Stop Insider Threats From Former Employees

When it comes time for an employee to leave your organization, you want them to leave on good terms.

But there are definitely limits to how nice you want people to be after they’re gone. Especially when it comes to accessing documents from their old position for their new projects.

In a recent bizarre case, it was reported that a former acting inspector general for the Department of Homeland Security pleaded guilty to stealing government software and data for use in his own product.

According to reports from The Record, Charles K. Edwards stole proprietary software and personally identifiable information (PII) belonging to federal employees of DHS and the US Postal Service, where he previously worked in their division of the Office of Inspector General. He apparently used these ill-gotten resources to sell a similar version of his old office’s case management software to other federal agencies.

What is interesting here, beyond the fact that the person who was supposed to be investigating wrongdoing was the thief himself, is the reports that he had inside help. He allegedly worked with a former employee of his who was still at DHS at the time, who helped him not only steal the software and databases, but also installed it in his home to work with.

While there are no details in the Justice Department release explaining how he got caught, it’s possible he raised some suspicions trying to sell other federal agencies a version of the software. A string of other convictions in his not-so-recent past may have led people to believe he was up to no good, leading them to alert the authorities.

Employees who keep more than good memories

Regardless of how he was discovered, his case is a good reminder of the need to ensure that future ex-employees don’t walk away with more than they should, and that those who are still working in your organization don’t help by divulging valuable information to their former colleagues.

Data loss by former employees is extremely common. A 2019 report showed that 72% openly admitted to taking material from their former employers.

In most cases, these incidents likely included low-risk data like contacts or other items that were probably not that harmful to their organization. These folks know they shouldn’t take company property with them, but they have no intention of using it for harmful or off-limits purposes for their next gig.

But in other cases where critical data such as intellectual property, trade secrets, customer lists and many other valuable items such as source code are taken, it is essential to catch the perpetrators.

3 tips and tools to mitigate the risk of insider threats

Below are some tips to keep in mind when thinking about how to minimize your risk of insider threats.

Monitor data downloads or transfers

An employee knows they are going to quit long before your security team. This gives them plenty of time to start storing bits and bytes of information that they might want to take with them when they leave.

Although an employee can become a malicious insider at any time, they are more likely to act underhandedly before they leave. This is because they have already made up their mind to leave, so feelings of loyalty are low and incentives to take something of value are highest. This is when they may decide to start downloading data or moving it to different cloud services where they have personal accounts that they can access later after they leave.

Organizations should always have monitoring tools that track and log data downloads or other large transfers. This should run regularly in the background, signaling when valuable data is exported. These are just good security practices.

But you should mainly focus on employees who have already given their notice. Be sure to keep an eye on these people’s activity before and after they leave to make sure there’s no unwanted activity going on.

Monitor employee communications

As we saw in Edwards’ case, he had help from within.

It’s become increasingly common for hackers like ransomware teams to contact employees to “coax” them into helping them with their attacks, so the concept of an insider used by external bad guys is far from being something new.

But it’s not uncommon for employees to keep in touch with their former colleagues in activities that might otherwise go on as normal. These former employees may try to leverage their relationships for personal gain.

Monitoring employee communications, including emails, chats, and the like, can be a good deterrent as it can increase the chances of getting caught. It is essential, however, that you remind people that they are being watched for both transparency and deterrence.

We have to consider that if the bad actors here are smart, they will avoid using company resources, like Slack or their email, which can be monitored. That’s if they’re smart. Many others are not.

It’s surprising how often people will use channels they should otherwise know are being monitored to send messages they shouldn’t be.

By monitoring the communication technologies owned by your organization, you potentially make it more difficult for the insider to operate by denying them channels. Plus, you increase your chances of catching them in the act.

Monitor behavior for anomalies

Over time, we become creatures of habit. We use the same tools, access the same types of folders and files, etc. In short, and with some variations, we become quite predictable in our work and create a baseline of behavior.

If we stray from that baseline, it should at least raise a red flag or two.

Monitoring employees for actions outside the scope of their normal activities is generally considered a best practice. The most common example here is if they are accessing resources they normally don’t have access to, but of course file transfers and similar activities that fall outside of the user’s standard behavior can also attract attention.

If your organization practices good segmentation between resources and responsibilities, no one should be able to walk away with too much data based on their own domain. In this case, they will either have to recruit more accomplices or break out of their usual habits to obtain larger amounts of data.

If you monitor with user behavior analytics (UBA) tools, you have a better chance of catching them at this starting point.
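
The baseline idea from this section, combined with the earlier advice to watch employees who have given notice more closely, as an added example that is not part of the original article or any vendor's product. The event fields, the thresholds, the ON_NOTICE set and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: (day, user, resource, megabytes transferred).
BASE = [30, 50, 40, 45, 35]  # MB per day during each user's baseline week
EVENTS = [(f"2024-03-0{i + 1}", user, "crm", mb)
          for user in ("alice", "bob", "carol") for i, mb in enumerate(BASE)]
EVENTS += [
    ("2024-03-06", "alice", "crm", 56),          # mild bump, not on notice
    ("2024-03-06", "bob", "crm", 56),            # same bump, but on notice
    ("2024-03-06", "carol", "source-repo", 40),  # normal volume, unusual resource
    ("2024-03-07", "alice", "crm", 900),         # bulk export
]
ON_NOTICE = {"bob"}  # hypothetical feed of users who have resigned


def find_anomalies(events, on_notice, baseline_days=5,
                   z_normal=3.0, z_notice=1.5):
    """Return sorted (day, user, reason) alerts for activity outside a
    user's own baseline; users on notice get the stricter threshold."""
    volume = defaultdict(lambda: defaultdict(float))  # user -> day -> MB
    touched = defaultdict(lambda: defaultdict(set))   # user -> day -> resources
    for day, user, resource, mb in events:
        volume[user][day] += mb
        touched[user][day].add(resource)

    alerts = []
    for user, per_day in volume.items():
        days = sorted(per_day)
        base, later = days[:baseline_days], days[baseline_days:]
        if len(base) < baseline_days:
            continue  # not enough history to form a baseline
        history = [per_day[d] for d in base]
        mu = mean(history)
        sigma = max(pstdev(history), 1.0)  # floor keeps flat baselines usable
        known = set().union(*(touched[user][d] for d in base))
        limit = z_notice if user in on_notice else z_normal
        for d in later:
            if (per_day[d] - mu) / sigma > limit:
                alerts.append((d, user, "volume"))
            new = touched[user][d] - known
            if new:
                alerts.append((d, user, "new-resource:" + ",".join(sorted(new))))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_anomalies(EVENTS, ON_NOTICE):
        print(alert)
```

The same 56 MB day alerts for bob and not for alice only because bob is on notice; carol is flagged for the unfamiliar resource even though her volume is normal.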

What is a little data sharing between old friends?

Working with colleagues over time builds bonds of trust. Or at least if your culture was good.

And it makes us want to be useful to the people we love and work with.

The challenge for organizations is to clarify where the boundaries are when it comes to helping former colleagues.

Give a reference or return a personal item they left at the office? Of course, help a friend.

Transmit exclusive information or help them create their new business at the expense of your organization? It’s a line too far.

It’s never a fun conversation, but it’s necessary. The past few years of remote work have brought many career changes for people leaving jobs, going on their own, leaving for new ventures. Building true esprit de corps within organizations is difficult when people don’t show up to the office regularly.

Moreover, we are probably more enterprising than before. Having experienced how our own professional situations are more than a little unstable, we are all on the lookout for opportunities, even if we just keep them in our back pockets. Saying no to helping a friend who has left the organization and who could help you out can be difficult.

Some people might reach for the gray, fuzzy line. Or even cross it.

Hopefully, well-defined policies and training can clarify what is acceptable and what is not, and when backed up by oversight, organizations can significantly reduce their risk.

This article was originally published in Hackernoon and reproduced with permission.

