How to avoid being stung by disgruntled (ex) employees after a redundancy

By Ron Condon, UK Bureau Chief
12 Dec 2008 | SearchSecurity.co.uk


When redundant workers leave the office for the last time, they may be taking more than the contents of the cardboard box or black sack they are carrying.

According to a recent survey of workers in London, New York and Amsterdam, many employees will have already stolen valuable information from their employer in anticipation of losing their jobs, while others will find ways to access old accounts after their employment has finished.

The survey of 600 workers, conducted by security company Cyber-Ark Software Ltd., revealed that more than half had already downloaded competitive corporate data which they planned to use as a negotiating tool to secure their next post. At the top of the list of desirable information were customer and contact databases.

The findings serve as a reminder that the biggest security threats come from inside the organisation, especially when staff may be coming under financial pressures or worrying about their jobs.

Danny McLaughlin, a fraud expert at auditing firm KPMG LLP, warns that staff under pressure, if given the opportunity, will find ways of justifying stealing from their company. The opportunity can arise through lax controls or a general approach in the organisation that encourages people to bend the rules. "Some will have access to sensitive data that they can use to give them a flying start with their new employer, or to set up on their own," he says.

Last year, KPMG analysed 360 cases of fraud, and produced its 'Profile of a Fraudster' to show the type of person that is most drawn to swindling their company. They found that most (85%) were male and 70% were between 36 and 55 years old. Members of management, including board members, accounted for 86% of all profiles.

"Most destructive fraud is done by senior management, because they know how things operate and they have the ability to coerce or intimidate others in the company," said McLaughlin. "Just think of people like Robert Maxwell and Conrad Black. They are less likely to be challenged by subordinates, and less likely to be suspected of wrongdoing by their colleagues."

McLaughlin added that technical controls were not enough to deter senior management from crime, and that companies need effective corporate governance through their auditing committees and non-executive directors. "They need to challenge and question. They need to look at the effectiveness of controls, audit and other supervisory functions."

When companies are planning to lay off staff, it is in their best interests to do it sensitively, says Steve Flatt, a director of the Liverpool-based Psychological Therapies Unit who has recently advised car companies on how to manage redundancies. "If employees are kept in the picture throughout [the redundancy process], then the employees affected are much more likely to treat the company reasonably and accept the situation and move on without trying to destroy or disrupt," he said.

But he acknowledged that some people may react aggressively regardless of how they are treated: "If an employee is a defensive, angry and resentful character in the first place, often well hidden in order to survive, then a loss of position can be seen as yet another reinforcement of that employee's victim status and produce a vengeful response no matter how the company treats them."

In other words, you always need some technical controls in place to prevent information from being copied, or at least to record where it is copied. That may be done by installing data loss prevention software to control the movement of information, or by blocking off parts of the system, such as USB ports. But that is unlikely to be effective unless companies have gone through some form of data classification exercise to identify their most sensitive data, and few so far have done this.

Another vital step is to ensure that when staff leave the company, they do not retain access to systems. Stuart Hodkinson, U.K. country manager for security company Courion Corp., says that with the fast pace of change in companies, especially financial services, access control is in danger of being forgotten.

"The best way of handling it, especially when a large number of people are being asked to leave, is to do a bulk deprovisioning," he said. "An aggrieved employee has an opportunity to do damage or to take away privileged information."

Hodkinson said that companies underestimate the task of deprovisioning. "Organizations may think that simply terminating an employee's network access is sufficient protection. However, due to the complexity of today's Web-enabled IT environments, this approach is increasingly ineffective because it does not remove access to some Web-based accounts or online SaaS providers like Salesforce.com," he said. "Laid-off employees can easily exploit the lag time between being laid off and having all of their accounts shut off to access sensitive company information."
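A reconciliation check for the lag described above, as an added example that is not part of the original article: it compares an HR leaver list with account exports from each system and flags accounts that are still enabled, or were used, after the employee's last day. The CSV layouts, system names and addresses are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data: HR leaver list and per-system account exports (assumed layouts).
LEAVERS_CSV = """email,last_day
alice@example.com,2008-12-05
bob@example.com,2008-12-05
carol@example.com,2008-12-12
"""
ACCOUNTS_CSV = """system,login,enabled,last_login
directory,alice@example.com,false,2008-12-04
crm_saas,alice@example.com,true,2008-12-09
directory,bob@example.com,false,2008-12-05
crm_saas,bob@example.com,false,2008-12-03
webmail,BOB@example.com,true,2008-12-01
directory,carol@example.com,true,2008-12-10
directory,dave@example.com,true,2008-12-11
"""

def find_orphaned_accounts(leavers_csv, accounts_csv, as_of):
    """Return leaver accounts still enabled on as_of, or used after the last day."""
    last_day = {
        row["email"].strip().lower(): date.fromisoformat(row["last_day"])
        for row in csv.DictReader(io.StringIO(leavers_csv))
    }
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        login = row["login"].strip().lower()  # SaaS exports often differ in case
        left = last_day.get(login)
        if left is None or left >= as_of:
            continue  # not a leaver, or last day not yet passed
        enabled = row["enabled"].strip().lower() == "true"
        seen = row["last_login"].strip()
        used_after = bool(seen) and date.fromisoformat(seen) > left
        if enabled or used_after:
            findings.append({
                "system": row["system"], "login": login,
                "still_enabled": enabled, "used_after_exit": used_after,
                "days_exposed": (as_of - left).days if enabled else 0,
            })
    # Longest-exposed accounts first, then by system name.
    return sorted(findings, key=lambda f: (-f["days_exposed"], f["system"]))

if __name__ == "__main__":
    for finding in find_orphaned_accounts(LEAVERS_CSV, ACCOUNTS_CSV, date(2008, 12, 12)):
        print(finding)
```

In the sample, both leavers have had directory access disabled, yet the check still reports an enabled CRM account that was used after the exit date and an enabled webmail account under a differently cased login.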
