National Insider Threat Awareness Month, celebrated every September, aims to emphasise the importance of detecting, deterring, and reporting insider threats. As the month draws to a close, Tim Bandos, Vice President of Cyber Security at Digital Guardian, explains what organisations can do to mitigate the insider threat of departing employees.
Every year, the Verizon Data Breach Investigations Report (DBIR) provides a deep dive into the latest trends in cybersecurity incidents. The 2019 report found that insider involvement in breaches has risen for four consecutive years and, worryingly, that internal actors were involved in 34 percent of all data breaches analysed.
Insider threats can range from absent-minded employees to disgruntled third parties, meaning organisations have to be extremely vigilant for any signs of wrongdoing. However, perhaps the most potent threat comes from one particular subset – departing employees.
This article looks at some of the most common security concerns surrounding departing employees including the risks they pose, the motivations behind their behaviour and importantly, what organisations can do to mitigate the threat.
The danger of departing employees
Departing employees have always posed big problems for organisations of all sizes and for good reason. Not only do they have the necessary access and knowledge of where sensitive data resides, but in many cases, they also have a motive.
Of course, not all motives are malicious in nature. In some instances, it may just be a desire to take copies of their work with them for posterity or future reference, but in other cases it could be to give or sell it to a competitor, or to leak it to the media. Whatever the motive may be, any form of data loss at the hands of a departing employee can be extremely damaging, financially, reputationally, or both.
Unfortunately, due to the unknown variables involved, organisations are at a major disadvantage when going up against this type of threat, which is why it’s so important to monitor for telltale activity and behaviour that might give a potential insider threat away before it’s too late.
Effectively mitigating the threat
The best approaches combine the right technology with a robust process. First and foremost, visibility is needed on endpoints, as well as wherever data is leaving or transferring across the company. At a minimum, businesses should be able to track all types of file movement and data egress, and keep an audit trail of what each employee has done prior to departure. That trail has to be collected continuously, since by the time someone hands in their notice the suspicious activity may already have happened. With it in place, an employee's behaviour between the time they give notice and their departure can be closely monitored and, if necessary, presented to them at their exit interview for explanation or clarification.
There are several signs to look for that can give away a departing employee as an insider threat. One of the most common is a spike in data movement volume, for example large data egress to USB storage devices or to cloud storage sites like Dropbox or Google Drive. Other key measures include:
1. Utilising a data loss prevention solution
If a business has a data loss prevention (DLP) solution in place, it's possible to tag files by level of sensitivity, making it easier to identify how confidential the data being taken is. For example, if confidential files are attached to emails and sent to a personal webmail domain such as Gmail or Hotmail against company policy, DLP would flag this. A security analyst can then investigate the incident to establish the intent of the individual sending the file and how sensitive its content was.
2. Leveraging machine learning
More recently, security vendors have started to leverage machine learning in their solutions to take the strain off analysts, who historically have had to manually investigate every alert created. Machine learning has another trick up its sleeve as well: the ability to build a baseline of normal behaviour for an individual or a computer over time. Once created, anything outside of an employee's or computer's 'normal' activity is automatically flagged for further analysis, making it much faster for security teams to weed out suspicious behaviour. The baseline needs a sufficiently long and clean learning window, though, because the model can only flag departures from whatever it has already learned as normal.
3. Recognising who or what is accessing information
It’s also important to remember that size isn’t everything and large amounts of data egress aren’t always cause for alarm. Often, it can simply be the result of corporate data backups taking place. On the flip side, many sensitive trade secrets can be stolen in just a single file, which is why it’s so important to know exactly who or what is accessing this kind of information and ensuring the right level of protection is in place around it.
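The three signals described above (volume spikes measured against a user's own baseline, DLP sensitivity tags on files going to personal webmail or removable media, and ignoring known backup accounts so that size alone does not raise an alarm) are brought together in the following triage script. It is an added example written for this article, not Digital Guardian's code or any vendor's product logic; the user names, domains, sensitivity labels, byte counts and the seven-day history are all constructed, and the z-score threshold of 3 is an arbitrary illustrative choice.

```python
"""Departing-employee egress triage over constructed sample events.

Added example, not Digital Guardian code. It scores three signals the article
describes: a user's daily egress volume far above their own historical
baseline, any Confidential-tagged file leaving to personal webmail or
removable media (regardless of size), and suppression of known backup service
accounts whose bulk transfers are expected. All names and numbers are invented.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# Assumptions: personal webmail domains, backup service accounts exempt from
# volume alerting, and the set of users currently serving notice (HR feed).
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}
BACKUP_ACCOUNTS = {"svc_backup"}
DEPARTING = {"alice"}

# Constructed seven-day history of daily egress bytes per account.
BASELINE = {
    "alice": [50_000_000, 40_000_000, 60_000_000, 45_000_000,
              55_000_000, 52_000_000, 48_000_000],
    "bob": [200_000_000, 210_000_000, 190_000_000, 205_000_000,
            195_000_000, 200_000_000, 198_000_000],
    "svc_backup": [4_000_000_000, 4_100_000_000, 3_900_000_000, 4_000_000_000,
                   4_200_000_000, 4_000_000_000, 4_100_000_000],
}

# One egress event as an endpoint/DLP agent might record it.
Event = namedtuple("Event", "user channel dest path sensitivity size")
Alert = namedtuple("Alert", "user reason priority evidence")

# Constructed events for "today".
SAMPLE_EVENTS = [
    Event("alice", "email", "gmail.com", "Q3_pricing.xlsx", "Confidential", 300_000),
    Event("alice", "cloud", "dropbox.com", "projects.zip", "Internal", 2_000_000_000),
    Event("bob", "email", "partner.example.com", "contract.pdf", "Confidential", 2_000_000),
    Event("bob", "usb", "SanDisk_1A2B", "holiday_photos.zip", "Public", 90_000_000),
    Event("svc_backup", "cloud", "backup.example.net", "nightly.tar", "Internal", 4_500_000_000),
]


def zscore(value, history):
    """Standard deviations of value above the account's own historical mean."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if value <= mu else float("inf")
    return (value - mu) / sd


def priority_for(user):
    """Users serving notice get their alerts prioritised for review."""
    return "high" if user in DEPARTING else "normal"


def triage(events, z_threshold=3.0):
    """Return Alerts for sensitive-file egress and per-user volume spikes."""
    alerts = []

    # Signal 1 (DLP tag + destination): a single Confidential file to personal
    # webmail or removable media is enough, however small it is.
    for e in events:
        if e.sensitivity != "Confidential":
            continue
        to_personal_mail = e.channel == "email" and e.dest.lower() in PERSONAL_DOMAINS
        if to_personal_mail or e.channel == "usb":
            alerts.append(Alert(e.user, "confidential_file_egress", priority_for(e.user),
                                f"{e.path} -> {e.channel}:{e.dest}"))

    # Signal 2 (volume vs own baseline): sum today's bytes per account and
    # compare with that account's history rather than a global threshold.
    totals = defaultdict(int)
    for e in events:
        totals[e.user] += e.size
    for user, total in totals.items():
        if user in BACKUP_ACCOUNTS:
            continue  # expected bulk movement, not an insider signal
        history = BASELINE.get(user)
        if not history:
            continue  # no baseline yet, so a deviation cannot be judged
        z = zscore(total, history)
        if z >= z_threshold:
            alerts.append(Alert(user, "egress_volume_spike", priority_for(user),
                                f"{total} bytes today, z={z:.1f}"))
    return alerts


def reasons_by_user(events):
    """Convenience view {user: set(reasons)} for the exit-interview discussion."""
    out = defaultdict(set)
    for a in triage(events):
        out[a.user].add(a.reason)
    return dict(out)


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(a)
```

On the constructed data, only alice is flagged, once for a 300 KB Confidential spreadsheet sent to Gmail and once for total egress far above her own seven-day norm; bob's Confidential contract to a business partner domain and his small USB copy of Public files raise nothing, and the backup account's multi-gigabyte transfer is ignored by design. Comparing each account to its own history, rather than to a fixed size limit, is what lets the same rule catch a low-volume user moving ten times their usual data while staying quiet for accounts that always move a lot.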
Fortunately, the tactics used by departing employees haven’t changed dramatically in the last 15+ years. While there might occasionally be a rogue employee with the technical know-how to hide stolen data in an image file and leverage steganography to sneak it out, such cases are extremely few and far between. As such, with the right safeguards and mechanisms in place to monitor for telltale behaviour and challenge employees where necessary, businesses of all shapes and sizes can make great strides towards minimising or even eliminating the threat posed by this group.