Disgruntled former employees pose one of the greatest cyber security risks to New Zealand businesses of all sizes.
Companies that fail to immediately disable their former employees’ computer access run the risk of malicious ‘revenge’ attacks on their systems, potentially costing thousands – or millions – of dollars to fix.
Cybersecurity expert Shane Day, chief technology officer at UNIFY Solutions, says any business with computer systems needs to closely monitor and manage who can access them.
“This is a problem common to businesses of all sizes, and even governments,”
And as Australia and New Zealand prepare for what Microsoft research terms “The Great Resignation”
Disgruntled current or former employees who steal intellectual property or commit intentional sabotage are among the costliest threats to organisations. Gartner’s insider threat statistics suggest almost a third of criminal insiders commit theft for financial gain.
“Information security awareness helps with employees trained to recognise risky behaviour, but this relies on the good intentions of employees,” said Mr Day.
“Unfortunately, many businesses find out the hard way that not all employees have those good intentions, particularly when they are leaving the company.”
To limit the potential damage inflicted by those without good intentions, the National Cyber Security Centre (NCSC) recommends that businesses ensure they know exactly who can access information and limit that access on a “need to know” basis.
The average cost to businesses that experienced a cyber attack was $159,000, according to the results of the HP New Zealand IT Security Survey of more than 500 small/medium businesses across New Zealand, released last week. The report identified employee carelessness as one of the top three security threats.
“Information security is about ensuring information is both available to those who need it, and not available to those that don’t,” said Mr Day.
“Identity and Access Management systems enable business owners to make decisions about creating digital access accounts, updating them, granting access to systems and – crucially – disabling users’ access.”
“We have found there are definite patterns that are repeated in almost every business. These patterns involve making decisions about account creation, changes and disabling based on information that can be read from an HR system.
“What many businesses – especially small to medium sized businesses – don’t realise is that there are solutions available that don’t need to involve all the bells and whistles and associated cost of an enterprise-grade system.”