Cybercrime took center stage in 2017, and 2018 will be no different. From ransomware attacks like Petya and WannaCry to the NSA breach, all signs point to the insider threat as the root cause of these incidents.
The insider threat became all too real for the chemical company Chemours when it was found that an insider stole plans for a new sodium cyanide plant valued at around $150 million. Over the course of several years, the employee stole intellectual property and trade secrets from his employer and planned to create a competing factory with the stolen information. Chemours was able to recover its stolen property, but not without elapsed time, investigations, and legal involvement. Could the insider threat have been caught sooner to avoid damages? Many would say yes. Below are ways top HR Managers are protecting their data surrounding the offboarding process in 2018.
Monitoring: Conduct a 90-Day Lookback on Exporting Activity
Departing employees typically don’t exfiltrate data a day, a week, or even a month before leaving the organization. It’s usually around the 90-day period that they begin exporting. HR managers or associated team members should conduct a 90-day look-back as standard offboarding practice, even if alerts have not been triggered, to maintain peace of mind that data has not been inappropriately accessed. HR Managers and top organizations are using FairWarning for Cloud Security to proactively alert on such exporting activity to prevent data loss and inappropriate access prior to employees leaving the organization. Security incidents can be isolated before becoming a breach.
Go Beyond Disabling Accounts
If you’re in a BYOD environment, cell phone access to your environments can create risk. You should go beyond disabling a terminated employee’s account (e.g., Office 365) because a disabled account can easily be re-enabled. Once employee access is disabled, go past the 90 days and erase the user account.
If you’re using Active Directory, make sure IT personnel move departed employees into another organizational unit. Even if you’ve disabled the user, the account may for any reason end up enabled again, and you don’t want the user to be able to access the same permissions.
Monitor Login Activity (Past, Present, and Future)
Organizations should monitor for unusual login activity that may be associated with data exfiltration or inappropriate access. Using FairWarning for Cloud Security’s built-in behavioral analytics, an employee’s past behavior can be used to alert on unusual activity. Perhaps an employee is logging in at unusual hours, or from a location they’ve never logged in from before; FairWarning will proactively alert you on such behavior. FairWarning customers use this function even outside of the offboarding process. For example, are employees attempting to access your network after offboarding? Former employee accounts should continue to be monitored after the employee has left the organization.
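The 90-day lookback on exporting activity and the post-offboarding login check described above, sketched as an added example (not FairWarning's product logic and not code from the original article). The event tuples, their field layout, and the HR departure feed are constructed assumptions; a real audit log would need its own parser.

```python
from datetime import datetime, timedelta

# Constructed audit events: (user, event type, ISO timestamp, detail).
EVENTS = [
    ("alice", "export", "2017-09-01T14:00:00", "report: Q3 Pipeline"),
    ("alice", "export", "2018-01-10T09:12:00", "report: All Accounts"),
    ("alice", "login", "2018-03-20T02:41:00", "src=203.0.113.7"),
    ("bob", "export", "2018-02-02T11:30:00", "report: Price List"),
]
# Constructed HR feed: departing user -> last working day.
DEPARTURES = {"alice": "2018-03-15"}


def review(events, departures, lookback_days=90):
    """Flag exports in the lookback window and any activity after the last day."""
    findings = []
    for user, kind, ts, detail in events:
        if user not in departures:
            continue  # only departing or departed users are in scope
        last_day = datetime.fromisoformat(departures[user])
        window_start = last_day - timedelta(days=lookback_days)
        window_end = last_day + timedelta(days=1)  # last day counts in full
        when = datetime.fromisoformat(ts)
        if when >= window_end:
            # Any use of the account after offboarding needs investigation.
            findings.append((user, "post_offboarding_" + kind, ts, detail))
        elif kind == "export" and when >= window_start:
            findings.append((user, "export_in_lookback", ts, detail))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for finding in review(EVENTS, DEPARTURES):
        print(*finding, sep=" | ")
```

Running the review as a scheduled job against the current departure list, rather than once at exit, also covers the continued monitoring of former employee accounts.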
Train and Define a Culture to Create Change
To prevent data loss during an employee’s departure, organizations are building a culture of security and accountability. The idea is to move toward prevention rather than discovering breaches when the damage has already been done.
Below is a FairWarning Enterprise-level customer who implemented FairWarning. As you will see, the downward-trending graph is a result of the introduction of monitoring technology. Once employees found that they were being monitored and held accountable, the number of security incidents dramatically decreased, creating a well-defined culture of security:
Data Protection in the Year Ahead:
Organizations should continue to reassess what their employees have access to, and where their most sensitive data lies. Applying the “principle of least privilege” will reduce risk when it comes to employee access. Monitoring technology such as FairWarning for Cloud Security will not only help proactively protect your most sensitive data, but will also foster a culture of security and accountability, dramatically reducing risk of departing employees taking data with them before or during the offboarding process.