How to Stop Insider Threats from Departing Employees

David Green is chief security officer of Veriato, a company that focuses on user activity monitoring and user behavior analytics.

When any employee announces plans to permanently leave their post, federal agencies and contractors need to immediately act to prevent any classified data from going with them. Whether they’re disgruntled from a poor review, need to move on when President-elect Donald Trump takes office in January or simply received a better offer, the possibility they might take sensitive information with them that they shouldn’t isn’t so far fetched.

Remember National Security Agency contractor Edward Snowden, who electronically shared classified documents with our country’s enemies while claiming to be a whistle-blower trying to protect the nation? Or more recently, Harold T. Martin III, another former NSA contractor accused in October of stealing 50 terabytes of classified data over 20 years?

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

According to the IBM 2016 Cyber Security Intelligence Index, insiders carried out 60 percent of all attacks in 2015, with nearly 75 percent having malicious intent and knowingly stealing valuable information from their organization. Even worse, Insider Threat Spotlight Report found as of this summer, 58 percent of organizations still lack the appropriate controls to prevent insider attacks.

If you don’t have an insider threat prevention program in place already, follow these immediate steps going forward:

Start monitoring employees today: If you aren’t using software to monitor and analyze employee behavior (i.e. user behavior analytics), install it now before it’s too late. While it would have been helpful to have it in use already, begin tracking any activity now, especially involving any means by which to copy, move or transfer agency data and all methods of communications.

Establish an insider risk team and meet ASAP: Immediately schedule an insider risk meeting with representatives from executive management, HR, info security and legal to own the process. To properly use the UBA software, this team needs to work together to assign risk levels to each agency position (on a scale of 1-10) based on their access to classified information. Admins may have a low score, and privileged users a high score. (This quantifying risk worksheet will help). Quickly define normal behavior baselines for each user, and then, when the UBA software sends alerts showing the user’s score change by a certain number of points, it’s time to investigate more closely.

This team should also establish (or review) an acceptable use policy and confidentiality and intellectual property agreements that outline what data employees can take with them when they leave and what needs to stay behind, as well as any consequences for its removal. Having them review and sign this form should detract most employees from removing data that doesn’t belong to them.

Communicate, communicate, communicate: Schedule meetings with each departing employee to review or sign the policies discussed above, and let them know—or remind them—their behavior is being monitored until their last day. Also, let all employees know how to report concerning or disruptive behavior by coworkers.

Now what? While the above steps should be implemented immediately, other exit steps should be put into place over the next few months, and beyond. For example, human resources needs to alert IT as soon as the employee has officially terminated employment so IT can remove access to all data, applications, systems and networks. This should include login credentials, cloud services and virtual private network access. Passwords for shared or service accounts should be changed.

While any insider risk is difficult to determine, being able to specifically monitor (or increase the monitoring of) any departing employees should help reduce the chance.