Employee Tenure Doesn’t Insulate Companies from Insider Risks

A recent news article caught my attention that highlights the importance of following Insider Risk Management best practices, with programs that consistently monitor behavior over time. As this news article reminds us, sometimes bad actors can appear to be good actors for a long time before a harmful event actually occurs.

As reported by Infosecurity Magazine, a software developer working for a global power management company wrote "kill switch" code, which he named "IsDLEnabledinAD", that checked the company's Active Directory and executed if his account was no longer listed there. When that condition became true, the kill switch engaged, crashing servers and deleting the user profiles of other employees, which locked them out of the network. According to the report, the developer's role with the company was reduced in 2018; he deployed the kill switch in August 2019, and it activated automatically when he was terminated from the company in September of that year. The developer was recently convicted and sentenced to prison for his actions.

What is alarming about this situation is that the developer was a long-time employee of the company – he had worked with the organization for 12 years before taking these actions. My assumption is that he was a typical employee who presented no apparent risk for most of his tenure, until his role was reduced late in his time with the company. An examination of his laptop showed that, shortly before he returned the laptop to the company following his termination, he had deleted encrypted data that could have revealed his actions, and his recent internet search history indicated he had researched several methods of conducting malicious activities.

Regrettably, this situation is proof that long-time employees don’t present less risk to an organization just because they’ve worked there for a long time. Organizations may assume that employees who have completed a background check and gone through the hiring process are now part of a trusted workforce, and that long-tenured employees have established loyalty that insulates the organization from risk, but this thinking is misguided.

The reality is people can change over time. Various environmental factors and personal developments can alter behaviors quickly. This is certainly not to suggest that every employee is an insider threat to an organization. In fact, most risks exhibited by employees are not intentionally malicious with the intent to cause harm but rather acts of unintended negligence that are easily corrected through remediation. The point is, it is much better to monitor for the development of any risky behaviors, whether they are ill-intended or not, to prevent them from becoming threats to the organization.

So, what can companies do to effectively prevent Insider Risk?

  • Have a solidly built Insider Risk program that is fully aligned with the business and all leadership stakeholders.
  • Use the proper tools to quickly notice changes in employee behavior. I've spoken to many organizations that have good programs but don't have the right tools in place; they face a constant struggle for success.
  • Have properly configured User and Entity Behavioral Analytics with Linguistic Analysis features and robust data ingest from an enterprise-grade User Activity Monitoring tool. Couple this with purpose-built, secure Case Management, which puts the Insider Risk Management program on the best footing for success.
  • Implement proper oversight of the Insider Risk team to "watch the watchers".

Everfox Insider Risk Platform

Fortunately, Everfox's comprehensive Insider Risk platform, EverShield, provides all of these important tools and features, including:

  • Agent-based monitoring at the endpoint to capture web searches, file activities, keyboard usage, usage of command-line tools, remote desktop or SSH capabilities, and more.
  • Baselining of user activity to detect pattern changes and escalations of risk in a timely manner.
  • Desktop replay of user screens, showing video playback of what transpired before, during, and after a policy violation occurred.
  • Linguistic Analysis that analyzes words detected in emails, web searches, and more to detect changes in emotions.
  • Case Management capabilities to triage and work with evidence in a secure environment, with full security control of every aspect of a case and its associated case records.
  • Flexible ingest of any data from any data source, whether structured or unstructured, in order to detect abnormal events that deviate from normal patterns of activity, such as abnormal VPN logons, increased interaction with remote servers, and use of certain web search terms.
  • Response automation to send analytics outputs to other cybersecurity solutions, which respond to potential threats with playbooks and other automated responses from a wide variety of tools such as EDR, DLP, ICAM, etc.
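To make the baselining and abnormal-event detection described above concrete, here is a small added example (not Everfox or EverShield code, and not taken from the article) that builds a per-user, per-event-type daily baseline from earlier days and scores the most recent day against it. The event lines, the field layout (timestamp, user, event type), the working-hours window, the deviation threshold, and the standard-deviation floor are all assumptions made for this illustration; the telemetry is constructed, not captured from any real system.

```python
"""Per-user activity baselining with deviation scoring.

Added example: not Everfox/EverShield code. The event format, thresholds
and working-hours window below are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample telemetry (not captured from any real system).
# Format: ISO timestamp,user,event_type
SAMPLE_EVENTS = """\
2024-08-01T09:02:00,dev1,vpn_logon
2024-08-01T10:15:00,dev1,remote_ssh
2024-08-01T14:40:00,dev1,remote_ssh
2024-08-02T08:58:00,dev1,vpn_logon
2024-08-02T11:05:00,dev1,remote_ssh
2024-08-02T15:20:00,dev1,remote_ssh
2024-08-03T09:10:00,dev1,vpn_logon
2024-08-03T10:30:00,dev1,remote_ssh
2024-08-03T16:00:00,dev1,remote_ssh
2024-08-04T09:00:00,dev1,vpn_logon
2024-08-04T13:45:00,dev1,remote_ssh
2024-08-04T17:10:00,dev1,remote_ssh
2024-08-05T02:31:00,dev1,vpn_logon
2024-08-05T02:35:00,dev1,remote_ssh
2024-08-05T02:36:00,dev1,remote_ssh
2024-08-05T02:40:00,dev1,remote_ssh
2024-08-05T02:44:00,dev1,remote_ssh
2024-08-05T02:50:00,dev1,remote_ssh
2024-08-05T03:01:00,dev1,remote_ssh
2024-08-05T03:05:00,dev1,remote_ssh
2024-08-05T03:12:00,dev1,remote_ssh
2024-08-05T03:20:00,dev1,remote_ssh
2024-08-01T09:00:00,dev2,vpn_logon
2024-08-02T09:00:00,dev2,vpn_logon
2024-08-03T09:00:00,dev2,vpn_logon
2024-08-04T09:00:00,dev2,vpn_logon
2024-08-05T09:01:00,dev2,vpn_logon
"""

WORK_HOURS = range(7, 19)  # assumed 07:00-18:59 window for "normal" VPN logons
Z_THRESHOLD = 3.0          # assumed deviation threshold in standard deviations
MIN_STDEV = 1.0            # floor so a perfectly regular baseline still scores sanely


def parse_events(text):
    """Parse 'timestamp,user,event_type' lines into (datetime, user, type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, etype = line.split(",")
        events.append((datetime.fromisoformat(ts), user, etype))
    return events


def daily_counts(events):
    """Return {(user, event_type): {date: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, etype in events:
        counts[(user, etype)][ts.date()] += 1
    return counts


def score_day(events, day):
    """Compare `day` against every earlier observed day, per user and event type.

    Returns a list of (user, reason, detail) findings: volume spikes whose
    z-score meets Z_THRESHOLD, plus any VPN logon outside WORK_HOURS.
    """
    findings = []
    counts = daily_counts(events)
    # Days with no events for a user still count as zero in that user's baseline.
    history = sorted({ts.date() for ts, _, _ in events if ts.date() < day})
    for (user, etype), per_day in sorted(counts.items()):
        baseline = [per_day.get(d, 0) for d in history]
        if len(baseline) < 2:
            continue  # not enough history to call anything abnormal
        mean = statistics.mean(baseline)
        stdev = max(statistics.pstdev(baseline), MIN_STDEV)
        today = per_day.get(day, 0)
        z = (today - mean) / stdev
        if z >= Z_THRESHOLD:
            detail = f"{today} vs baseline mean {mean:.1f} (z={z:.1f})"
            findings.append((user, f"{etype} volume", detail))
    for ts, user, etype in events:
        if ts.date() == day and etype == "vpn_logon" and ts.hour not in WORK_HOURS:
            findings.append((user, "off-hours vpn_logon", ts.isoformat()))
    return findings


def run_example():
    """Score the latest day in the constructed sample against the earlier days."""
    events = parse_events(SAMPLE_EVENTS)
    latest = max(ts.date() for ts, _, _ in events)
    return score_day(events, latest)


if __name__ == "__main__":
    for user, reason, detail in run_example():
        print(f"{user}: {reason}: {detail}")
```

On the constructed data, dev1's remote_ssh volume jumps from two per day to nine and the day's VPN logon lands at 02:31, so both are flagged, while dev2's unchanged routine produces nothing. The standard-deviation floor matters in practice: a user whose baseline is perfectly regular would otherwise have a zero divisor, and a tiny divisor would turn any one-off change into an alert.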