It might also include a back-up policy for data and a mandatory hard wipe for laptops that are shared within the organization for travel purposes. This precludes data from unintentionally ending up with an unauthorized user.
Youve also educated your organization regarding external threats, whether from dedicated hackers intent on stealing your corporate knowledge, or from random attacks designed to take advantage of weaknesses in your security policy and practices. This education has included good email practices and safe surfing habits.
So far, so good.
Consider the contractor who is on your network to provide some type of service. Perhaps a company is assisting with infrastructure issues like cable-pulling, or an outside accounting firm is helping with a finance upgrade. Youve done the check on the company; theyre reliable, reputable and their employees are competent and courteous. What else do you know about these outside insiders?
This is just one element of what is probably the hardest problem to approach: The people you give trusted access to your network and your assets. Lets look at several different types of personnel that might account for the loss of sensitive information or damage to your network and corporate assets.
Meet the Ex
Newly terminated employees can be cause for worry. They may be leaving of their own accord, or they may have been escorted off the premises for some malfeasance. Either way, it is very important that any doors of access for this individual are closed immediately on departure.
Authentication tokens should obviously be removed. Also, ensure that logins are no longer enabled and that any account access, remote or local, is also closed. Many organizations believe removing remote access is sufficient to protect themselves. In a large organization, however, it is a simple matter to shoulder surf through a secure door, plug into a jack in a conference room, and be on your way. If management hasnt terminated building access and confiscated ID cards, this act of network trespass requires no effort at all.
Meet the New Ex, Same as the Old Ex
This is an individual who is already mentally out the door. This employee comes in two classes: One has already submitted a resignation notice; the other hasn't, only because theyre still looking for a new job.
The newly resigned employee is simple to spot, but its up to the company to decide how they will be handled. Policy should dictate whether the employee remains on the job, or is asked to take the two weeks as a paid vacation, and escorted off the property.
If an employee is authorized to stay during the resignation period, perceived mistreatment by supervisors can lead to a more vindictive attitude by the departing employee. Whether there has been longstanding disagreement, or the supervisor takes the resignation as a personal affront, it may cause the departing employee to have less than charitable thoughts toward the organization.
Management should know the working atmosphere of their direct reports and the next lower level. Such knowledge helps to determine whether personal dynamics risk company assets. An early exit interview will provide insight to the situation. It may need an adjusted working arrangement, or the employee may be willing to sign a waiver for an early departure.
Whatever works best should be used. There is no reason to give the employee the reason and the opportunity to take advantage of continued access.
Almost an Ex
The soon-to-be ex-employee is a much harder dilemma. If we go back to the issue of supervisor-employee compatibility, we can identify some individuals who may be at risk for security violations as they leave the company.
Not all employees who leave due to disagreement are looking to rip off the company. And not all employees who have longstanding disagreements are looking to leave the company.
However, if you have an employee who is clearly disgruntled with every aspect of his or her corporate life, you should be prepared to have a discussion outside the performance evaluation arena to determine what the issues are, and whether they might lead to a security breach. If this conversation is held during the evaluation process, its less likely the employee will be forthcoming about difficulties with co-workers.
As I said earlier, managers at all levels needs to be aware of these interactions to identify potential problem areas. Human resources and policy dictate much of what supervisors and managers can do in this area. You should be familiar with your policy, and use it as a tool in identifying areas that may lead to security incidents.
On Wednesday, September 27, I will be discussing these and other types of personnel who might pose a security threat to your company from the inside. Join me as I explore the qualities that make an internal hacker unique. Well also look at principles you can put into action to minimize your risk in this area.