Inactive profiles are user profiles that have not been used in the last 30 days or more. They create a security exposure because these accounts are not actively maintained by their users, which makes them prime targets for hijacking.
Many of these inactive profiles belong to former employees or contractors—people who might carry a grudge or who might find their former employer’s data useful in their new roles at competitors.
The threat persists even if ex-employees never attempt to utilize these profiles. Other users within the organization might know, for example, that the former IT director’s profile is still on the system. And whether an inactive profile is exploited by a former employee, a malicious insider, or a hacker, unusual use of the profile won’t be detected and reported by the profile owner.
The annual State of IBM i Security Study analyzes how many inactive profiles remain on IBM i systems around the world, and how many of those inactive profiles are still enabled.
Figure 4 shows that an average of 402 profiles (32 percent of the total) have not signed on in the past 30 days or more. Of these, 247 remain enabled and ready to be used.
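To take the same measurements on your own system, the queries below are an added example, not part of the study. They assume the QSYS2.USER_INFO catalog view is available and treat the 30-day threshold as time since PREVIOUS_SIGNON.

```sql
-- Added example (not from the study). Assumes read access to QSYS2.USER_INFO.

-- 1. Summary: total profiles, profiles with no sign-on in 30+ days,
--    and how many of those are still enabled.
SELECT COUNT(*) AS total_profiles,
       SUM(CASE WHEN previous_signon < CURRENT TIMESTAMP - 30 DAYS
                THEN 1 ELSE 0 END) AS inactive_30_days,
       SUM(CASE WHEN previous_signon < CURRENT TIMESTAMP - 30 DAYS
                 AND status = '*ENABLED'
                THEN 1 ELSE 0 END) AS inactive_and_enabled,
       SUM(CASE WHEN previous_signon IS NULL
                 AND status = '*ENABLED'
                THEN 1 ELSE 0 END) AS never_signed_on_enabled
  FROM qsys2.user_info;

-- 2. Detail: the enabled profiles behind those counts, oldest sign-on first.
--    A NULL previous_signon means the profile has never signed on; it is
--    reported separately because it has no date to compare against.
SELECT authorization_name,
       status,
       previous_signon,
       CASE WHEN previous_signon IS NULL THEN 'NEVER SIGNED ON'
            ELSE 'INACTIVE 30+ DAYS'
       END AS finding,
       text_description
  FROM qsys2.user_info
 WHERE status = '*ENABLED'
   AND (previous_signon IS NULL
        OR previous_signon < CURRENT TIMESTAMP - 30 DAYS)
 ORDER BY previous_signon;
```

Profiles that are not meant to sign on, such as ones that only own objects, will also appear in the detail list, so review each row before disabling or removing it.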