We are seeing a disturbing insider threat trend impacting operations and causing reputational harm in the days leading up to an employee’s departure from an organization. For example, last week a Twitter employee deleted President’s Trump’s Twitter account prior to leaving the premises on his last day of employment. In September, a contractor was convicted of cyber sabotage on an Army computer toward the end of his contract, costing U.S. taxpayers millions. These cases highlight the importance of ensuring that the appropriate insider threat risk mitigations are in place to help your organization prevent, detect, and respond to an insider incident leading up to an employee’s departure.
Whether involuntary termination or voluntary resignation, an employee’s pending departure from your organization increases the chance that data leaks or sabotage will occur that could impact operations, lead to the loss of competitive advantage, affect shareholder value, or result in embarrassment and devaluation of image and goodwill.
Here are three ways to prevent insider threat incidents by managing the vulnerabilities associated with an employee’s departure from your organization:
1. Codify and Communicate Clear Data Handling Policies: The goal of clear data handling policies is to mitigate insider incident risk vulnerability by increasing workforce awareness and retention of guidance related to handling of enterprise data throughout the duration of their employment. Policies should cover removal of company intellectual property and data ownership issues throughout the employee’s duration of employment, including the days leading up to their last day with your organization.
- Document and then ensure that clear policies for employee handling of information are communicated to the workforce on a regular basis.
- Provide new employee orientation and refresher training for employees on data handling policies on a regular basis to help increase workforce awareness.
- Post flyers and information with hotlines for employees to report suspicious activity with data.
2. Establish Least Privilege and Separation of Duties: The goal of establishing least privilege and separation of duties is to limit the vulnerability surface area that could be exploited by an employee. The principle of separation of duties divides IT processes and business functions among employees to decrease the possibility that one could exploit a vulnerability and damage the organization.
- Establish and codify data classifications and access permissions based on data sensitivity and the risk associated with its potential loss or exposure and then grant accesses based on this premise.
- Notwithstanding, especially sensitive data protection situations may require the two-man rule or a stand-alone system to best manage insider risk.
- Audit user access permissions against tailored criteria (e.g., when an employee changes roles in the organization), by setting up account management policies and procedures that are reviewed regularly, and by requiring privileged users to have, and use administrative and standard accounts appropriately.
3. Establish Proper Off-boarding Policies and Procedures: The goal of an effective off-boarding process is to protect your organization and spot potential problems with an employee who is scheduled to depart before they cause harm to your organization. Effective communication of off-boarding protocols across your Legal, Human Resources, and Information Technology departments can help minimize the risk of an insider incident, whether intentional or unintentional.
- Decide if, and how, the employee’s access to information and systems will be limited or removed once they resign or are terminated and work closely with your Legal department, or outside legal counsel, to ensure that the protocol is clearly documented.
- Remind the employee that all company information, documents, and electronic equipment must be returned before their last day of work and create a checklist that Human Resources can help them work through before their last day, or during an exit interview.
- If not already in place, consider an information technology audit, or threat detection technology, to review the employee’s most recent network access and email activity to ensure that there are no anomalies in behavior or data transfers. For example, some insider threat detection technologies place a higher risk score on employee’s risk profile prior to their departure from the organization.
Crystal is a former all-source cyber threat and counterintelligence officer at the CIA where she drove analysis on how cyber threats blended with geopolitical events impact the foundation and future of national security. She is now Director, Cyber Risk Analytics at Cognitio applying her expertise with well-resourced, advanced persistent threat actors to improve technical efforts for commercial and federal organizations to mitigate digital risk. Before moving to D.C. from Oklahoma, Crystal studied Finance and International Business at the University of Oklahoma and Computer Science at the University of Tulsa. In her free time, Crystal supports women pursuing STEM degrees, trains in ballet and modern dance, and trains her two German Shepherds in therapy work. Find her on Twitter @crystal4lister
Latest posts by Crystal Lister (see all)