Unconventional ways to deal with malicious insider threats

While most organizations understand the insider threat that vindictive employees can pose, the potential harm from the threat is often underestimated. A 2021 report by Forrester found fear of a layoff was the likely cause for a vengeful employee to turn on the organization and choose to exfiltrate data, and screenshot or download sensitive information. While most organizations recognize the need to cut off employee access after they leave, many don't account for the harm a disgruntled employee can inflict in the last few weeks or days in a role. If emotions are high when an employee is terminated or laid off, this can be even more serious; the odds of malicious behavior are greater.

This is why a certain amount of tact in dealing with employee terminations is required to prevent a potentially avenging employee from turning against the organization. While an HR representative can smooth out the uncomfortable experience of an employee dismissal, as an IT administrator, here's what you need to do to ensure a smooth employee offboarding experience:

1. The organization's SOC teams that handle insider threats should be aware of employee dismissals. This can be accomplished by providing the security analyst team with a list of employees who will be leaving soon.

2. These employees should be treated the same way third-parties service providers are. They should be monitored for anomalies in their behavior from the time the decision is made to dismiss them, up to dismissal. Having a SIEM solution with UEBA capabilities is imperative. Dynamic or static peer group configurations can help you proactively build clusters based on network behavior or predefine peer groups that users are categorized under based on attributes.

3. Opting for CASB and DLP solutions are a good investment, and can be invaluable in this scenario. Since employees with ill-intent could upload company-sensitive files to their personal clouds, CASBs or DLP solutions can monitor this sort of activity and provide alerts when this happens.

4. Any termination of an employee's service at the organization is better handled face-to-face or over video conferencing. And it is best to shut down their logical and physical accesses when the employee is being informed.

Addressing the network and technology security aspects of an employee termination is vital, but it's wise to also be aware of the emotional aspect, even if it is mostly handled by the HR department. An organization can never be too careful when it comes to network security, so it's best to weave these practices into the insider threat security strategy.