In the world of network security, many people consider the greatest threats to be the shadowy individuals working in secret to take down corporate networks and steal information. We see news stories about nefarious hackers working for foreign governments, hear about groups like Anonymous that launch large-scale attacks on individuals and organizations alike in response to perceived wrongs. As a corporate security professional, it’s easy to believe that the most serious threats are coming from the outside, and that building a stronger perimeter is the only way to keep sensitive data from falling into the wrong hands.
According to a new report from the Department of Homeland Security, though, that perception isn’t entirely accurate. While outside threats are certainly a cause for concern, the growing number of data breaches, network disruptions, and cases of network exploitation attributable to disgruntled ex-IT employees has lead DHS to declare unhappy former employees a risk to national security.
Homeland Security: Disgruntled Employees are a Significant Threat
It’s a familiar scenario: On a Friday afternoon, employees of a struggling business receive word that they’re being laid off. While the news wasn’t entirely unexpected — in fact, rumors have been swirling for weeks — there are a number of employees who feel betrayed and angry about losing their jobs. Or perhaps the employee being shown the door is the only one losing his or her job that day, thanks to a pattern of poor performance. After a final showdown with the bosses, security escorts the employee from the premises.
Regardless of the circumstances, in most cases when someone loses their job unexpectedly, there are hard feelings. The vast majority of people are able to overcome their animosity and find a new job, without resorting to retaliation against their old employer. Some, though, don’t take the news well, and feel the need to get some sort of retribution against their former employer.
These are the people, according to the government, that are the most dangerous. They define a threat as someone who has access to company data or systems, for example, a network administrator who has access to the company encryption keys or the main servers. Some of the cases the feds investigated included such acts as:
- Transferring data, including customer information, trade secrets, and sensitive operational data, via mail, cloud-based storage services (like Dropbox) or other means. The feds suggest that such data could then be illegally sold to other companies — or even foreign states.
- Making unauthorized purchases on the company — or customer — dime.
- Accessing corporate networks after termination via unauthorized installation of remote desktop software.
- Using or selling proprietary software after termination.
- Using the possession of corporate data as a means to blackmail a former employer into meeting demands.
- Disrupting or destroying the corporate network.
The government estimates that the average costs of such incidents can range from a few thousand dollars to more than $3 million, which includes everything from the time spent by IT to investigate and close the breach to fines and legal fees to the cost of credit monitoring for customers affected by the incident.
Preventing Former Employees from Wreaking Havoc
While much of the advice for preventing disgruntled ex-employees from becoming a security risk focuses on what to do after the person has been let go — for example, companies are advised to change passwords, terminate accounts, and scrub machines to identify and remove any remote access software — completely protecting against these threats requires taking the right steps from the moment that someone has been hired.
Many security experts recommend establishing an environment of “zero trust” when it comes to network security. While it might sound overzealous, or even unfair, to distrust your employees, you can never be too careful when to protecting data.
What does a zero trust environment look like? In general, it includes (among other things):
- Restricted administrator privileges. Only those who absolutely must have access to the entire network do, and a series of checks and balances are in place to ensure those privileges are used appropriately.
- Comprehensive background checks on employees who have access to sensitive data.
- Prohibitions and restrictions on potentially dangerous activities. For example, prohibiting the use of sites like Dropbox or the sending of proprietary information via unsecured mail.
- Constant network monitoring and investigation of anomalies.
- Strict software management protocols and license management.
When expectations for security are established early on, and security tactics are focused on mitigating internal threats, an organization has a better chance of avoiding falling victim to an unhappy ex-employee. That doesn’t mean that you should ignore external threats, but don’t assume everything on the inside is safe, either.