Ninety percent of organizations feel vulnerable to insider threats. That alarming statistic was recently published in the annual Insider Threat Report released by Crowd Research Partners. The survey respondents are almost equally worried about malicious insiders (47%) as they are accidental insiders (51%). What is one of the main enabling risk factors? Too many users with excessive access privileges. When those access privileges are in the hands of a malicious insider the risks are significant. A disgruntled employee, or a non-deprovisioned ex-employee that feels wronged by their employer, possess two key components needed to cause damage: access and motivation.
Consider this example: Andrew Skelton, a senior IT auditor employed by Morrisons Supermarket PLC, deliberately leaked the payroll information of approximately 100,000 current and former Morrisons employees to a file sharing website and to three English newspapers. What was his motivation? Mr. Skelton held a grudge against Morrisons due to an earlier internal disciplinary matter. As a result of the data breach, over 5,000 current and former Morrisons employees filed a class action suit against Morrisons for damages incurred. In December 2017, England’s High Court of Justice Queens Bench Division ruled that Morrisons is vicariously liable for the actions of the disgruntled employee, Mr. Skelton. Clearly, privileged access in the hands of a disgruntled employee can produce extensive and far-reaching damage.
A survey conducted by OneLogin produced another alarming statistic; fifty percent of ex-employees retain access to corporate applications after their employment has ended. When you consider that most disgruntled employees will end up leaving, either voluntarily or not, failure to deprovision means access and motivation are in place to initiate a devastating attack. Even if the employment is ended on friendly terms, the ex-employee could be recruited by malicious actors offering financial incentives for their access. The risk is very real. Twenty percent of the companies represented in the OneLogin survey experienced a data breach due to failure to deprovision an employee. Consider this example: Brian P. Johnson, IT specialist and systems administrator, for Georgia-Pacific had his employment terminated on February 14, 2014 and was escorted off the premises. However, his access to corporate applications remained in place. He used his access to transmit harmful code and commands; in some instances, bringing Georgia-Pacific’s Port Hudson’s mill production to a standstill. FBI agents assigned to investigate the case concluded that Mr. Johnson intentionally sabotaged his former employer as payback.
As these data breaches show, failure to deprovision an ex-employee and failure to recognize and monitor a disgruntled employee led to significant losses to both company reputation and revenue.
Recognize and Respond
All employees require knowledge or access to empower them to do their work. However, it’s noteworthy that ‘too many users with excessive access privileges’ was identified as an enabling risk factor. Clearly, policies that limit access should be in place and implemented to minimize insider threat risk, whether malicious or accidental. Employee education combined with guidelines and policies for recognizing and monitoring a rogue/disgruntled employee are necessary for security threat management. When the employment termination process begins clear procedures to promptly remove access to corporate applications are vital. This article by the CERT Division of the Software Engineering Institute (SEI) provides a list of 19 best practices that can help mitigate the risk of IP theft, IT sabotage, and fraud that may exist due to a disgruntled or ex-employee. It’s true that you can never reduce your risk of an insider threat to zero. However, by recognizing and responding to the risk through preparation and education it can be minimized.
“By failing to prepare, you are preparing to fail.” – Benjamin Franklin