3 Ways to Mitigate Insider Threat Risk Prior to an Employee’s Departure

We are seeing a disturbing insider threat trend impacting operations and causing reputational harm in the days leading up to an employee’s departure from an organization. For example, last week a Twitter employee deleted President’s Trump’s Twitter account prior to leaving the premises on his last day of employment. In September, a contractor was convicted of cyber sabotage on an Army computer toward the end of his contract, costing U.S. taxpayers millions. These cases highlight the importance of ensuring that the appropriate insider threat risk mitigations are in place to help your organization prevent, detect, and respond to an insider incident.

Whether termination or resignation, an employee’s pending departure from your organization increases the chance that data leaks or sabotage will occur that could impact operations, lead to the loss of competitive advantage, affect shareholder value, or result in embarrassment and devaluation of image and brand.

Here are three ways to prevent insider threat incidents by managing the vulnerabilities associated with an employee’s departure from your organization:

1. Codify and Communicate Clear Data Handling Policies: The goal of clear data handling policies is to mitigate insider incident risk vulnerability by increasing workforce awareness and retention of guidance related to handling of enterprise data throughout the duration of their employment. Policies should cover removal of company intellectual property and data ownership issues throughout the employee’s duration of employment, including the days leading up to their last day with your organization.

  • Document and then ensure that clear policies for employee handling of information are communicated to the workforce on a regular basis.
  • Provide new employee orientation and refresher training for employees on data handling policies on a regular basis to help increase workforce awareness.
  • Post flyers and information with hotlines for employees to report suspicious activity with data.

2. Establish Least Privilege and Separation of Duties: The goal of establishing least privilege and separation of duties is to limit the vulnerability surface area that could be exploited by an employee. The principle of separation of duties divides IT processes and business functions among employees to decrease the possibility that one could exploit a vulnerability and damage the organization.

  • Establish and codify data classifications and access permissions based on data sensitivity and the risk associated with its potential loss or exposure and then grant accesses based on this premise.
  • Notwithstanding, especially sensitive data protection situations may require the two-man rule or a stand-alone system to best manage insider risk.
  • Audit user access permissions against tailored criteria (e.g., when an employee changes roles in the organization), by setting up account management policies and procedures that are reviewed regularly, and by requiring privileged users to have, and use administrative and standard accounts appropriately.

3. Establish Proper Off-boarding Policies and Procedures: The goal of an effective off-boarding process is to protect your organization and spot potential problems with an employee who is scheduled to depart before they cause harm to your organization. Effective communication of off-boarding protocols across your Legal, Human Resources, and Information Technology departments can help minimize the risk of an insider incident, whether intentional or unintentional.

  • Decide if, and how, the employee’s access to information and systems will be limited or removed once they resign or are terminated. Work closely with your Legal department, or outside legal counsel, to ensure that the protocol is clearly documented.
  • Remind the employee that all company information, documents, and electronic equipment must be returned before their last day of work and create a checklist that Human Resources can help them work through before their last day, or during an exit interview.
  • If not already in place, consider an information technology audit, or threat detection technology, to review the employee’s most recent network access and email activity to ensure that there are no anomalies in behavior or data transfers. For example, some insider threat detection technologies place a higher risk score on an employee’s risk profile prior to their departure from the organization.

Cognitio helps organizations across multiple industries mitigate risks from trusted insiders. For more information see: Cognitio's Insider360.

Crystal Lister

Director at Cognitio
Promoting positive efforts to mitigate insider risk.

Crystal applies her unique background as a former counterintelligence and cyber threats officer in the US Intelligence Community to help organizations identify and prioritize strategic insider and digital risk mitigations. During her Intelligence Community career, she supervised digital media exploitation and analytic production supporting US foreign policy, national security, and sensitive operations. She also led a counterintelligence analysis and targeting team mitigating insider threat risk to high-priority operations that became an enterprise role model for early warning counterintelligence threat detection. While in the government, she served as a cyber threats, counterintelligence, and military analyst producing analysis for and briefing the White House and senior policy makers. Prior to her government service, she worked at the Boeing Company as a financial analyst. She is a CERT Insider Threat Vulnerability Assessor.Before moving to D.C. from Oklahoma, Crystal studied Finance and International Business at the University of Oklahoma and Computer Science at the University of Tulsa. In her free time, Crystal supports women pursuing STEM degrees, trains in modern dance, and spends time with her German Shepherds. Find her on Twitter @crystal4lister

Leave a Reply