UNIFY Solutions finds disgruntled former employees pose one of the greatest cybersecurity risks to New Zealand businesses of all sizes.

The company, a provider of identity, access, security and governance solutions, says companies that fail to immediately disable their former employees' computer access run the risk of malicious 'revenge' attacks on their systems, potentially costing thousands, or millions, of dollars to fix.

Shane Day, chief technology officer at UNIFY Solutions, says any business with computer systems needs to monitor and manage who can access them closely.

"This is a problem common to businesses of all sizes and even governments," says Day.

"As New Zealand prepares for what Microsoft research terms "The Great Resignation", where millions of people globally are preparing to quit their jobs in the wake of the pandemic, the risk of cyber breaches grows."

UNIFY Solutions says research shows disgruntled current or former employees who steal intellectual property or commit intentional sabotage are among the costliest threats to organisations. According to Gartner's insider threat statistics, almost one-third of criminal insiders commit theft for financial gain.

"Information security awareness helps with employees trained to recognise risky behaviour, but this relies on employees' good intentions," says Day.

"Unfortunately, many businesses find out the hard way that not all employees have those good intentions, particularly when they are leaving the company."

The National Cyber Security Centre (NCSC) recommends limiting the potential damage inflicted by those without good intentions. It says businesses should ensure they know exactly who can access information and restrict access to information on a need to know basis.

According to the results of the HP New Zealand IT Security Survey of more than 500 small and medium businesses across New Zealand, released last week, the average cost to businesses who experienced a cyberattack was $159,000. The report identified employee carelessness as one of the top three most significant security threats.

"Information security is about ensuring information is both available to those who need it and not available to those that don't," says Day.

"Identity and access management systems enable business owners to make decisions about creating digital access accounts, updating them, granting access to systems and - crucially - disabling users' access."

He advises businesses of all sizes to work with their HR firms and systems to cover their cybersecurity needs.

"HR systems are very much a 'source of truth' for information about who works in an organisation," he says. "It's essential that a business can act quickly to prevent former employees from retaining access to confidential or sensitive information or doing damage to the business' systems.

"Since UNIFY Solutions was founded in 2004 to solve these kinds of problems, we have found there are repeated patterns in almost every business. These patterns involve making decisions about account creation, changes and disabling based on information that can be read from an HR system.

"What many businesses, especially small to medium-sized businesses, don't realise, is that there are solutions available that don't need to involve all the bells and whistles and associated cost of an enterprise-grade system," he adds.