Tuesday, July 2, 2024

Stop Former Employee Insider Threats

When it’s time for an employee to leave your organization, you want to part on friendly terms.

But there is obviously a limit to how friendly you want people to be after they leave, especially when they are accessing material from their old position to try something new.

In a recent bizarre incident, a former acting inspector general of the Department of Homeland Security reportedly admitted to stealing government software and data for use in his products.

According to the records, Charles K. Edwards stole proprietary software and personally identifiable information (PII) belonging to federal employees of DHS and the US Postal Service. He appears to have used these ill-gotten resources to sell similar versions of his former office’s case management software to other federal agencies.

Interestingly, beyond the fact that the thief was the person who was supposed to investigate such misdeeds, there were reports of inside help. He is known to have worked with a former colleague who was at DHS at the time, who not only stole software and databases but also helped get them working from home.

Details of how he was caught aren’t in the Justice Department release, but it may have raised some eyebrows when he tried to sell versions of the software to other federal agencies. A series of other convictions from his recent past may also have alerted authorities, leading people to believe he may have been up to no good.

Staff taking more than good memories

However, his case is a timely reminder of the need to ensure that ex-employees don’t leave with more than they should, or have valuable information leaked to them by their former colleagues.

Data loss to former employees is very common. According to one 2019 report, 72% publicly admit to taking materials from their previous employer.

In most cases, these incidents may have included low-risk data such as contacts or other bits that are not very harmful to the organization. These people know they shouldn’t take company property, but they have no intention of using it for any harm or out-of-scope advantage for their next gig.

However, in other cases where sensitive data has been taken, such as intellectual property, trade secrets, customer lists, and other sensitive items such as source code, it is essential to catch the perpetrators.

3 Tips and Tools to Mitigate Your Insider Threat Risk

Here are some tips to keep in mind as you think about how to minimize your risk from insider threats.

Monitoring data download or transmission

Employees know they are leaving long before the security team does. This gives them enough time to start storing bits and bytes of information they may want to take with them when they leave.

Employees can become malicious insiders at any time, but they are most likely to engage in deceptive behavior ahead of their resignation. Having already decided to leave, they are less loyal and have the highest incentive to take something of value. At this point, they may decide to start downloading data or moving it to another cloud service under a personal account.

Organizations should always have monitoring tools in place to find and log data downloads and other large-scale transfers. These should run regularly in the background and flag any export of sensitive data. It’s just good security practice.

However, particular attention should be paid to employees who have already given notice. Keep an eye on these individuals before and after they leave to make sure there is no untoward activity.

Employee Communication Monitoring

As we saw in the case of Edwards, he was helped from within.

The notion of outside villains using insiders is far from new, and it has become increasingly common for hackers such as ransomware teams to try to “lure” employees into contacting them and helping them with their attacks.

However, it is not uncommon for employees to maintain contact with former co-workers in ways they may pass off as normal. Ex-employees may try to exploit the relationship for personal gain.

Monitoring employee communications, including email, chat, etc., can be a good deterrent because it increases the risk of being caught. For transparency and deterrence purposes, it is important to remind people that they are being monitored.

It is important to consider here that if the bad actors were smart, they would not be using company resources that could be monitored, such as Slack or email. That is if they are smart. More often than not, they aren’t.

It’s amazing to see how often people use a channel they should know is being monitored to send messages they shouldn’t.

By monitoring the communication technology the organization owns, we potentially make it more difficult for insiders to operate by denying them channels. We also increase the chances of catching them in the act.

Behavior monitoring for anomalies

Over time, we become creatures of habit. We use the same tools and access the same kinds of folders and files, etc. In a nutshell, with a few variations we become fairly predictable within the scope of our work and create a baseline of behavior.

A deviation from this baseline should raise at least a red flag or two.

It is generally considered best practice to monitor employees for actions that are outside the normal scope of their activities. The most common example here is accessing a resource that is not normally accessed, but file transfers and similar out-of-character activities that do not match the user’s standard behavior can also serve to draw attention.

If your organization has a good separation of resources and responsibilities, no one person should be able to take too much data from within their own domain. In that case, an insider will have to break away from their usual habits to recruit more conspirators or to get at a larger amount of data.

If you are monitoring with a User Behavior Analytics (UBA) tool, you are more likely to catch it at this point.
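To make the two monitoring ideas above concrete (flagging unusual data transfers with extra attention to employees on notice, and flagging deviations from a behavioral baseline), here is an added Python example; it is not from the original article or from any vendor tool. The event format, the thresholds and the `ON_NOTICE` set are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (day, user, resource, bytes_out). Not real logs.
BASELINE = [
    (1, "alice", "crm", 40_000_000), (2, "alice", "crm", 55_000_000),
    (3, "alice", "wiki", 10_000_000), (4, "alice", "crm", 45_000_000),
    (1, "bob", "git", 200_000_000), (2, "bob", "git", 180_000_000),
    (3, "bob", "git", 220_000_000), (4, "bob", "wiki", 5_000_000),
]
TODAY = [
    (5, "alice", "crm", 50_000_000),     # ordinary day for alice
    (5, "bob", "git", 500_000_000),      # well above bob's usual volume
    (5, "bob", "hr-share", 1_000_000),   # resource bob never touches
]
ON_NOTICE = {"bob"}  # assumption: fed from HR when notice is given

def build_profiles(events):
    """Per-user baseline: median daily bytes out and resources normally used."""
    daily = defaultdict(lambda: defaultdict(int))
    resources = defaultdict(set)
    for day, user, resource, nbytes in events:
        daily[user][day] += nbytes
        resources[user].add(resource)
    return {u: (median(daily[u].values()), resources[u]) for u in daily}

def find_anomalies(profiles, events, on_notice, factor=3.0, notice_factor=1.5):
    """Return (user, reason) alerts for one day of events vs. the baseline."""
    alerts, totals = [], defaultdict(int)
    for _, user, resource, nbytes in events:
        totals[user] += nbytes
        _, known = profiles.get(user, (0, set()))
        if resource not in known:
            alerts.append((user, f"new resource: {resource}"))
    for user, total in totals.items():
        # Users with no baseline get a limit of 0, so any transfer is flagged.
        base_bytes, _ = profiles.get(user, (0, set()))
        # Tighter volume threshold for employees who have given notice.
        limit = base_bytes * (notice_factor if user in on_notice else factor)
        if total > limit:
            alerts.append((user, f"volume {total} > limit {int(limit)}"))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(build_profiles(BASELINE), TODAY, ON_NOTICE):
        print(alert)
```

With the same events, bob's volume stays under the default threshold and is only flagged because he is on the notice list, which is the point of watching departing employees more closely.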

What’s a little data sharing between old friends?

Working with colleagues over time creates bonds of trust. Or at least it does if your culture is a good one.

And it makes us want to help the people we love and work with.

The organization’s challenge is to clarify where the boundaries are when helping former colleagues.

Providing a reference or returning personal items left in the office? Sure. Help your friend.

Passing on proprietary information or helping start a new business at your organization’s expense? That’s a line too far.

This is by no means a fun conversation, but it is a necessary one. Teleworking over the past few years has meant a lot of career shifts, with people quitting their jobs, working alone, and moving to new companies. If people don’t show up to the office on a regular basis, it’s hard to build a true shared mentality within your organization.

Besides, we are probably more entrepreneurial than before. We’ve all experienced more than a little precariousness in our own job situations, and we’re all looking for opportunities, even if we keep them in our back pockets. Refusing to help a friend who has left the organization and might reach out to you can be difficult.

Some people may even go right up to hazy gray lines. Or cross them.

We hope that well-defined policies and training can help clarify what is appropriate and what is not. When supported by monitoring, organizations can significantly reduce risk.

This article was originally published by hacker’s eye. Reprinted with permission.

