Getting Into The Heads Of Departing Insiders

Strong policies, human decency, and targeted communication can keep the semi-malicious insider from walking out the door with valuable IP
Here's an age-old security riddle: Where and when is theft of intellectual property (IP) not really theft? Answer: In the minds of your employees, when they're headed out the door for the last time.

Survey after survey has shown that departing employees view the raiding of customer lists and IP about as lightly as a toddler with a chair views his swipe at the cookie jar on the kitchen counter. Experts say that the only way to combat the mentality is to understand where it comes from. It is only then that enterprises can use smart people skills, solid policies, and unconventional educational techniques to keep insiders from flying the coop with the golden egg.

60-Day Danger Zone
According to an academic study of insider cases by researchers with CERT, the risk of insider theft of IP is the highest just before the employee resigns or is fired.

"Insiders stealing IP did so within a period of 60 days before termination 70% of the time," wrote CERT engineers in a report published last fall (PDF).

Just last week, Symantec shed some light on the employee mindset as these insiders set their feet out the door. A survey the firm released showed that half of employees who left or were fired from their jobs took corporate data with them, and 62 percent of them didn't think the practice was wrong. This validates a survey from Cyber-Ark last year in which just under half of the employees, IT managers, and executives questioned said they would take proprietary data with them if they were fired tomorrow.

The numbers set up an interesting intellectual profile for the typical departing employee. Sure, there are the blatantly malicious insiders who systematically plunder corporate data stores in anticipation of taking that information to competitors -- AMD is accusing a ring of former employees of this kind of act. But that kind of employee is the outlier, says Robert Hamilton, director of product marketing for Symantec.

[How can cloud activity increase insider risks? See Cloud's Privileged Identity Gap Intensifies Insider Threats.]

"There's a substantial number of people that just don't realize that what they're doing is committing theft," he says. "Their employers would consider it theft. And the company that they're going to would also consider what they brought with them to be contraband. So what is it about these individuals that causes them to believe that what they're doing isn't wrong?"

A big part of it, Hamilton surmises, is that the pride in their work leads them to believe that it belongs to them.

"They feel they have some ownership rights because they've invested a lot of their intellectual equity into it," he says. "Nobody is going to argue that you don't have ownership rights to everything that's in your head -- the issue is taking stuff in electronic form, putting it in unauthorized locations, and intending to use it on a job at a new employer."

In addition to that deeply seated belief in ownership rights, rationalization and an apparent lack of consequences can make a dangerous combination in the minds of those who may consider it a gray area of morality that they're willing to overlook.

"Some people might think that it may not be completely appropriate, but they're not seeing their companies or their organizations taking steps to do anything about it," Hamilton says. "There's this sense of, 'I'm going to get away with it because I've never seen anybody get in trouble for taking stuff that they shouldn't.'"

The Human Element Trumps All
Whether it's due to ignorance or fearlessness of reprisal, theft by otherwise honest departing employees has its roots at the human level, says Scott Crawford, research director for Enterprise Management Associates.

"Dealing better with people, recognizing what employees both need and want, and just plain being conscientious and ethical will go a long way toward mitigating these risks," Crawford says.

Employees who feel they've been dealt with fairly are far less likely to justify their actions in a disgruntled huff. Of course, corporate culture is a systemic issue that goes far beyond the purview of IT executives. But where IT can make a big difference is by cooperating with the business to develop clear data-use policies and communicating them constantly.

"Organizations have a responsibility to clarify their policies on this," Crawford says. "They should also encourage dialogue with their personnel."

Without policies, not only are employees unclear as to their ethical responsibility to leave data behind, but the organization may lack legal recourse when information walks out the door, says Damon Petraglia, director of forensic and information security services for Chartstone.

"Every company needs an acceptable use policy. If the acceptable use policy says you are not allowed to download something, and you signed that, you know you broke the rule," he says. "Then organizations can start to establish some [illegal] intent there."

Using Monitoring To Target Communication
But measures shouldn't stop at an acceptable use policy and a one-time signature. Reminders about those policies should be frequent, starting with broad-based communication to everyone. For example, a system that issues a warning at log-in acts as a constant reminder of data policies and also as notice that activity is monitored.

"So when you log onto your network or any resource from the company, a warning will come up that says you're accessing company information systems, including the computer, the network, anything attached to it," says Petraglia, who recommends that all of his customers push out such a message. "It shows that the machine is for authorized use only, and if you're not authorized, improper use will result in disciplinary as well as civil and criminal penalty."

But beyond the everyday reminders, organizations should look for targeted ways to educate users, says Hamilton, and the education he has in mind is not the generic security awareness training usually associated with security guidance. Instead, it works in concert with monitoring of user behavior: flagging an activity such as transferring source code for a valuable product to a USB drive and sending the user a message that warns of dire consequences.

"Let's use the analogy that you're going down the street, and there's one of those flashing lights telling you that you're exceeding the speed limit," he says. "I would argue that that's education."

This kind of educational warning grows in importance during those final weeks on the job. CERT recommends a heightened level of monitoring and analysis of user behavior during those critical final 60 days, if the employer has advance warning of the departure. And the exit interview can be an excellent opportunity to give an employee the chance to do the right thing without incurring reprisals, says Hamilton, who believes that simply arming an HR interviewer with a report detailing suspicious activities over the employee's last days can effectively nip bad behavior in the bud.

"No lawsuit has been filed at this point, no money spent on attorneys, but that individual that gets that counseling upon departure will think twice about bringing that confidential data and using it at their new job," he says.
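The two ideas above, watching data movement more closely inside the 60-day window CERT identified and handing HR a short summary of what was flagged, can be put together in a small script. The following is an added example written for this page; it is not code from the article, CERT, Symantec, or any product. The log format, the action names, the departure dates, the protected locations and the sample lines are all constructed for the illustration, and a real deployment would take these from an endpoint or DLP agent and from HR's notice records.

```python
"""
Flag data-movement events that fall inside a departing employee's final
60 days and roll them up into a per-employee summary that HR could take
into the exit interview.

Added illustration, not code from the article, CERT, Symantec or any
product. The log format, field names, action names, departure dates and
sample lines below are all constructed for the example.
"""
from datetime import date, timedelta

# The CERT figure the article quotes: most insider IP theft happened
# within 60 days before termination, so that is the window we watch.
DANGER_WINDOW = timedelta(days=60)

# Constructed action names standing in for what an endpoint/DLP agent logs.
SENSITIVE_ACTIONS = {"usb_copy", "cloud_upload", "mail_attach", "repo_clone"}

# Constructed sample log, one event per line: "YYYY-MM-DD user action bytes path"
SAMPLE_LOG = """\
2024-03-01 alice usb_copy 524288000 /srv/source/widget/
2024-03-03 alice mail_attach 2048 /home/alice/expenses.xlsx
2024-03-20 alice usb_copy 1000 /srv/source/widget/
2024-02-10 bob cloud_upload 73400320 /srv/crm/customers.csv
2023-12-20 bob usb_copy 100000000 /srv/source/widget/
2024-03-05 carol usb_copy 300000000 /srv/source/widget/
""".splitlines()

# Constructed notice data: last working day as HR recorded it. carol has
# not given notice, so she is outside the scope of this example.
DEPARTURES = {"alice": date(2024, 3, 15), "bob": date(2024, 3, 1)}

# Constructed list of locations the business has classified as crown jewels.
PROTECTED_PREFIXES = ("/srv/source/", "/srv/crm/")


def parse_event(line):
    """Split one constructed log line into a dict; the path may contain spaces."""
    day, user, action, size, path = line.split(maxsplit=4)
    return {"date": date.fromisoformat(day), "user": user,
            "action": action, "bytes": int(size), "path": path}


def in_danger_window(event_date, departure_date):
    """True when the event is on or before the departure date and no more
    than DANGER_WINDOW before it. Events dated after departure are left out:
    they point at an account that should already have been disabled."""
    delta = departure_date - event_date
    return timedelta(0) <= delta <= DANGER_WINDOW


def flag_events(lines, departures, protected_prefixes):
    """Return events that combine a sensitive action, a protected location,
    and a user whose known departure date puts the event in the window."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        departure = departures.get(ev["user"])
        if departure is None or ev["action"] not in SENSITIVE_ACTIONS:
            continue
        if not in_danger_window(ev["date"], departure):
            continue
        if not ev["path"].startswith(protected_prefixes):
            continue
        ev["days_before_departure"] = (departure - ev["date"]).days
        flagged.append(ev)
    return flagged


def summarize(flagged):
    """Roll flagged events up per user: count, bytes, actions and locations."""
    report = {}
    for ev in flagged:
        entry = report.setdefault(ev["user"], {"events": 0, "bytes": 0,
                                               "actions": set(), "paths": set()})
        entry["events"] += 1
        entry["bytes"] += ev["bytes"]
        entry["actions"].add(ev["action"])
        entry["paths"].add(ev["path"])
    return report


def render_report(report):
    """Plain-text lines an HR interviewer can read before the exit interview."""
    lines = []
    for user in sorted(report):
        e = report[user]
        lines.append(f"{user}: {e['events']} flagged event(s), "
                     f"{e['bytes'] / 1e6:.1f} MB via {', '.join(sorted(e['actions']))}; "
                     f"locations: {', '.join(sorted(e['paths']))}")
    return lines


if __name__ == "__main__":
    flagged = flag_events(SAMPLE_LOG, DEPARTURES, PROTECTED_PREFIXES)
    for line in render_report(summarize(flagged)):
        print(line)
```

On the constructed sample, alice's large copy of the source tree two weeks before her last day and bob's upload of the customer list 20 days before his are flagged; alice's expense sheet is ignored because it is not in a protected location, bob's December copy is outside the 60-day window, carol has no recorded departure, and the event dated after alice's departure is dropped. The point of the summary is the one Hamilton makes: HR walks into the exit interview with concrete facts, so the conversation can happen before any lawyer is involved.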
