Insider Threat Management The Threat Posed by the ex-Insider

May 13, 2021

Although the rate of employee layoffs has slowed since this time last year, the end is not yet in sight. With the ongoing ripple effect of 2020, many organizations are still grappling with the issue of having a significantly higher number of “ex-employees” than ever before. Still more are seeing this change coming in the upcoming months.

When considering layoffs, restructuring, or other changes, most organizations have checklists in place for handling employee departures. Many of these checklist items are security or IT-related such as disabling accounts, removing the user from access groups and decommissioning emails. Pretty straightforward, right? Unfortunately, if it were that straightforward, the news would not be rife with reports of disgruntled former employees managing to sabotage the organization that “unfairly” let them go. In fact, a study done in the UK showed approximately 1/3 of employees were left with access to either systems or data after leaving their job.

At innerActiv we stress:
Don’t stop monitoring for insider threats when an employee is no longer employed!
As a matter of fact, we recommend actively monitoring the employee for a minimum of 3-6 months after their departure to detect any unusual activity that could indicate the user (or a coworker) has managed to access the organization’s systems. In many instances, this also reveals security issues caused by other employees using the now ex-employee’s credentials for quick access.

What discoveries are made by doing so?
– Ex-employees logging in remotely.
– Ex-employees accessing or removing stored data.
– Ex-employee credentials being used for portals or admin access to systems.
– Co-workers using the ex-employee’s username or admin access because the employee had shared it with them in the past.
– Suspicious email or inbox access