Vulnerabilities / Threats
5/16/2012
11:50 AM
50%
50%

5 Ways To Lose A Malicious Insider Lawsuit

Making the case against an insider takes preparation and proactive work with HR and legal. Consider this expert advice to make sure you're ready.

When the worst-case scenario strikes and a malicious insider does damage to an organization, be it by theft or sabotage, legal recourse may be in order. But if IT doesn't prepare in advance to cooperate with human resources and legal, the civil or criminal case against a bad former employee may be doomed from the start.

According to security and legal experts, failing to cover your legal bases before presenting your case to judge and jury can effectively give the defendant that proverbial "get-out-of-jail-free card" and leave your organization without much leverage at all.

Here are some of the most common ways that enterprises tend to blow their cases against malicious insiders.

1. Don't Make Employees Sign A Contract or Policy
According to Damon Petraglia of Chartstone, one of the most common civil cases he's brought in to help forensically investigate is when employees steal information from their employers or do something inappropriate with technology. In order to make a case against such an employee, it is important to not only prove they stole or did something wrong, but that they had intent.

"If you want to fire someone or you want to sue someone, you have to prove that they had intent to do something malicious. Just because I installed something on my computer, it doesn't really prove I did something malicious," said Petraglia, director of forensic and information security services for Chartstone. "A lot of times, when I'm looking at something forensically, a company will not have any policy in place that says you cannot do something. That makes it very difficult to prosecute or to fire someone."

This is where signed acceptable use policies and confidentiality agreements are key. While signing such a document might seem like a mere formality when employees or contractors are brought in, their existence can make or break a case when things go wrong.

"If I were advising someone that has confidential information, data, or technology, I'd say the most important thing to do is have agreements with your employees that make it clear that there is confidential information that limit the employees' ability to use that information, and to prevent the employees from taking it or disclosing it to anyone else," said Jim Davis, partner at Dallas, Tex.-based law firm Klemchuck Kubasta.

Read the rest of this article on Dark Reading.

Put an end to insider theft and accidental data disclosure with network and host controls--and don't forget to keep employees on their toes. Also in the new, all-digital Stop Data Leaks issue of Dark Reading: Why security must be everyone's concern, and lessons learned from the Global Payments breach. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report