Getting Into The Heads Of Departing Insiders

Strong policies, human decency, and targeted communication can keep the semi-malicious insider from walking out the door with valuable IP

Here's an age-old security riddle: Where and when is theft of intellectual property (IP) not really theft? Answer: In the minds of your employees, when they're headed out the door for the last time.

Survey after survey has shown that departing employees view the raiding of customer lists and IP about as lightly as a toddler with a chair views his swipe at the cookie jar on the kitchen counter. Experts say that the only way to combat the mentality is to understand where it comes from. It is only then that enterprises can use smart people skills, solid policies, and unconventional educational techniques to keep insiders from flying the coop with the golden egg.

60-Day Danger Zone
According to an academic study of insider cases by researchers with CERT, the risk of insider theft of IP is the highest just before the employee resigns or is fired.

"Insiders stealing IP did so within a period of 60 days before termination 70% of the time," wrote CERT engineers in a report published last fall (PDF).

Just last week, Symantec shed some light on the employee mindset as these insiders set their feet out the door. A survey the firm released showed that half of employees who left or were fired from their jobs took corporate data with them, and 62 percent of them didn't think the practice was wrong. This validates a survey from Cyber-Ark last year that showed just less than half of employees IT managers and executives questioned said they would take proprietary data with them if they were fired tomorrow.

The numbers set up an interesting intellectual profile for the typical departing employee. Sure, there are the blatantly malicious insiders who systematically plunder corporate data stores in anticipation of taking that information to competitors -- AMD is accusing a ring of former employees of this kind of act. But that kind of employee is the outlier, says Robert Hamilton, director of product marketing for Symantec.

"There's a substantial number of people that just don't realize that what they're doing is committing theft," he says. "Their employers would consider it theft. And the company that they're going to would also consider what they brought with them to be contraband. So what is it about these individuals that causes them to believe that what they're doing isn't wrong?"

A big part of it, Hamilton surmises, is that the pride in their work leads them to believe that it belongs to them.

"They feel they have some ownership rights because they've invested a lot of their intellectual equity into it," he says. "Nobody is going to argue that you don't have ownership rights to everything that's in your head -- the issue is taking stuff in electronic form, putting it in unauthorized locations, and intending to use it on a job at a new employer."

In addition to that deeply seated belief in ownership rights, rationalization and an apparent lack of consequences can make a dangerous combination in the minds of those who may consider it a gray area of morality that they're willing to overlook.

"Some people might think that it may not be completely appropriate, but they're not seeing their companies or their organizations taking steps to do anything about it," Hamilton says. "There's this sense of, 'I'm going to get away with it because I've never seen anybody get in trouble for taking stuff that they shouldn't.'"

The Human Element Trumps All
Whether it's due to ignorance or fearlessness of reprisal, theft by otherwise honest departing employees has its roots at the human level, says Scott Crawford, research director for Enterprise Management Associates.

"Dealing better with people, recognizing what employees both need and want, and just plain being conscientious and ethical will go a long way toward mitigating these risks," Crawford says.

Employees who feel they've been dealt with fairly are a whole lot less likely to justify their actions in a disgruntled huff. Of course, corporate culture is a systemic issue that goes far beyond the purview of IT executives. But where IT has the opportunity to make a big difference is through cooperation with the business to develop clear data use policies and constantly communicate them.

"Organizations have a responsibility to clarify their policies on this," Crawford says. "They should also encourage dialogue with their personnel."

Without policies, not only are employees unclear as to their ethical responsibility to leave data behind, but the organization may lack legal recourse when information walks out the door, says Damon Petraglia, director of forensic and information security services for Chartstone.

"Every company needs an acceptable use policy. If the acceptable use policy says you are not allowed to download something, and you signed that, you know you broke the rule," he says. "Then organizations can start to establish some [illegal] intent there."

Using Monitoring To Target Communication
But measures shouldn't stop at an acceptable use policy and one-time signature. The reminders about those policies should be frequent. This starts first with broad-based communication across the board. For example, a system that issues a warning at log-in can act as a constant reminder of policies around data and also a warning of monitoring.

"So when you log onto your network or any resource from the company, a warning will come up that says you're accessing company information systems, including the computer, the network, anything attached to it," says Petraglia, who recommends that all of his customers push out such a message. "It shows that the machine is for authorized use only, and if you're not authorized, improper use will result in disciplinary as well as civil and criminal penalty."

But beyond the everyday reminders, organizations should be looking for targeted ways to educate users, says Hamilton. The kind of education he's talking about is not the generic security awareness training we usually associate with security guidance. It comes in concert with monitoring user behavior to flag activities such as transferring source code for a valuable product to a USB drive, and sending up a message that warns the user of dire consequences.

"Let's use the analogy that you're going down the street, and there's one of those flashing lights telling you that you're exceeding the speed limit," he says. "I would argue that that's education."

This kind of educational warning grows in importance during those final weeks at the job. CERT recommends a heightened level of monitoring and analysis of user behavior during those critical final 60 days should the employer have that kind of warning. And the exit interview could provide an excellent opportunity to give an employee the chance to do the right thing without incurring reprisals, says Hamilton, who believes that simply arming an HR interviewer with a report detailing suspicious activities over the employee's last days can effectively nip bad behavior in the bud.

"No lawsuit has been filed at this point, no money spent on attorneys, but that individual that gets that counseling upon departure will think twice about bringing that confidential data and using it at their new job," he says.

Chuck Georgo,
User Rank: Apprentice
2/21/2013 | 1:23:02 PM
re: Getting Into The Heads Of Departing Insiders
Unfortunately, everyone is still missing what I perceive to be the obvious...NO ONE comes to work for you on day one intending to do you or your agency/company harm. They come there to do great things, to make good money, to work with smart fun people, and to be recognized for contributing to something of redeeming social value (for the most part)...but...something happens...a lousy boss, a bad boardroom decision, they miss getting a promotion, they don't get selected for that new job, or something in their personal life...and when they cry for help (and they always do), and no one listens, they get angry, and when they get angry, some of them (not all of them) now have as an objective to harm you, steal your IP, or even worse, show up the next day with an AR-15...and when they do, we act all surprised and angered. Why is it that nearly 100% of the focus on the insider threat is on the TECHNOLOGY side and not on the LEADERSHIP and MANAGEMENT side? For a fraction of the cost of some of these monitoring and IP management tools, can't we spend more time taking care of people? Selecting and training managers to recognize the signs when Johnny or Jane go from loyal employee to insider threat? Check out my 27min presentation on this subject at the ICTTC Summit last September in Dublin... - ignore some of the jokes, you had to be there for both days to get'em...enjoy!...r/Chuck
User Rank: Strategist
2/12/2013 | 11:18:16 PM
re: Getting Into The Heads Of Departing Insiders
The psychology aspect of security is very interesting, and a big part of the user side of things. Bruce Schneier has written on that.

Kelly Jackson Higgins, Senior Editor, Dark Reading