly reduce risk and associated costs. Stale and outdated access weighs down a company’s cybersecurity posture while providing low-effort fodder for threat actors,” the study said.

“In an average organisation, about one-third of permissions for sensitive data is stale,” it warned.

Multi-factor authentication

The report said that simple measures like mandating multi-factor authentication (MFA) can reduce the risks. “Unprotected administrative accounts are susceptible to attacks. Accounts missing basic security controls like MFA are easier to infiltrate. Attackers can breach SaaS apps and steal internally exposed data,” it said.

“MFA adds an extra layer of security to user accounts, making it far more difficult for attackers to gain access, even if they have your password. Without MFA enabled, attackers have a straightforward path to compromise an organisation,” it said.