Today’s headlines are replete with data breaches and cybercrime committed by foreign spies and international crime rings. This threat, while very real, can sometimes obscure another, more insidious threat lurking right outside an IT director’s office: the malicious insider. A “malicious insider” is a current or former employee, contractor, or business partner who has (or had) authorized access to an organization's network and who intentionally misuses that access in ways that damage the employer.
Corporate employers rarely investigate an employee’s activities at the time of departure. Instead, months pass before clues surface that confidential data was misused, at which point important data is often seriously compromised or no longer available.
Even under these circumstances, investigators can take meaningful investigative steps, including an analysis of network security logs, restoring backup tapes, forensic analysis of computers and an analysis of travel, expense reports and cell phone records as well as a review of social media postings.
These corporate investigations would yield more useful evidence, however, if companies planned ahead and investigated a malicious insider’s activities concurrent with their departure from the workplace. To win a theft of trade secrets claim, for example, the victim must prove that the information stolen was treated as a secret and reasonable efforts were made to maintain its secrecy. Meeting this standard compels a timely and thorough approach, key elements of which include the following:
1. Identify and secure “crown jewel data”
If you don’t know where mission-critical data resides, it’s difficult to determine whether it has been stolen. So as a first step, an organization should identify its most valuable secrets. This is the information that, if compromised and shared externally, would cause significant economic and reputational harm. This data should be segregated on the corporate network with maximum, access-controlled security.
2. Tag your crown jewel data
Digital marking represents a highly effective means of proving that certain data was both secret and secured. For example, web bugs can be deployed to track confidential email. These are invisible to a user but send tracking data that reveals when the email has been opened by the recipient. As with any complex technology, corporate officials charged with data security should keep abreast of technological advances and assess the relevance for their own environment.
3. Enable logging functions on servers
Network servers provide a wealth of logging information, including IP addresses, time and date stamps of access, failed access attempts, unauthorized changes to user rights, suspicious or unauthorized network traffic patterns and application installations. These log files can be critical in building a case against a malicious insider. For example, access and deletion patterns that are inconsistent with a user’s prior activity are a huge red flag.
Additionally, security alerts to network administrators concerning the use of wiping software or software downloads can be a highly effective deterrent to theft. Thieves typically download data during multiple user sessions, so it is feasible to discover the theft before any real damage takes place.
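The “inconsistent with prior use” check from point 3, written out as an added example that is not part of the original article: it compares each user’s daily read and delete counts against that user’s own earlier days, so a bulk download spread over several sessions stands out before the data is gone. The log format (date, user, action, path) and the sample lines are constructed for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample file-server log, one event per line: "YYYY-MM-DD user ACTION path".
# Days 1-4 are alice's normal baseline; day 5 is a bulk read followed by deletions.
SAMPLE_LOG = "\n".join(
    [f"2024-03-0{d} alice READ /shares/finance/report{d}.xlsx" for d in range(1, 5)]
    + ["2024-03-01 bob READ /shares/eng/spec.docx"]
    + [f"2024-03-05 alice READ /shares/finance/file{i}.xlsx" for i in range(40)]
    + [f"2024-03-05 alice DELETE /shares/finance/file{i}.xlsx" for i in range(10)]
)

def parse_log(text):
    """Yield (day, user, action, path) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield tuple(parts)

def daily_activity(events):
    """Return {user: {day: {"READ": n, "DELETE": n}}} from parsed events."""
    acts = defaultdict(lambda: defaultdict(lambda: {"READ": 0, "DELETE": 0}))
    for day, user, action, _path in events:
        if action in ("READ", "DELETE"):
            acts[user][day][action] += 1
    return acts

def flag_anomalies(text, spike_factor=5, min_history=3):
    """Flag days whose activity departs from the same user's earlier days.

    Baseline is the median daily total over all prior days (at least min_history of them).
    Two flags: a total-volume spike, and deletions by a user who never deleted before.
    Each flag is (user, day, reason, count, baseline).
    """
    flags = []
    for user, days in daily_activity(parse_log(text)).items():
        history = []  # (reads, deletes) for earlier days, in date order
        for day in sorted(days):
            reads, deletes = days[day]["READ"], days[day]["DELETE"]
            if len(history) >= min_history:
                baseline = median(r + d for r, d in history)
                if reads + deletes > spike_factor * max(baseline, 1):
                    flags.append((user, day, "volume_spike", reads + deletes, baseline))
                if deletes and not any(d for _, d in history):
                    flags.append((user, day, "first_deletions", deletes, 0))
            history.append((reads, deletes))
    return flags

if __name__ == "__main__":
    for flag in flag_anomalies(SAMPLE_LOG):
        print(flag)
```

Users with fewer than `min_history` prior days (bob here) are never flagged, which is why the baseline must be collected before a departure is announced rather than after.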
4. Review access protocols and secure “administrative rights”
In many organizations, entry level IT staff possess “administrative rights” to entire networks. Because of this broad access and specialized, detailed knowledge of the network, organizations are particularly vulnerable to theft by IT staff. Administrative rights should therefore be granted sparingly and according to need, and no one person should have access to the entire system. Segregation of duties, which mitigates fraud in internal accounting departments, is equally applicable to IT departments.
5. Conduct trade secret training
Employees with access to confidential trade secrets need to be trained to understand the nature of the secrets and their obligations to protect them. Additionally, employees need to be trained not to misappropriate any confidential data from other organizations, which could otherwise expose their employer to liability.
6. Promulgate and enforce terminating employee protocols
Companies must protect their interests when an employee is terminated. This starts with a comprehensive set of data security measures, including removing corporate data from personal devices, reviewing log files to determine the departing employee’s access to documents and devices, and terminating all access to corporate data. These early warning steps can help mitigate damage through detection and preservation of critical evidence that otherwise might be lost or corrupted.
7. Consider data loss protection software
Data loss protection software detects and prevents potential data breaches by blocking access to sensitive data while it is used, stored and moved through the company’s network. This capability is often deployed to protect networks from malicious outsiders such as hackers, but it is not always designed to prevent theft by insiders, many of whom have legitimate access to the data they steal.
8. Limit storage on laptops and local devices
Limiting the storage on laptops and other local devices represents another important preventative measure. This forces users to only keep the data they currently need while ensuring that large datasets will be maintained on more secure network servers instead of vulnerable local devices.
9. Update non-competition agreements
Non-competition laws constantly evolve, so organizations must ensure any such agreements are updated and enforceable. Employment lawyers should routinely review and update agreements accordingly, particularly for key employees or those with access to your most valued secrets.
10. Identify response team before an incident
Identify a multi-disciplinary team with the skills necessary to investigate theft. This team will document the findings, pursue legal and criminal recourse if appropriate, and mitigate any security weaknesses uncovered. This team typically consists of in-house and outside legal counsel, in-house IT, and outside computer forensic and damages experts.
Malicious insiders are a threat that cannot be completely eliminated. But by deploying some basic security protocols early in the process and taking time to trace the threat, you can stop the insider in their tracks.