Learn From Past Incidents

Insider attacks are common enough that there will be repeat incidents. Take precautions so that the latest incident can’t be repeated again. IT can write an automated script that can monitor and detect if someone else gets recruited to run the scam again. The company can invest in technology to flag users sending source code through email to an external account or copying data onto a USB drive.

Yes, everything is important, but there is one thing that is even more important. That one thing, if stolen and given to a competitor, could be disastrous. Protect that. Examine how people have access to that data and what protections are in place. Organizations need to know what their “Crown Jewels” are and put in controls to block the threat.

Organizations have generally deployed technology to keep people outside the network from coming inside. Instead of getting entirely new systems to look at the people on the inside, think of how existing technology can be used differently. Start examining the traffic going out of the network, as well as what is coming in, to see how information is flowing in and out of the company.

Contractors and third-party service providers are insiders, too. Make sure they can’t take information stored in your systems for one customer and give it another customer. Their access should be limited to a strict need-to-know basis, and there should be regular monitoring to see what information has been accessed.

Employees who are exceptionally angry or with a history of unresolved issues bear extra watching. Several instances of IT sabotage are actually launched after the employee left the company. If an employee is sending threatening letters to management, consider that a sign. If an employee with a background as a system administrator is working as a night guard, find out why.

Warn employees that they may be contacted by outside recruiters to run these scams. If employees are aware their managers know this can happen, that can act as a deterrent from joining in the first place. In a credit card environment, it is possible to see if the same employee is approving a high number of users for credit cards that end up defaulting.

Resignation is a very important time period for employees and employers, especially since that is when a bulk of IT property theft occurs. IP theft generally occurs within 30 days of submitting a resignation, so those employees should be carefully monitored. After an employee gives notice, it is also worth checking what happened 30 days prior, as well. Fraud thieves are typically happy and work effectively because they want the scam to continue.

Auditing employee actions can raise a lot of legal issues. Make sure the company is protected by involving the general counsel and making sure all requirements are met.

Detecting, catching and preventing an insider attack is not just the job of the security or the IT team. Everyone should be involved in the process, whether it’s encouraging employees to notify management if they see a colleague sending files to a personal account, or putting together programs to discuss how to handle situations when a criminal recruiter comes knocking on the door.

Organizations have to get buy-in from top management and work to build an insider threat team immediately. The problem is too common and too devastating to postpone. Create policies approved by general counsel, develop processes and implement controls. Once it is rolled out, consistently enforce policies.