How to Reduce the Risk of Former Employees Coordinating with Insider Threats

When it comes time for an employee to leave your organization, you want it to be on friendly terms. 

But there are definitely limits to how friendly you want folks to be after they leave. Especially when it comes to accessing materials from their old position for their new endeavors. 

In a recent bizarre case, it was reported that a former acting Department of Homeland Security Inspector General has pleaded guilty to stealing government software and data for use in his own product.

According to reports from the Record, Charles K. Edwards allegedly stole proprietary software and personally identifiable information (PII) belonging to federal employees from both DHS and the U.S. Postal Service where he had previously served in their Office of Inspector General division. He apparently used these ill-gotten resources to sell a similar version of his former office’s case management software to other federal agencies. 

Interestingly, besides the fact that the person who was supposed to be in charge of investigating misdeeds themselves being the thief, was the reports that he had inside help. He is alleged to have worked with a former employee of his who was still at the DHS at the time, who helped him not only steal the software and databases, but set him up at home to work with it as well.

While there are no details in the Department of Justice release explaining how he got caught, it is possible that he might have set off some spidey senses when trying to sell other federal agencies a version of the software. A string of other convictions in his not-so-recent past may have led folks to believe that he may have been up to no good, leading them to alert authorities. 

However, he was found out and his case provides a good reminder of the need to ensure that soon-to-be-ex-employees do not leave with more than they are supposed to. As well as another reminder that those still working at your organization do not aid in leaking valuable information to their former colleagues.

Data loss by former employees is exceedingly common. A report from 2019 showed that 72% openly admitted to taking materials from their previous employers. 

In most cases, these incidents likely included lower-risk data like contacts or other bits that were probably not that harmful to their organization. These folks know that they should not be taking company property with them, but they do not intend to use them for harm or out-of-bounds advantages for their next gig. 

But in other cases where critical data like intellectual property, trade secrets, customer lists, and plenty of other valuable items like source code are taken, catching the perpetrators is essential. 

Here below are a couple of tips to keep in mind when thinking about how to minimize your risk from insider threats.

An employee knows that they are going to quit long before your security team does. This gives them plenty of time to start storing away bits and bytes of information that they may want to take with them on their way out. 

While an employee can become a malicious insider at any time, they are most likely to act in devious ways in the lead up to their departure. This is because they have already made their decision to leave so feelings of loyalty are low and incentives to take something of value is highest. It is at this time that they may decide to start downloading data or moving it out to different cloud services where they have personal accounts that they can later access after they leave.

Organizations should always have monitoring tools that look for and log downloads of data or other large transfers. This should be running regularly in the background, flagging when valuable data is being exported. That is just good security practices.

But you especially need to put focus on those employees who have already given notice. Be sure to keep an extra set of eyes on these individuals’ activity before and after they leave to make sure that there is no untoward activity afoot.   

As we saw in the case with Edwards, he had help from the inside. 

It has become increasingly common for hackers like ransomware crews to reach out to employees to “entice” them into helping with their attacks, so the concept of an insider being used by external baddies is far from something new.

But it is not uncommon for employees to keep in touch with their former colleagues in activities that might otherwise pass as normal. Those former employees may try to leverage their relationships for personal gain. 

Monitoring employee communications, including email, chats, and others can be a good deterrent since it can raise the risks of getting caught. It is key though that you remind people that they are being monitored for both transparency and deterrence reasons. 

We need to consider here that if the bad actors here are smart, then they will avoid using any company resources, like Slack or their email, that can be monitored. That is if they are smart. Many more are not.

It is surprising how often people will use channels that they should otherwise know are monitored for sending messages that they should not be. 

In monitoring the communications technologies that your organization owns, you are potentially making it more difficult for the insider to operate by denying them channels. In addition, you are increasing your probability of catching them in the act.    

Over time, we become creatures of habit. We use the same tools, access the same kinds of folders and files, etc. In short and with some variation, we become fairly predictable within the scope of our work and create a baseline of behavior.

If we deviate from this baseline, it should at the very least raise a red flag or two.

Monitoring employees for taking actions that fall outside the boundaries of their normal activities is generally considered to be best practices. The most common example here is if they are accessing resources that they normally do not, but of course, file transfers and similar out-of-character activities that do not match their user’s standard behavior may also serve to draw attention.

If your organization is practicing good segmentation between resources and responsibilities, then no one person should be able to come away with too big of a data haul based on their own domain. In this case, they will either have to recruit more co-conspirators or step outside of their normal habits to get ahold of larger amounts of data. 

If you are monitoring with User Behavior Analytics (UVA) tools, then we stand a better chance of catching them at this point of departure. 

Working with colleagues over time builds bonds of trust. Or at least it should if your culture was a good one. 

And it makes us want to be helpful to the people that we like and work with. 

The challenge for organizations is to clarify where the lines lie when it comes to helping out former colleagues. 

Give a reference or return a personal item that they left in the office? Sure, help a pal out.

Pass along proprietary information or help them to set up their new business at your organization’s expense? That is a line too far.

This is never a fun conversation but it is a necessary one. The past few years of remote work have meant a lot of career shifts for people leaving jobs, going out on their own, moving to new companies. Building a real esprit de corps within organizations is tough when folks do not show up to the office on a regular basis.

Moreover, we are probably now more entrepreneurial than before. Having experienced how our own job situations are more than a little unstable, we are all on the lookout for opportunities. Even if we are just keeping them in our back pockets. Saying no to helping out a friend who has left the organization and might give you a hand down the line can be hard.

Some folks might edge up to the gray, fuzzy line. Or even cross it. 

Hopefully, well-defined policies and training can clarify what is and is not ok, and when backed up with monitoring, organizations can significantly reduce their risk.