Mitigating Insider Threat when Employees Leave
Insider threat is the threat to an organization’s critical assets posed by trusted individuals , including employees, contractors, and business partners, authorized to use the organization’s information technology systems. Insider threat programs within an organization help to manage the risks due to these threats through specific prevention, detection, and response practices and technologies.
The goal of any insider threat program should be to prevent, detect, and respond to insider threats. Through analysis of insider threat information it has been determined that 70 percent of insiders who stole intellectual property from an employer did so within 60 days of their termination from an organization. Therefore upon termination, whether voluntary or forced, the organization should disable insider’s accesses. During the exit interview, the organization must review existing agreements regarding intellectual property (IP). Suspicious behaviors including uncharacteristically large downloads of intellectual property should be handled either by the human resources or legal departments or a combination of both.
The following is a high-level outline of a pattern for disabling access after an insider leaves an organization for other employment.
• Screen employees
• Agree on IP ownership
• Periodically raise security awareness
• Log employee actions
• Increase monitoring due to an employee’s pending departure
• Reconfirm employee agreements on departure
• Eliminate methods of access after departure
• Monitor activity after departure
Mitigating theft of IP at departure involves ensuring that the organization increases their monitoring of any insider with access to critical assets for specific suspicious behaviors when the insider resigns or is terminated. In addition, the insider must agree to and be reminded that they can’t take organization-owned IP with them.
If you are interested in learning more about defending against insider threats you may read other insider threat blogs at the National Cybersecurity Institute website.
Source: Designing Insider Threat Programs, https://blog.sei.cmu.edu/post.cfm/designing-insider-thread-programs-272