Disgruntled Employees and Data: a Bad Combination

The impact of disgruntled individuals is as old as the history of humans. Confucius once said, “When anger rises, think of the consequences.” Although he never saw or imagined a data center, his wisdom should be carefully considered by managers of data centers.

“Data leakage by disgruntled employees is a very real problem,” says Brian Cleary, vice president at Waltham, Mass.-based Aveksa. “Organizations are struggling with the number of them who try to take confidential and highly valuable data for malicious intent or financial gain.”

Consider the following statistics from a survey of IT professionals by Ipswitch, a Lexington, Mass.-based global provider of secure file transfer solutions:
The issue is further complicated by orphaned accounts: accounts of people who have left a company that remain open and accessible far too long. “It’s absolutely critical that employees only have access to what they should have access to and nothing more,” says Cleary. The risk of disgruntled employees leaking information increases when employees gain unnecessary access privileges through promotions or transfers within an organization.

HR Plays a Big Role

Human Resources departments should be the first line of defense for many companies. HR experts are expected to conduct thorough interviews of all candidates, using their experience to make sure that individuals being considered are honest, have impressive resumes, are there for the right reasons, and have both the right skill set and excellent references. Next, HR should perform background checks that include credit scores and drug tests, depending on a company’s policy. This process can take from three to six weeks but pays significant dividends in identifying potentially problematic individuals.

It’s also important that HR communicates with IT on issues such as when an employee should be terminated—down to the minute—as well as how denial of access will be implemented and what other instructions should be followed. Appropriate policies and procedures should dictate the termination process to protect the organization, while an IT or operations manager needs to enforce the data center policies, which include access control verification and no physical access without a designated escort.

One HR professional, who asked to remain anonymous, talked about a specific incident. “Years ago, we had to let a CIO go. A CIO typically has multiple passwords and very easy access to virtually everything. We had to bring in a network specialist to make sure we had taken away his ability to get in. He was disgruntled—and so were we with him—so we suspected he might do something.
We found five different ways he could get into the system. So we did an intrusion test to verify that we’d blocked those five entryways, as well as to discover whether he could find another way to get in. All this was done prior to his termination, with people who worked for him. It had to be kept extremely confidential. I don’t even think we told the people why these tests were being conducted. They thought we were just doing an intrusion test for generic security purposes, but we were really protecting ourselves against this person who had great access to everything in our system. IT and HR were very involved in coordinating this ‘underground operation.’”

The consequences we fear from unhappy employees or other internal threats can be avoided, but the price for this is vigilance. The problem itself is complex: It’s more than an IT problem or a data center problem; it is an organizational problem, and one best addressed by close coordination across departments such as HR and IT.

Best Practices

Here’s a list of best practices for mitigating IP theft, IT sabotage and fraud from CERT, home of the well-known CERT Coordination Center. Based at Carnegie Mellon University’s Software Engineering Institute, the center focuses on identifying and addressing existing and potential threats, notifying system administrators and other technical personnel of these threats, and coordinating with vendors and incident response teams to address them.