Cyber-security expert Shane Day, chief technology officer at UNIFY Solutions, said companies that fail to immediately disable their former employees’ computer access run the risk of malicious “revenge” attacks on their systems, potentially costing thousands – or millions – of dollars to fix.
“This is a problem common to businesses of all sizes, and even governments,” he said. As Australia prepares for what Microsoft research terms “The Great Resignation” – where millions of people are preparing to quit their jobs in the wake of the global pandemic – the risk of cyber breaches grows.
Other research shows that disgruntled current or former employees who steal intellectual property or commit intentional sabotage are among the costliest threats to organisations. Gartner’s insider threat statistics suggest almost a third of criminal insiders commit theft for financial gain.
“Information security awareness helps with employees trained to recognise risky behaviour, but this relies on the good intentions of employees,” said Mr Day. “Unfortunately, many businesses find out the hard way that not all employees have those good intentions, particularly when they are leaving the company.”
The Australian Cyber Security Centre (ACSC) recommends that, to limit the potential damage inflicted by those without good intentions, businesses should ensure they know exactly who can access information and limit that access on a “need to know” basis. In 2020-21, cyber crime cost small businesses an average of $9,000 and medium businesses more than $33,000, according to the ACSC annual Cyber Threat Report.
“Information security is about ensuring information is both available to those who need it, and not available to those that don’t,” said Mr Day.
“Identity and Access Management systems enable business owners to make decisions about creating digital access accounts, updating them, granting access to systems and – crucially – disabling users’ access.”
He advises businesses of all sizes to work with their HR firms and systems to ensure their cyber-security needs are covered.
“HR systems are very much a ‘source of truth’ for information about who works in an organisation, and it’s essential that a business is able to act quickly to prevent former employees from retaining access to confidential or sensitive information, or doing damage to the business’ systems,” he said.
“Since UNIFY Solutions was founded in 2004 to solve these kinds of problems, we have found there are definite patterns that are repeated in almost every business. These patterns involve making decisions about account creation, changes and disabling based on information that can be read from an HR system.
“What many businesses – especially small to medium sized businesses – don’t realise is that there are solutions available that don’t need to involve all the bells and whistles and associated cost of an enterprise-grade system.
“You can get the same systems as we provide for large government departments and enterprises, configured to be a good fit for small and medium businesses.”