As another example of the huge impact that these malicious events can have, the CERT Coordination Center and the US Secret Service published a public report in 2004 titled Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector [5]. One of the case studies in the report concerned employee offboarding risk:
“In March 2002, a ‘logic bomb’ deleted 10 billion files in the computer systems of an international financial services organization. The incident affected over 1300 of the organization’s servers throughout the United States. The organization sustained losses of approximately $3 million, the amount required to repair damage and reconstruct deleted files. Investigations by law enforcement professionals and computer forensic professionals revealed the logic bomb had been planted by a disgruntled employee who had recently quit the organization because of a dispute over the amount of his annual bonus.”
A follow-up study by the same organizations in 2005 titled Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors [6] noted how common it is for insider threats to come from ex-employees:
The majority of the insiders were former employees.
At the time of the incident, 59% of the insiders were former employees or contractors of the affected organizations and 41% were current employees or contractors.
The former employees or contractors left their positions for a variety of reasons. These included the insiders being fired (48%), resigning (38%), and being laid off (7%).
Key risks to consider
The key risks that need to be mitigated for employee offboarding scenarios are:
Employees' ability to copy sensitive and proprietary information from IT applications and systems to local portable media and then physically remove that information from the premises.
Employees' ability to e-mail documents and information from IT applications to personal e-mail accounts.
Employees' ability to continue to access IT systems after they have left the organization.
Employees' ability to access physical documents after they have left the organization.
Employees' ability to install malware on IT systems they leave behind.
Outcome measurements for risk mitigation
When a former employee uses data assets from a former employer without authorization, the former employer often becomes aware of the data use. For example, suppose an employee steals a marketing e-mail list from the organization and starts using it to solicit business for a competitor that hired the employee. Often, mailing lists are spiked with beacon addresses that are monitored for unauthorized activity. This can enable the employer to detect that a laid-off employee has used the stolen mailing list.
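The beacon-address technique described above, as an added example that is not part of the original report: each exported copy of the mailing list is seeded with a beacon address derived from an export identifier, so that mail arriving at that address from outside the organization can be traced back to the copy that leaked. The canary domain, the secret key, the export identifiers and the log line format are all assumptions constructed for the demonstration.

```python
"""Beacon (canary) addresses for detecting misuse of an exported mailing list.

Added example; not code from the IBM Redpaper. The canary domain, the secret,
the export identifiers and the inbound-MTA log format are all constructed.
"""
import hashlib
import hmac
import re

CANARY_DOMAIN = "canary.example.com"   # assumption: mailboxes read only by monitoring
SECRET = b"constructed-secret-key"     # assumption: never shipped with the list


def canary_address(export_id, secret=SECRET):
    """Derive a beacon address unique to one exported copy of the list.

    Keying the tag with a secret means a recipient cannot tell the beacon apart
    from a real subscriber, and a hit maps back to its export without a table.
    """
    tag = hmac.new(secret, export_id.encode(), hashlib.sha256).hexdigest()[:12]
    return "news-%s@%s" % (tag, CANARY_DOMAIN)


def seed_list(recipients, export_id):
    """Return the list handed out for this export with its beacon mixed in."""
    seeded = list(recipients)
    seeded.insert(len(seeded) // 2, canary_address(export_id))  # bury it mid-list
    return seeded


# Constructed inbound-MTA log line shape: "<timestamp> from=<sender> to=<recipient>"
LOG_LINE = re.compile(r"^\S+ from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>$")


def detect_hits(log_lines, export_ids, internal_domain="example.com"):
    """Map mail received on a beacon back to the export it was planted in.

    Only mail from outside internal_domain is reported, so a legitimate in-house
    campaign sent to the whole list (beacons included) does not raise an alert.
    """
    beacons = {canary_address(e): e for e in export_ids}
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unrelated or malformed log line
        sender, rcpt = m["sender"].lower(), m["rcpt"].lower()
        if rcpt in beacons and not sender.endswith("@" + internal_domain):
            hits.append({"export": beacons[rcpt], "sender": sender, "beacon": rcpt})
    return hits
```

Each export identifier would normally be recorded alongside who extracted the list and when, so a hit on a beacon names the copy, and hence the departure, to investigate.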
[5] This report can be found at the following Web site: http://www.cert.org/archive/pdf/bankfin040820.pdf
[6] This report can be found at the following Web site: http://www.cert.org/archive/pdf/insidercross051105.pdf
Using the IBM Security Blueprint to Address Business Risks for Employee Offboarding