Recently, we spoke with Angie Garman, the internal audit manager for First Florida Credit Union (FFCU). As part of her effort to centralize identity and access management (IAM), she’s been taking a closer look at the risk that ex-employees pose to credit unions. Ray Murphy, former CISO of Navy Federal Credit Union and information security expert, joined us.


The following blog is one of our key takeaways from our discussion. You can also read our blog about centralizing identity access management here, or watch a full video of the conversation here.

The Risk of Credit Union Insider Threats

Financial institutions are prime targets for fraud. Few public information security (infosec) incidents in the last decade illustrate this fact better than the constant high-profile attacks on some of the industry’s largest players.

For example, the Equifax breach occurred because someone forgot to update a software patch for two months. That kind of danger is enough to warrant a full review of any credit union’s patch policy. But it gets worse…

The breach that Capital One suffered could have been prevented by better insider threat security. A single employee at Amazon was able to bring the giant to its knees. This event was nearly the textbook definition of an insider threat, and it’s the subject of this blog.

How to Handle Ex-Employees

There are a few standard practices that every credit union should practice when an employee leaves or is terminated. These practices are in place to protect critical member and institutional information:

  1. Keep track of what every employee has access to. Some employees—especially those who are with a credit union for a long time—seem to gain access to just about everything within the organization.

This can be okay when it’s appropriate, but to be frank, it’s almost never appropriate. Checking to see whether people have access to things they don’t need access to is an important part of keeping all systems safe.

  1. Create a process for terminated employees. When an employee leaves the institution, make sure they lose their data access. They should no longer have user or administrator privileges.

Too often, this access is maintained for weeks or even months. When PII and financial information are at stake, restricting this access is critically important.

The old saying goes, “you can’t manage what you can’t measure.” The same is true for account and information access management. You must keep track of who you give access to, when you give access to them, and when their access privileges change.

If you don’t keep track of those things, you won’t be able to manage account access privileges, changes, or anything else that affects account security.

Free Webinar

Learn a structured process to manage the findings process. Resolve audit findings — on time and as expected. Escape from the pain of managing via spreadsheet and cut your administrative time in half.
Sign Up Now >

Further Reading

Want to learn more about credit union audits policies, processes, and management? Subscribe to our blog!

Or, if you work at a credit union and want a checklist for your next audit or exam, download our Credit Union Audit Checklist to help you along

Redboard is an easy credit union audit management platform. It streamlines offsite and onsite strategies alike. Plus, its powerful automation capabilities and intuitive UX simplify tedious planning, tracking, and follow-up tasks. Our customers have reported audit and exam time savings of anywhere from 15–50%. Request a demo now!