Insiders are among the greatest security threats to a company’s network and data.
While conversations about threats often focus on accidental insider mistakes, one type of insider is often overlooked: the former insider, including ex-board members.
Too often, IT doesn’t delete former insiders’ network accounts. In the case of board members, IT may not be alerted immediately about who should no longer have this access.
According to a study by IS Decisions, a third of ex-insiders continue to access a company’s network. A quarter of IT personnel do nothing to revoke network access when an insider leaves, the study found. That means the insiders still have their accounts intact, all usernames and passwords remain active, and all authentication for access to databases, sensitive files, and intellectual property is still in effect.
The IS Decisions study focused primarily on ex-employees, the people who had once been regularly on the network and whose termination passed through different enterprise departments. Even when IT does move to deactivate accounts, it can take up to a week or more, leaving plenty of time for disgruntled ex-insiders to do damage.
There is sometimes a tenuous connection between boards of directors and corporate cybersecurity. As Sanford Sherizen wrote for Tech Target, “While infosecurity is crucial to the company’s future, it’s in competition with other critical priorities for the board’s attention — like making the next quarter’s numbers.” The more board members understand about corporate cybersecurity while holding a seat, the more they may be willing to respect that security when they leave.
Of course, how the board member becomes a former board member is important to that member’s loyalty to the organisation. A board member who is limited to a set term or terms, or who requests a leave of absence, will likely have a more positive attitude about the company than someone who is forced out against their will.
A disgruntled ex-board member could be as dangerous as a disgruntled ex-employee. Bloomberg, citing FBI reports, noted that disgruntled former insiders have been known to “extort their employer for financial gain by modifying and restricting access to company websites, disabling content management system functions, and conducting distributed denial of service attacks.” They are also responsible for significant financial loss and theft of intellectual property.
Preventing ex-board members from being a security threat begins when they are active board members. First, as an organisation should do with any employee, boards of directors should have only the network access they need. If all of their interactions can take place through a board portal, for instance, that is the only network access they should be granted. Any privileged credentials should be closely monitored by the IT department.
Second, avoid a paper trail. Whenever board files are printed and distributed, the organisation loses control. Those files can be copied and retained by the board member, even if they are meant to be destroyed. A paper trail can lead to leaks and sabotage when in the wrong hands. Instead, organisations should consider keeping as much as possible in digital format, controlled by the organisation itself.
Finally, whenever a board member does leave, all network access should be shut down immediately, including to the board portal.
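The three steps above (least privilege for sitting members, control of the records, and immediate removal of access on departure) reduce to two checks IT can run on a schedule. The script below is an added example, not code from the article or from IS Decisions: it reconciles a constructed board roster against a constructed directory state, reports former members whose accounts are still enabled or still hold group access (and whether the account was used after the departure date), flags sitting board members who hold more than the board portal, and deprovisions the stale accounts. The group names, the `ALLOWED_BOARD_GROUPS` assumption that a board seat needs only the portal, and all names and dates are assumptions made for the example.

```python
"""Added example (not from the article): reconcile directory accounts against a
board roster, flag former members who still have access, and deprovision them.
All roster/account data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumption for this example: a board seat only ever needs the board portal.
ALLOWED_BOARD_GROUPS: Set[str] = {"board-portal"}

# Constructed audit date used by the stand-alone run below.
AUDIT_DATE = date(2023, 3, 10)


@dataclass
class Person:
    username: str
    role: str                      # "board" or "employee"
    end_date: Optional[date]       # None while the person is still active


@dataclass
class Account:
    username: str
    enabled: bool
    groups: Set[str]
    last_login: Optional[date] = None


@dataclass
class Finding:
    username: str
    days_since_departure: int
    logged_in_after_departure: bool


# Constructed sample roster (the corporate secretary's view of who is current).
ROSTER: List[Person] = [
    Person("ada", "board", None),                 # sitting member
    Person("ben", "board", date(2023, 1, 15)),    # term ended in January
    Person("cy", "board", date(2023, 3, 1)),      # left recently, already offboarded
    Person("dee", "employee", None),
]

# Constructed sample directory state (what IT actually has provisioned).
ACCOUNTS: Dict[str, Account] = {
    "ada": Account("ada", True, {"board-portal", "vpn"}),
    "ben": Account("ben", True, {"board-portal", "finance-share"}, date(2023, 2, 20)),
    "cy": Account("cy", False, set()),
    "dee": Account("dee", True, {"finance-share"}),
}


def stale_accounts(roster, accounts, today):
    """Former insiders whose accounts are still enabled or still hold group access."""
    findings = []
    for person in roster:
        if person.end_date is None or person.end_date > today:
            continue  # still active
        acct = accounts.get(person.username)
        if acct is None or (not acct.enabled and not acct.groups):
            continue  # properly deprovisioned (or never existed)
        used_after = acct.last_login is not None and acct.last_login > person.end_date
        findings.append(Finding(person.username, (today - person.end_date).days, used_after))
    return findings


def excess_privileges(roster, accounts):
    """Sitting board members holding groups beyond what a board seat needs."""
    excess = {}
    for person in roster:
        if person.role != "board" or person.end_date is not None:
            continue
        acct = accounts.get(person.username)
        if acct is None:
            continue
        extra = acct.groups - ALLOWED_BOARD_GROUPS
        if extra:
            excess[person.username] = extra
    return excess


def deprovision(account):
    """Disable the account and strip every group; return the actions taken."""
    actions = []
    if account.enabled:
        account.enabled = False
        actions.append(f"disable {account.username}")
    for group in sorted(account.groups):
        actions.append(f"remove {account.username} from {group}")
    account.groups = set()
    return actions


if __name__ == "__main__":
    for f in stale_accounts(ROSTER, ACCOUNTS, AUDIT_DATE):
        print(f"{f.username}: {f.days_since_departure} days after departure, "
              f"logged in after leaving: {f.logged_in_after_departure}")
        print("  " + "; ".join(deprovision(ACCOUNTS[f.username])))
    for user, extra in excess_privileges(ROSTER, ACCOUNTS).items():
        print(f"{user} holds groups beyond the board portal: {sorted(extra)}")
```

Run on the constructed data, the audit reports that "ben" left 54 days earlier, is still enabled and logged in after his term ended, which is exactly the week-or-more deprovisioning lag the IS Decisions study describes; "cy" is silent because the account is already disabled with no groups. The privilege check reports that "ada", a sitting member, holds a `vpn` group beyond the portal. In a real environment the roster would come from the corporate secretary or HR system and the account state from the directory, and the post-departure login flag is the signal worth alerting on rather than just reporting.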
“Internal attacks are one of the biggest threats facing your data and systems,” Cortney Thompson, CTO of Green House Data, told CIO magazine. Recognising that former board members could be a risk, and taking action to address it, will go a long way towards preventing security incidents.