Boosting Your Insider Threat Program: Examples, Indicators, and Mitigation Steps – The Monitor, March 2019

In March, 18% of all Kroll’s Cyber Risk engagements were Insider Threat incidents, most commonly affecting the healthcare and financial services industries. Kroll reviewed cases that involved former employees gaining unauthorized access to data, as well as employees inadvertently exposing confidential data.

According to the New Jersey Cybercrime Communications and Integration Cell (NJCCIC), “Insider Threats can include current or departing employees, contractors, third party vendors, technicians, business partners, and anyone granted administrator privileges. If organizations do not have the right preventative measures in place and management is not cognizant of the indicators of an insider threat, they are putting themselves at great risk.”

Insider threat incidents involving former employees are increasing as companies move proprietary information to cloud-based services. Departing employees with active credentials pose a threat to even the most secure networks, as the examples below highlight:

  • In a recent incident covered in open source news reports, a disgruntled former employee at a UK-based firm stole a coworker’s credentials and deleted 23 of his former company’s cloud servers.
  • A New Jersey woman stole trade secrets from her employer, posting the stolen material on the website of a Chinese subsidiary company, in which she was part owner. She admitted to accessing an internal company database and downloading information related to chemical compounds onto her company-issued laptop. She then transferred the information to her personal home computer by sending it to her personal e-mail address or via a USB thumb drive.

Cases like these demonstrate the high-impact nature of some insider threat investigations. It is imperative that organizations deploy procedures to make it as difficult as possible for departing or disgruntled employees to exfiltrate sensitive data or access key internal systems.

Monetizing Insider Threats on the Dark Web

The screenshot below shows a possible insider threat actor advertising access to checks on a hacker forum, which could be evidence of a check fraud scheme involving a potential employee of the bank.


Follow These Best Practices [1] to Address Insider Threats Within Your Organization

  • Non-Disclosure Agreement (NDA): Ensure the organization has a clear NDA and employees acknowledge and sign a copy as part of their onboarding.
  • Apply the Principle of Least Privilege: Limit network access to those who need it for their jobs.
  • Restrict the use of removable media: Limit the ability of exporting data onto USB drives and memory cards.
  • Use Data Loss Prevention (DLP) software: Consider adopting DLP software solutions to protect and monitor the transmission of sensitive data while enforcing security policy compliance.
  • Watch for early warning indicators: Signs include an employee working unscheduled hours or using remote access during off-hours, exporting large amounts of data without a business reason, and never taking a vacation.
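As an added illustration of the "early warning indicators" item (this is example code written for this page, not Kroll's or NJCCIC's), the following script runs two of the indicators above, off-hours remote access and unusually large data exports, over a few constructed log lines. The log format, the business-hours window and the export threshold are assumptions; a real deployment would read VPN and DLP logs in their native formats and tune the threshold to the organization's baseline.

```python
"""Added example: detect off-hours remote access and large data exports.
Not Kroll's or NJCCIC's code; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines in an assumed format:
#   <ISO timestamp> <user> <event> <key>=<value>
SAMPLE_LOGS = """\
2019-03-04T09:12:00 alice vpn_login src=203.0.113.5
2019-03-04T10:30:00 alice file_export bytes=120000
2019-03-05T02:41:00 bob vpn_login src=198.51.100.7
2019-03-05T02:50:00 bob file_export bytes=850000000
2019-03-05T03:10:00 bob file_export bytes=900000000
2019-03-06T14:05:00 carol file_export bytes=40000000
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed local business hours (Mon-Fri)
EXPORT_THRESHOLD_BYTES = 1_000_000_000      # assumed per-user, per-day export ceiling


def parse_line(line):
    """Split one log line into a record; the key=value detail is kept by key."""
    ts_str, user, event, detail = line.split(maxsplit=3)
    key, _, value = detail.partition("=")
    return {"ts": datetime.fromisoformat(ts_str), "user": user, "event": event, key: value}


def is_off_hours(ts):
    """True on weekends or outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_indicators(log_text):
    """Return {user: sorted list of indicator names} for users who trip a rule."""
    indicators = defaultdict(set)
    daily_export = defaultdict(int)  # (user, date) -> bytes exported that day

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "vpn_login" and is_off_hours(rec["ts"]):
            indicators[rec["user"]].add("off-hours remote access")
        elif rec["event"] == "file_export":
            key = (rec["user"], rec["ts"].date())
            daily_export[key] += int(rec["bytes"])
            # Running daily total, so the alert fires on the export that crosses the line
            if daily_export[key] > EXPORT_THRESHOLD_BYTES:
                indicators[rec["user"]].add("large data export")

    return {user: sorted(hits) for user, hits in indicators.items()}


if __name__ == "__main__":
    for user, hits in find_indicators(SAMPLE_LOGS).items():
        print(f"{user}: {', '.join(hits)}")
```

On the constructed input only `bob` is flagged, for both indicators. The "never takes a vacation" indicator is deliberately not in the script: it comes from HR leave records rather than technical logs, which is why the page pairs these indicators with HR procedures.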

Additionally, consider incorporating these three steps into your human resources procedures for exiting employees [1]:

  • During exit interviews: If an employee gives a traditional two-week notice upon resignation, be sure to conduct a thorough exit interview to discuss document retention and technology return policies, as well as a review of current account access and what can be expected as they prepare for departure. It would be wise to include a member of your IT security team in the meeting as well to ensure they are aware of any active accounts and company-issued devices still in use by the employee.
  • When handling immediate employee removal: In the event the employee is terminated, gives a resignation notice that is effective immediately or shows signs of hostility when resigning, you should remove him or her from the premises as quickly and safely as possible. Security or management should ensure that the employee does not leave with any data that violates company policy.
  • Immediately limit physical and electronic access: Before the employee permanently leaves the premises, make sure to immediately deactivate, disable or delete the following for physical and network security: network accounts (local and remote access), ID authentication tokens, security codes, email accounts and access cards.
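The third step above lists what must be deactivated before a departing employee leaves. As an added example (not Kroll's or NJCCIC's code), the script below reconciles an HR departure list against an inventory of those items and reports, first, everything still enabled for someone whose last day has passed and, second, anything used after that last day, which is the former-employee access scenario described at the top of the article. The record formats and sample data are constructed assumptions.

```python
"""Added example: reconcile HR departures against account and access inventory.
Not Kroll's or NJCCIC's code; record formats and data are constructed."""
from datetime import date, datetime

# Constructed HR departure records: employee id -> last day of employment
DEPARTURES = {
    "e1001": date(2019, 3, 1),
    "e1002": date(2019, 3, 15),
}

# Constructed inventory covering the categories the exit checklist names:
# network_account, remote_access, auth_token, email, access_card
INVENTORY = [
    {"owner": "e1001", "kind": "network_account", "id": "jdoe",
     "enabled": True, "last_used": "2019-03-04T08:30:00"},
    {"owner": "e1001", "kind": "access_card", "id": "card-771",
     "enabled": False, "last_used": "2019-02-28T17:10:00"},
    {"owner": "e1002", "kind": "email", "id": "asmith@example.com",
     "enabled": True, "last_used": "2019-03-14T12:00:00"},
    {"owner": "e1003", "kind": "auth_token", "id": "tok-55",
     "enabled": True, "last_used": "2019-03-14T12:00:00"},
]


def reconcile(departures, inventory, today):
    """Return (to_disable, used_after_departure), each a list of item ids.

    to_disable: still-enabled items owned by anyone whose last day is before today.
    used_after_departure: items with activity after the owner's last day.
    """
    to_disable = []
    used_after = []
    for item in inventory:
        last_day = departures.get(item["owner"])
        if last_day is None or last_day >= today:
            continue  # current employee, or departure not yet effective
        if item["enabled"]:
            to_disable.append(item["id"])
        last_used = datetime.fromisoformat(item["last_used"]).date()
        if last_used > last_day:
            used_after.append(item["id"])
    return to_disable, used_after


def report(today_iso):
    """Run the reconciliation against the constructed data for a given date."""
    return reconcile(DEPARTURES, INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    to_disable, used_after = report("2019-03-10")
    print("disable now:", to_disable)
    print("used after departure, investigate:", used_after)
```

Run daily, the `to_disable` list is the gap between HR's view of who has left and what is still live, and a non-empty `used_after_departure` list is a signal to treat as an incident rather than a housekeeping item.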

This article was extracted from the Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The newsletter also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscribe now.

[1] NJCCIC; “Insider Threat Demands a Proactive Approach”; 2 Sep 2015; URL:
