NEARLY half of Edinburgh’s council workers fail to hand in their security passes when they leave the authority, an internal audit revealed.
And one in four ex-employees were still able to access council computer systems in what a cyber expert called a “potentially serious” breach.
Now councillors have pledged to get tough with bosses as former staff access remains a problem a year after first being spotted.
“Obviously, it’s not good practice,” said Governance, Risk and Best Value (GRBV) convenor Joanna Mowat.
“It’s something we’ve been speaking to HR about and asking them to improve processes.”
Members of the GRBV committee are monitoring attempts to plug the security breach after it was flagged up in an internal audit last year.
A sample of 45 former staff last August revealed 18 (40 per cent) had passes that had not been deactivated.
And 11 (25 per cent) still had an active IT account three months after leaving – allowing them access to “core systems”.
A report to GRBV this month warned that user accounts for sensitive systems such as finance, social work, payroll and schools were all linked to individuals’ accounts. The report stressed that such access risked a breach of data protection laws and potential fraud.
“It is improving but we’re not there yet. It’s there as a high risk finding because it is a high risk finding,” said Cllr Mowat.
She said matters were further complicated by the council’s disparate workforce of 17,000, with not everyone based in an office. “We are improving and we are getting there but is it taking too long? Absolutely,” she added.
The Stirling-based Scottish Business Resilience Centre (SBRC) works with the police and government to tackle cyber crime.
Chief ethical hacker at SBRC, Gerry Grant, said such cases were “reasonably common” but could have serious implications for organisations.
“It’s mostly due to lack of communication between HR and IT departments,” said Mr Grant.
“It’s essential from an internal point of view that when a member of staff leaves to do a cyber hygiene review of staff accounts – both IT and physical passes.”
Mr Grant warned that IT accounts provide virtual access to confidential systems, depending on job roles, just as security passes provide physical access.
“It’s really important to ensure IT are notified when someone hands in their notice but occasionally people forget or do it monthly.
“But if someone is fired for gross misconduct then it needs to be dealt with straight away.”
A council spokeswoman said: “We take the security of our buildings and equipment seriously.
“We have measures in place to ensure that access cards and IT accounts are deactivated after people leave the council and will continue to review and strengthen these processes.”