Not every cyber threat comes from outside.
Gordy McDonald was careful about how he framed this in Aviemore, because it is a subject that can create the wrong kind of anxiety in a team. The point is not that your people cannot be trusted. The point is that some of your most significant vulnerabilities involve people – former staff, contractors, colleagues who have changed roles – and those vulnerabilities are often invisible until something goes wrong.
This is the insider threat. And in most small businesses, it is entirely unintentional.
WHAT A BUSINESS OWNER EXPERIENCES
Six months after a trusted member of staff left, someone notices unusual access patterns on the system. Or a contractor who worked on a project two years ago still has login credentials that were never revoked. Or a colleague who moved from an admin role to a client-facing one still has access to HR files they no longer need. None of these people meant any harm. But the access exists, and access that exists can be exploited.
WHAT IS REALLY HAPPENING
Gordy described this pattern clearly: in many organisations, different departments work in silos. HR knows when someone leaves. IT knows how to revoke access. But if HR and IT are not talking to each other the moment someone departs or changes role, the access persists. A former employee – even one who left on good terms – with live remote access credentials is a vulnerability. If their personal email is compromised, if they reuse passwords, if they are targeted precisely because they once worked for your organisation, that old access becomes an active threat.
Then there is the deliberate insider threat: a disgruntled departing employee who knows where sensitive data is stored, who knows what financial processes look like, who has access they have not yet been asked to return. Gordy did not overstate this. Most people leave organisations with professionalism and goodwill. But the controls need to be in place regardless of the individual, because the controls are not about distrust – they are about removing the risk before it becomes a problem.
Heather Lowry also highlighted the bring-your-own-device dimension. If staff use personal devices for work – which in most small businesses they do, at least informally – and a member of staff leaves without that remote access being properly closed, the window they have into your systems may be significant and hard to map.
ACTION THIS DAY
1. Run an access audit today. Make a list of everyone who has had access to your systems in the last two years – staff, contractors, freelancers. Then check: is that access still active for anyone who has left or changed role? Any active access that should no longer exist needs to be revoked today, not scheduled for review.
2. Create a departure checklist and use it every time someone leaves, regardless of the circumstances. It should cover: email access revoked, remote login closed, shared passwords changed, any devices returned and wiped, and access to any external platforms or supplier portals removed. If this checklist does not currently exist, create a draft today.
3. Talk to HR and IT in the same conversation. In most small businesses this might be the same person, or it might be a conversation between two people who have never specifically discussed this. Either way, the question is simple: when someone leaves or changes role, who is responsible for making sure their access is updated, and how quickly does it happen?
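The access audit in step 1 can be done on paper, but it is also easy to script once HR's list of people and IT's list of accounts sit side by side. The sketch below is an added example, not material from the event or the speakers; every name, system, date and the role-to-system mapping is constructed for illustration. It goes one step beyond the text by also flagging enabled accounts whose owner appears on no list at all.

```python
from datetime import date

TODAY = date(2026, 2, 27)  # constructed audit date
# Constructed sample data: an HR-side roster and an IT-side account export.
ROSTER = [
    {"person": "a.staff", "kind": "staff", "status": "current", "role": "admin", "left": None},
    {"person": "b.leaver", "kind": "staff", "status": "left", "role": None, "left": date(2025, 8, 29)},
    {"person": "c.contractor", "kind": "contractor", "status": "left", "role": None, "left": date(2024, 3, 1)},
    {"person": "d.moved", "kind": "staff", "status": "current", "role": "client-facing", "left": None},
]
# Assumed mapping: which roles justify access to each system.
SYSTEM_ROLES = {"email": {"admin", "client-facing"}, "hr-files": {"admin"}}
ACCOUNTS = [
    {"person": "a.staff", "system": "hr-files", "enabled": True},
    {"person": "b.leaver", "system": "remote-login", "enabled": True},
    {"person": "b.leaver", "system": "email", "enabled": False},
    {"person": "c.contractor", "system": "supplier-portal", "enabled": True},
    {"person": "d.moved", "system": "hr-files", "enabled": True},
    {"person": "d.moved", "system": "email", "enabled": True},
    {"person": "old.shared", "system": "email", "enabled": True},
]

def audit_access(roster, accounts, system_roles, today):
    """Return (person, system, reason) for every enabled account that should be revoked."""
    by_person = {p["person"]: p for p in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked
        person = by_person.get(acct["person"])
        if person is None:
            reason = "owner not on roster"
        elif person["status"] == "left":
            reason = f"left {(today - person['left']).days} days ago"
        elif person["role"] not in system_roles.get(acct["system"], {person["role"]}):
            # Systems without a rule in the mapping are not judged for current staff.
            reason = f"not needed for role '{person['role']}'"
        else:
            continue
        findings.append((acct["person"], acct["system"], reason))
    return findings

if __name__ == "__main__":
    for person, system, reason in audit_access(ROSTER, ACCOUNTS, SYSTEM_ROLES, TODAY):
        print(f"REVOKE {person:<14} {system:<16} {reason}")
```

The same comparison works with a spreadsheet export from each side; what matters is that the HR list and the account list are checked against each other rather than each being reviewed alone.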
CONVERSATION TO HAVE WITH YOUR TEAM
Think of the last three people who left your organisation. Ask: is every door closed? Email access gone. Remote login revoked. Shared passwords changed. If you cannot answer yes with certainty for all three, that is this week’s action – not because you suspect anything, but because not knowing is itself the vulnerability. The best time to close these doors is the day someone leaves. The second best time is now.
This is Article 8 of the Cyber Resilience for Business Owners series, based on the Highlands and Moray Chambers Joint Cyber Resilience Event, Aviemore, February 2026. Speakers: Gordy McDonald (Police Scotland), Heather Lowry (Scottish Government).


