Guarding Against The 'Inside Job'

In your quest to achieve a balance of security in your corporate environment, you have taken the time to establish a hardware security policy, including things such as auto-update for operating systems and applications.

It might also include a back-up policy for data and a mandatory hard wipe for laptops that are shared within the organization for travel purposes. This precludes data from unintentionally ending up with an unauthorized user.

You’ve also educated your organization regarding external threats, whether from dedicated hackers intent on stealing your corporate knowledge, or from random attacks designed to take advantage of weaknesses in your security policy and practices. This education has included good email practices and safe surfing habits.

So far, so good.

There’s one more category of threat we need to consider: the inside job.

Consider the contractor who is on your network to provide some type of service. Perhaps a company is assisting with infrastructure issues like cable-pulling, or an outside accounting firm is helping with a finance upgrade. You’ve done the check on the company; they’re reliable, reputable and their employees are competent and courteous. What else do you know about these outside “insiders”?

This is just one element of what is probably the hardest problem to approach: The people you give trusted access to your network and your assets. Let’s look at several different types of personnel that might account for the loss of sensitive information or damage to your network and corporate assets.

Meet the Ex

Newly terminated employees can be cause for worry. They may be leaving of their own accord, or they may have been escorted off the premises for some malfeasance. Either way, it is very important that any “doors” of access for this individual are closed – immediately – on departure.

Authentication tokens should obviously be removed. Also, ensure that logins are no longer enabled and that any account access, remote or local, is also closed. Many organizations believe removing remote access is sufficient to protect themselves. In a large organization, however, it is a simple matter to “shoulder surf” through a secure door, plug into a jack in a conference room, and be on your way. If management hasn’t terminated building access and confiscated ID cards, this act of network trespass requires no effort at all.
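The check the paragraph above calls for can be automated: correlate authentication logs against the HR departure list so that any login, local or remote, by a terminated account is flagged. This is an added example, not part of the original article; the log lines, roster and line format are constructed for illustration.

```python
# Added example: detect post-termination access by departed employees.
# Both the HR roster and the log lines below are constructed sample data.
from datetime import datetime

# Constructed HR roster: username -> termination timestamp (None = still active)
TERMINATED = {
    "jdoe": datetime(2023, 9, 25, 17, 0),
    "asmith": None,
}

# Constructed auth log: "<ISO timestamp> <result> <user> <method> <source>"
# 'local' means a wired/console login, 'vpn' a remote one.
SAMPLE_LOG = """\
2023-09-25T16:10:00 SUCCESS jdoe vpn 203.0.113.7
2023-09-26T09:14:32 SUCCESS jdoe local conf-room-3
2023-09-26T09:20:11 FAILURE jdoe vpn 203.0.113.7
2023-09-26T10:02:45 SUCCESS asmith local desk-112
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, result, user, method, source = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user, "method": method, "source": source}


def find_post_termination_access(log_text, terminated=TERMINATED):
    """Return every event in which a terminated user authenticated after
    their termination time. Failed attempts are included: a departed
    employee trying a door, local or remote, is worth investigating too."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        cutoff = terminated.get(ev["user"])
        if cutoff is not None and ev["ts"] > cutoff:
            findings.append(ev)
    return findings


def local_access_after_termination(log_text, terminated=TERMINATED):
    """Narrow to successful local logins, the path most often left open
    when only remote access is revoked."""
    return [ev for ev in find_post_termination_access(log_text, terminated)
            if ev["method"] == "local" and ev["result"] == "SUCCESS"]
```

Feeding this the same data from a SIEM export would turn the "remote access removed, but the badge still works" gap into an alert rather than a surprise.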

Meet the New Ex, Same as the Old Ex

This is an individual who is already mentally “out the door.” This employee comes in two classes: One has already submitted a resignation notice; the other hasn't, only because they’re still looking for a new job.

The newly resigned employee is simple to spot, but it’s up to the company to decide how they will be handled. Policy should dictate whether the employee remains on the job, or is asked to take the two weeks as a paid vacation, and escorted off the property.

Any policy should be consistently enforced. Yet there will be times when a policy exception might be needed. In these cases, a written waiver from the employee will minimize the risk to the company regarding discrimination, defamation or even wrongful termination. Below we’ll look at what some of those exceptions might be.

If an employee is authorized to stay during the resignation period, perceived mistreatment by supervisors can lead to a more vindictive attitude by the departing employee. Whether there has been longstanding disagreement, or the supervisor takes the resignation as a personal affront, it may cause the departing employee to have less than charitable thoughts toward the organization.

Management should know the working atmosphere of their direct reports and of the next level down. Such knowledge helps to determine whether personal dynamics put company assets at risk. An early exit interview will provide insight into the situation. The outcome may be an adjusted working arrangement, or the employee may be willing to sign a waiver for an early departure.

Whatever works best should be used. There is no reason to give the employee the reason and the opportunity to take advantage of continued access.

Almost an Ex

The soon-to-be ex-employee is a much harder dilemma. If we go back to the issue of supervisor-employee compatibility, we can identify some individuals who may be at risk for security violations as they leave the company.

Not all employees who leave due to disagreement are looking to rip off the company. And not all employees who have longstanding disagreements are looking to leave the company.

However, if you have an employee who is clearly disgruntled with every aspect of his or her corporate life, you should be prepared to have a discussion outside the “performance evaluation” arena to determine what the issues are, and whether they might lead to a security breach. If this conversation is held during the evaluation process, it’s less likely the employee will be forthcoming about difficulties with co-workers.

As I said earlier, managers at all levels need to be aware of these interactions to identify potential problem areas. Human resources and policy dictate much of what supervisors and managers can do in this area. You should be familiar with your policy, and use it as a tool for identifying areas that may lead to security incidents.

On Wednesday, September 27, I will be discussing these and other types of personnel who might pose a security threat to your company from the inside. Join me as I explore the qualities that make an internal hacker unique. We’ll also look at principles you can put into action to minimize your risk in this area.
