The current cyber threat landscape places businesses in a constant state of alarm. Businesses find themselves in a non-stop battle against viruses, Trojans, and hackers, some of which aim at stealing valuable intellectual property, while others just wreak havoc for the IT personnel and interrupt operations. However, not all threats are external to an organization. Some of the most damaging threats are those internal to a company: its own employees. Negligent employee disclosure of company proprietary information can have the most detrimental impact on the business. Whether an employee discloses valuable client information by accident, works on company data at home from unprotected personal equipment, or purposefully attempts to steal customer data for their own gain or to damage relationships, the internal threat can severely impact business operations and negatively affect an organization’s bottom line. Just as protection from external threats takes preparation, policy, and a proactive approach, so does combating the intentional and unintentional internal threat.
Alȳn recommends that any company that maintains a sales force or is reliant on intellectual property for its business success consider some of the following Best Business Practices:
- Protection of information
  - Data, such as customer databases, service product price listings, proprietary processes, and any other valuable intellectual property, should be under role-based access controls where only those employees who need access to the particular data are granted access.
  - All data at rest, that is, data sitting idle (e.g. on portable drives or laptops), should be encrypted in case the device holding the data is lost or stolen.
  - Adopt a policy regarding unauthorized use of personally owned storage devices (thumb drives and other portable hard drives), cloud-based storage (DropBox or Google Drive) from company computers, and the use of personal email from company computers.
  - Deploy technical controls that disable USB ports except for devices utilized/acquired by the business.
- Proper Off-Boarding
  - Employees should be required to sign a non-disclosure agreement at the beginning and ending of employment.
  - All company-owned equipment should be collected prior to the end of the employee’s last day of employment. In circumstances where an employee has access to highly valuable information, immediate release from employment and suspension of access to company computers and accounts may be appropriate.
  - All user accounts should be disabled either on the last day of employment, or prior to notifying the employee of termination of employment.
  - Computers used by employees suspected of any wrongdoing should be powered off and secured in a location where they will not be tampered with. This ensures integrity of the data in the event that an investigation should be requested.
Part of protecting against the exfiltration of valuable information is knowing where the data resides, who has access to it, and detecting suspicious activity. Employing a commercial Data Loss Prevention (DLP) solution will allow a company to identify information it considers valuable, tag it, and alert any time the data is sent out of the network or written to an external device. Additionally, some of the following activities can be used to identify potentially suspicious activity which may warrant additional investigation:
- Employees logging in and accessing company data at times outside of their normal work schedule (i.e. late at night and on weekends).
- Employees connecting personally owned devices to the company computers.
- Employees accessing data that is not needed for their position or responsibility.
- Employees showing a sudden disgruntled attitude in the workplace aimed at the company.
- Rumors of an employee leaving to go work for a competitor.
- Excessive email being sent to public or web-based e-mail addresses.
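The log-observable indicators in the list above (off-hours access, personally owned devices, access outside a role, and excessive mail to public addresses) can be checked with simple rules over an activity log. The sketch below is an added example, not Alȳn's tooling; the log format, user names, role mapping, device IDs, `webmail.example` domain, and thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# All values below are constructed for illustration (assumptions, not from the article).
WORK_HOURS = range(7, 19)                 # 07:00-18:59, Monday-Friday
ROLE_PATHS = {"sales": ("sales/",), "engineering": ("eng/",)}
USER_ROLE = {"asmith": "sales", "bjones": "engineering"}
WEBMAIL = {"webmail.example"}             # placeholder for public webmail domains
APPROVED_USB = {"USB-CORP-0001"}          # devices acquired by the business
MAIL_LIMIT = 3                            # webmail messages per user per day

# Constructed sample log: (timestamp, user, event, detail)
EVENTS = [
    ("2024-03-04 10:15", "asmith", "file_access", "sales/customers.db"),
    ("2024-03-04 11:02", "bjones", "file_access", "eng/design.doc"),
    ("2024-03-05 23:40", "bjones", "file_access", "eng/design.doc"),
    ("2024-03-06 14:05", "bjones", "file_access", "sales/price_list.xlsx"),
    ("2024-03-06 14:20", "bjones", "usb_connect", "USB-PERS-9F3A"),
    ("2024-03-06 15:00", "bjones", "email_sent", "personal@webmail.example"),
    ("2024-03-06 15:01", "bjones", "email_sent", "personal@webmail.example"),
    ("2024-03-06 15:03", "bjones", "email_sent", "personal@webmail.example"),
    ("2024-03-06 15:07", "bjones", "email_sent", "personal@webmail.example"),
    ("2024-03-07 09:00", "asmith", "email_sent", "client@example.com"),
    ("2024-03-09 09:30", "asmith", "file_access", "sales/customers.db"),
]

def flag_events(events):
    """Return a sorted list of (user, indicator) pairs that warrant review."""
    flags = set()
    webmail_per_day = Counter()
    for ts, user, kind, detail in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if kind == "file_access":
            # Indicator: access outside the normal schedule (nights, weekends).
            if when.weekday() >= 5 or when.hour not in WORK_HOURS:
                flags.add((user, "off_hours_access"))
            # Indicator: data not needed for the user's role.
            if not detail.startswith(ROLE_PATHS[USER_ROLE[user]]):
                flags.add((user, "outside_role_access"))
        elif kind == "usb_connect" and detail not in APPROVED_USB:
            flags.add((user, "unapproved_device"))
        elif kind == "email_sent" and detail.rsplit("@", 1)[-1].lower() in WEBMAIL:
            webmail_per_day[(user, when.date())] += 1
    for (user, _day), count in webmail_per_day.items():
        if count > MAIL_LIMIT:            # Indicator: excessive mail to webmail
            flags.add((user, "excessive_webmail"))
    return sorted(flags)

if __name__ == "__main__":
    for user, indicator in flag_events(EVENTS):
        print(f"{user}: {indicator}")
```

A flag here is a prompt for review under the company's investigation policy, not a finding; a weekend login by `asmith` to data within their own role is flagged the same way as the clustered activity by `bjones`.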
Should any suspicious activity be detected, and the company decides that an investigation is warranted, an internal policy should be followed which contains a clear plan of action. Most companies do not have IT staff with the knowledge, skills, and tools necessary to conduct a proper investigation. An IT administrator with the best of intentions can cause significant modification of data on the suspect computer, to the extent that valid evidence can be lost during routine administrative activity and “looking around” the suspect user’s files for anything suspicious. Under these circumstances, the best course of action is to power down the computer and take no further action on the computer until it has been reviewed and analyzed by a digital forensic analyst. Nearly every action a user takes on a computer leaves a digital footprint which can be analyzed to determine what the user was doing, what was accessed, and what data may have been stolen or disclosed. The identification and analysis of many of these digital artifacts requires a trained and experienced digital forensic analyst.
Digital forensic analysts, such as those employed by Alȳn, Inc., utilize industry-leading hardware, software, and techniques to ensure a forensically sound and thorough investigation of the digital artifacts. Alȳn can support companies in every stage of an investigation, beginning with acquisition of the evidence, analysis of the data, and reporting, through to testifying in court to their findings.
In addition to a full digital forensic investigation, Alȳn can assist businesses with the analysis and development of internal policy and procedures for employee off-boarding, segregation of suspect systems from the network, and best business practices to help mitigate instances of internal threat. Alȳn’s services also include data destruction of digital media which is to be disposed of or donated at end of lifecycle. A simple reformat of a hard drive can leave company data available to anyone who acquires the drive after disposal. Alȳn’s process results in full destruction of data so no private or sensitive data is left after the process, eliminating any embarrassing and potentially damaging disclosure of company or information.