Many years ago, when Conan O’Brien was battling NBC over his role in late-night programming, he announced his intentions while waiting for a resolution. “I will continue to put on as good a show each night as I can,” Conan told his audience. “While stealing as many office supplies as humanly possible.”
The line got a good laugh, but it’s no joke to employers who struggle against insiders who are willing to use termination—or just a smaller-than-expected raise or a lack of promotion—as justification to steal.
Theft of physical assets is a substantial concern when employees leave, but case studies suggest that the theft of business information or purposeful data destruction can be more costly.
In one case, included in a compilation by Carnegie Mellon University of insider threat cases, an e-commerce software developer was angered when his benefits were cut in conjunction with his moving to a different state. His relationship with the company subsequently soured, and it eventually told him that his employment would be terminated in a month’s time.
After a week and a half, the insider logged in remotely from home, deleted the software he was developing as well as other software under development, modified system logs to conceal his actions, and then changed the root password. He then announced his immediate resignation. His actions cost the company over $25,000, 230 staff hours, and associated costs.
Forbes recounted a story from the “Once Upon a Vine” wine shop in Richmond, VA, in which the shop’s email newsletter was altered in order to badmouth the retailer to its customers. The culprit turned out to be an ex-employee who had logged in to the company’s cloud newsletter service.
“Organizations are still finding it difficult to completely disable access for terminated employees,” notes the CERT Division of the Software Engineering Institute at Carnegie Mellon. “Commonly accepted best practices are still not being followed.”
“Some aspects of the termination process are quite obvious, such as disabling the terminated employee’s computer account,” notes CERT—and this is where the wine shop reportedly failed. The retail store had terminated the employee but not her passwords.
Ex-employees—or those about to leave—can cause any number of headaches for a retailer, such as exporting contact lists to a rival, or causing havoc to a shop’s inventory or its payroll service.
The FBI has tried to alert business owners to the threat. “The exploitation of business networks and servers by disgruntled and/or former employees has resulted in several significant FBI investigations in which individuals used their access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new company,” the agency said in an alert.
Although terminating an employee’s computer account seems like a straightforward best practice, real-world examples show that incomplete account-management procedures make this simple-sounding task difficult. The result is a dangerous vulnerability. “Many employees have access to multiple accounts; all account creations should be tracked and periodically reviewed to ensure that all access can be quickly disabled when an employee is terminated,” notes CERT.
Diligently following strict account-management practices is critical for retailers when employees leave, suggest CERT case studies. If a retailer fails on this front, it may be too late to perform an account audit for the terminated employee. A backdoor account could have been created months before, notes CERT.
Retail organizations should develop formal, explicit termination policies and procedures. When these are not in place, case studies show that the termination process “tends to be ad hoc, posing significant risk that one or more access points will be overlooked.” Furthermore, studies of insider incidents prove that “insiders can be quite resourceful in exploiting obscure access mechanisms neglected in the termination process.” Real-world cases illustrate the importance of terminating access completely for former employees, carefully monitoring for post-termination access, and paying particular attention to terminated technical employees.
Part of a termination process must include disabling remote access or virtual private network accounts, as well as firewall access. “Remote access is frequently exploited by former insiders,” notes the CERT study.
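The account tracking and post-termination monitoring described above can be run as a recurring check. The following is an added illustration, not code from CERT or the original article; the HR termination list, account inventory, log format, and every name in it are constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumptions, not from the article): HR terminations,
# an account inventory spanning several systems, and authentication events.
TERMINATIONS = {"jdoe": "2024-03-01T17:00:00", "asmith": "2024-03-10T12:00:00"}

ACCOUNTS = [  # (system, account, owner, enabled)
    ("ad", "jdoe", "jdoe", False),
    ("vpn", "jdoe-remote", "jdoe", True),            # remote access never disabled
    ("newsletter", "marketing@shop.example", "asmith", True),  # cloud service
    ("ad", "asmith", "asmith", False),
    ("ad", "bking", "bking", True),                  # current employee
]

AUTH_LOG = """\
2024-02-28T09:12:03 ad jdoe success
2024-03-02T23:41:10 vpn jdoe-remote success
2024-03-11T08:05:44 ad asmith failure
2024-03-12T02:17:29 newsletter marketing@shop.example success
2024-03-12T09:00:00 ad bking success
"""

def lingering_accounts(accounts, terminations):
    """Accounts that are still enabled although their owner was terminated."""
    return [(system, acct, owner) for system, acct, owner, enabled in accounts
            if enabled and owner in terminations]

def post_termination_events(log_text, accounts, terminations):
    """Auth events (successes and failures) on a former employee's account
    that occur after that employee's termination time."""
    owner_of = {(system, acct): owner for system, acct, owner, _ in accounts}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        when, system, account, result = parts
        owner = owner_of.get((system, account))
        if owner in terminations and \
                datetime.fromisoformat(when) > datetime.fromisoformat(terminations[owner]):
            hits.append((when, system, account, owner, result))
    return hits

if __name__ == "__main__":
    for row in lingering_accounts(ACCOUNTS, TERMINATIONS):
        print("STILL ENABLED:", row)
    for row in post_termination_events(AUTH_LOG, ACCOUNTS, TERMINATIONS):
        print("POST-TERMINATION ACCESS:", row)
```

The check is only as complete as the account inventory behind it, which is why CERT stresses tracking every account creation: an account missing from the inventory is invisible to both functions.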
When an employee is fired, all relevant employees need to be notified of the worker’s termination, suggest case studies. Multiple insider attacks examined by CERT were facilitated when fired workers gained physical access to their old workplace. “For example, at least one terminated insider lied to the night-shift security guard—who had not been told of the termination—about forgetting his badge.” Access to facilities should be tracked via an automated logging mechanism, the report recommends.
Under favorable termination circumstances, some organizations choose to permit continued access by former employees for some time period. But “it is important that organizations have a formal policy in place for these circumstances and carefully consider the potential consequences,” CERT recommends.
Even with voluntary departures, companies should consider security measures such as monitoring exiting employees’ network usage. According to an LPM/SDR survey, this is a common but not universal precaution taken by retail industry companies. In the study, 58.3 percent of responding retail companies said that they monitor or review departing employees’ access/use of computer systems to ensure sensitive or confidential data are not downloaded or sent to personal e-mail accounts. This is slightly less than the figure for all employers (67.9 percent).
If an employee is terminated under adverse circumstances, the CERT study recommends that organizations consider reviewing the employee’s desktop computer and system logs to ensure no software or applications have been installed that may permit the employee back into the organization’s systems. “In one case, a terminated employee left software on his desktop that allowed him to access it, control it remotely, and use it to attack.” A few insiders who stole intellectual property immediately before leaving an organization were caught when their desktop computer activity logs were analyzed, according to the study.
Finally, CERT warns all organizations to be cognizant of social relationships that could provide a disgruntled worker an avenue to commit harm. The report cites an example: Almost two months after his termination, an ex-employee got a system administrator account password from a female employee with whom he’d had a relationship.
“Using this password, the insider was able to hide a project folder on the server that was needed the next day for an important customer demonstration.” In this case, even though the company took all recommended security precautions for handling the employee’s termination, the ex-worker still managed to sabotage its computer system.
This post was originally published in 2018 and was updated November 5, 2018.