BID Daily Newsletter
December 18, 2014

A Not So Comical Menace

Dennis Mitchell, aka Dennis the Menace, has been entertaining comic strip fans with his various antics for more than 60 years. The blond-haired, freckle-faced boy with a sizeable cowlick has a knack for finding trouble, especially when it comes to annoying his cantankerous neighbor Mr. Wilson. Dennis the Menace, whose immense popularity spawned a live-action TV show and two movies over the years, has mellowed somewhat from his initial portrayal as an aggressive trouble-maker. He's still a mischievous 5-year-old, but contrary to what his nickname suggests, he does not intend to cause real harm.
In banking, however, there is nothing comical about the kinds of menace former employees can intentionally or unintentionally inflict on your bank. Accordingly, it's particularly important for community banks to implement strict policies to protect sensitive data when people leave. Even in cases when a separation is amicable, banks must take necessary precautions so that data doesn't inadvertently leave the organization.
To see how big an issue this really is, we discuss Intermedia's 2014 SMB Rogue Access Study that explores the security threat companies face when workers leave. While the findings of this particular study are not specific to banks, they should nonetheless resonate with everyone in our industry.
The study found 89% of those surveyed walked away with their passwords, retaining access to such key systems as Salesforce (with customer lists), PayPal (to do ACH), email (to monitor company comings and goings) and other sensitive corporate apps after they were no longer working at the company. If that's not eye-opening enough, here are some more troubling statistics: 45% retained access to confidential or highly confidential data, 49% logged into ex-employer accounts after leaving the company and 68% admitted to storing work files in personal cloud storage services.
Soon after Intermedia's report came out, the FBI issued a warning that insider threat poses significant risks to business networks and proprietary information. Stolen trade secrets, lost data, regulatory compliance failures, data breaches and deliberate sabotage are a few examples of the malfeasance that companies are battling. Further, the FBI said a review of its recent cyber investigations revealed victim businesses incur significant costs ranging from $5K to $3mm due to cyber incidents involving disgruntled or former employees.
To prevent potential problems, banks must implement rigorous data access guidelines to guard against data leakage. It is important to regularly review employee access points and to terminate any accounts that aren't needed for workers to perform their daily tasks. Banks also need to be vigilant about revoking access to systems once someone is no longer employed. The same also goes for contractors, who may come and go even more often than full-time staffers. Finally, always make sure that outside companies you work with know when employees or contractors leave so they too can terminate access.
In addition to these steps, the FBI also recommends that companies change administrative passwords to servers and networks when IT personnel leave. It also warns banks to avoid using shared usernames and passwords for remote desktop protocols and to avoid using the same login and password for multiple platforms, servers or networks.
As an industry, banks have increasingly sought to raise our defenses against unknown hackers, but we've got more work to do when it comes to safeguarding ourselves from the people we know. Erecting proper fences will help protect our backyards from those who may, intentionally or unintentionally, wreak havoc with our data.