When George, a senior salesman, started his current position 10 years ago, he brought hundreds of business cards and notes that he added to his employer’s customer management software. When he decided to leave, he thought he could take the current database with him. Not true.
“While George may believe that he has a legitimate claim to the customer information because he brought in hundreds of new names and personally worked cultivating those and other relationships for a decade, all the information in the CRM belongs to the employer,” David A. Smith, a CISSP, wrote in a recent whitepaper, How UEBA mitigates IP Theft By Departing Employees. “George’s transfer of his current employer’s valuable and confidential digital assets is theft.”
While this particular incident is hypothetical, similar situations, whether inadvertent, as George’s was, or deliberate, happen far too often. For example, a recent security survey showed that 87 percent of departing employees take data they worked on, including confidential customer information, price lists, marketing plans, sales data, competitive intelligence, etc., and 28 percent take data created by others. The loss of this intellectual property (IP) can be devastating.
So, what steps can you take now to prevent this type of theft when employees decide they’re ready to move
Establish – and Enforce – Corporate Policies: While some employees who share proprietary data with outside sources or take it with them to their next place of business might do so maliciously, others might simply be unaware that it doesn’t belong to them. Having a strong, plainly written Confidentiality and Intellectual Property Agreement in place can help to alleviate the gray areas that exist when employees involved in the creation of IP perceive they have an ownership stake in it; reviewing that Agreement with an employee when they are departing acts as something of a deterrent against IP leaving with them. (See the white paper, 3 Steps to Protect Your Data During The High Risk Exit Period.)
Ensure that the confidentiality and IP agreements outline what data employees can take with them when they leave and what needs to stay behind, as well as any consequences for its removal. And ensure that the document is written in terms that people who do not work with legal contracts as part of their everyday role will readily understand.
Monitor Behavior: While it’s possible for humans to get an idea of when changes in an employee’s behavior might indicate an increasing probability of IP theft, it would be “impractical, if not outright impossible, for an organization’s cyber security staff to observe and monitor each employee,” Smith wrote. Instead, companies should implement technology such as user and entity behavior analytics (UEBA) – with advanced machine learning algorithms – to help define what is normal behavior for each user so any anomalies will be easier to detect and investigate. UEBA compares each user’s real-time activities against their recorded behavior baseline and alerts the designated response team (likely cyber security) so it can investigate more closely. When coupled with user activity monitoring (UAM) software, security can see if the employee is emailing or otherwise transferring data he doesn’t normally transfer, is downloading lists onto external devices or is logged into the IT server at 2 a.m.
To help with this process, the insider risk team should quantify employee risks, giving employees a score of 1 to 10. For example, some employees may have a low score, meaning they do not need to be monitored as closely because they do not have access to as much proprietary information, while higher-level executives (even security itself) may have a high score, meaning they should be monitored more closely. When employees tell their managers or HR that they’re planning to leave, the risk score should be set to 10, triggering a review of 30 days’ worth of online and communications activity. The 30 days leading up to notice of resignation is the ‘high risk exit period’ during which IP is most at risk.
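The review that a resignation notice triggers, sketched as an added example (not taken from the whitepaper or from any UEBA product): it sets the score to 10 and compares the prior 30 days against the user's earlier baseline for transfer volume and working hours. The event tuple layout, the z-score threshold and the sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

EXIT_WINDOW = timedelta(days=30)  # the "high risk exit period" from the text
Z_THRESHOLD = 3.0                 # assumed alert threshold, tune per environment

def exit_review(events, user, notice_day):
    """Return (risk_score, findings) for a user who has just given notice.

    events: iterable of (timestamp, user, outbound_bytes) tuples (assumed layout).
    findings: sorted list of (date, reason) inside the 30-day window.
    """
    start = notice_day - EXIT_WINDOW
    base_bytes, base_hours, window, findings = {}, set(), [], set()
    for ts, who, nbytes in events:
        if who != user or ts.date() > notice_day:
            continue
        if ts.date() < start:
            # Baseline uses only pre-window activity, so a month of
            # elevated transfers cannot normalise itself.
            base_bytes[ts.date()] = base_bytes.get(ts.date(), 0) + nbytes
            base_hours.add(ts.hour)
        else:
            window.append((ts, nbytes))
    if len(base_bytes) < 2:
        # No usable baseline: every active day in the window needs review.
        return 10, sorted({(ts.date(), "no baseline") for ts, _ in window})
    vals = list(base_bytes.values())
    mu, sigma = mean(vals), pstdev(vals) or 1.0
    daily = {}
    for ts, nbytes in window:
        daily[ts.date()] = daily.get(ts.date(), 0) + nbytes
        if ts.hour not in base_hours:
            findings.add((ts.date(), "unusual hour"))
    for day, total in daily.items():
        if (total - mu) / sigma > Z_THRESHOLD:
            findings.add((day, "volume spike"))
    return 10, sorted(findings)  # notice of resignation sets the score to 10

def sample_events():
    """Constructed data: 90 ordinary days plus a bulk transfer and a 2 a.m. session."""
    t0 = datetime(2024, 1, 1, 10, 0)
    ev = [(t0 + timedelta(days=d, hours=d % 6), "george", 5_000_000 + 1000 * (d % 7))
          for d in range(90)]
    ev.append((datetime(2024, 3, 20, 14, 0), "george", 800_000_000))
    ev.append((datetime(2024, 3, 25, 2, 0), "george", 1_000))
    return ev
```

Calling `exit_review(sample_events(), "george", date(2024, 3, 30))` flags the two constructed outliers and leaves the ordinary days alone.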
Limit Data Access: Only give employees access to data they need to do their jobs. This will keep them from accessing other corporate information, and according to Smith, “in most cases it will also prohibit the installation of any hardware or software that can be used for the exfiltration of data (i.e. being able to create CDs or DVDs, or to copy data to a thumb drive).” To prevent users from transferring data they shouldn’t, the organization should also consider configuring firewalls that block malicious websites or those which can be used to transfer data, encrypting all data at all stages of storage and transport, and requiring user authentication to use encrypted data.
Fortunately, having strict policies in place, and communicating these policies (and any consequences for breaking them) will deter many departing employees from taking data that doesn’t belong to them. However, being able to analyze employee actions and behavior, detect whether any anomalous behavior poses an actual threat, prioritize which behaviors might be most damaging to a company, and then respond appropriately, could be even more critical to preventing valuable IP from leaving when your employees do.