Submitted by Anonymous (not verified) on March 2, 2014

A key executive leaves a financial services firm, purportedly to work in another industry. Any company would be disappointed to lose a senior executive. In this instance, however, his departure was followed by a spate of exits from his team. The CEO then learned from customers that the executive had joined a competitor, and that the competitor was using certain confidential key numbers in its planning reports and presentations to customers. The CEO also found that the executive had taken several hundred confidential electronic files with him to the other company.

The CEO was concerned that, in spite of the hardening of computers and laptops, the executive had still been able to remove information from the company. The CEO took his IT people to task, but the information was already lost and the damage done. This scenario plays out quite frequently in our workplaces: employees on their way out start taking information even before the notice period starts. In fact, employees start chalking out information extraction strategies around the time they start looking for other opportunities. Information thefts due to insiders' actions are perhaps the biggest causes of information security breaches. In this particular situation, a forensic investigation later found that the executive took out information by the following means:

1.    Emails to his own personal external accounts
2.    IT loaded new software on his laptop in the fortnight before his last date. During the installation the IT department had to suspend the endpoint controls on the laptop for a day, but the executive kept the laptop during this time. He exploited this by downloading information to a USB drive.
3.    He also exploited a weakness in his smartphone, where he was able to download email attachments onto external cards.

The investigation revealed that the executive had been preparing for his move for quite some time and had intensified his efforts during his 3-month notice period. So what can a company do to help identify such a malicious insider and prevent such information theft?

1.    It is very important to do a risk assessment from the perspective of vulnerabilities. Risk managers would do well to think out specific scenarios to challenge the IT department's controls.
2.    Look for red flags:
a.    Employees using personal rapport with IT to seek out vulnerabilities and loopholes to get around controls
b.    Employees who have a grudge against the company or are constantly talking about changing jobs
c.    Increased rule-breaking or misbehavior
d.    Physical altercations
e.    Breaking dress code
f.    Suspicious behavior
g.    Signs of extreme stress
3.    Educate employees, including IT and the IT helpdesk, about the human aspects of information security.
4.    Annual renewals of non-disclosure agreements and employee education are key to protecting your company from the malicious insider and creating a culture of security.
5.    Institute very specific controls during the notice period so that the employee does not get any opportunity to take information out. These controls should kick in when the employee resigns. In fact, managers should begin controlling access even if they only suspect that an employee is looking to leave.
6.    Run vulnerability assessments, penetration tests and network scans on a quarterly basis to identify internal and external weaknesses. Security configurations should be compared with the baseline every 15 days.
7.    Put content-based controls on emails.
8.    Monitoring
a.    Increased or unusual patterns in network/workplace access
b.    Log reports of attempted unauthorized access
c.    Large data transfers during non-business hours
d.    Frequent emails to outsiders with attachments
e.    Excessive file downloads