As another academic year comes to an end, many graduates are preparing themselves for a busy three months ahead as a summer intern. It is
estimated that there are about 100,000 internships in the UK every year, and a significant amount of these are available in the financial services sector. Unpaid internships have particularly been a hot topic for the UK’s political leaders during the recent
election, and businesses are becoming increasingly aware of how important it is for any industry to treat interns responsibly. This includes paying a fair wage and making sure they are doing work that’s meaningful and adds value to the business.
A lot of these changes are also about making internships a formal part an organisation’s talent recruitment process, as it becomes much more professionalised and less about who you know on the inside. Similarly businesses also need to make sure the incoming
wave of summer interns doesn’t leave the firm with an access risk headache.
Ensuring that an intern’s contribution to the company is meaningful requires them to have access to the company database and a certain level of information, and as we all well know –this access needs to be governed and managed accordingly for security reasons.
While there’s nothing inherently risky with employing interns, it is critical that the provisioning and later de-provisioning of ID and access privileges is processed correctly.
So what are the risks?
Well, the main one is how waves upon waves of interns working for a few months or more leave behind a pile of abandoned access accounts that are still live. The risk is even greater when the intern is given privileged access rights to work alongside a senior
manager on a special project. The problem here isn’t the intern themselves, but how too often companies neglect to terminate the accounts used by interns when summer ends.
The interns’ abandoned accounts problem is compounded by how they aren’t revealed during the typical periodic audit that an IT department might conduct. The serious threat from these accounts is that they often remain unnoticed for long periods of time and
can be used by hackers as an easy entry point in a data breach. Of course, some ex-interns may misuse these old access rights for their own personal gains.
Based on evaluations of access risk conducted by Courion at more than twenty major corporations, organisations often have not just a few, but thousands of abandoned accounts. Once you also consider that a recent PwC
report estimates a cyber attack can costs companies an average of £1.46m – adopting a good housekeeping strategy for user accounts may just save your business millions this summer.
Eliminating the abandoned accounts associated with interns makes total sense, but CISOs need efficient and easy ways to prevent the problem happening in the first place and uncover them when they have been allowed to multiply. It is good identity and access
housekeeping that can help here, facilitated by intern on and off-boarding processes that take account of access rights and privileges. Automating these as much as possible will be key to mitigating the human error that can arise, especially when interns are
being managed over the summer months when teams can be more relaxed and less attentive to all the rules!