Special Situations


Certain situations are ripe for the onset of an insider attack. One of the most dangerous situations for a company to handle is the termination of key employees. When senior managers are terminated, the prospect that intellectual capital might be removed is extremely threatening to a company's reputation and viability. Obviously, both HR and the legal department should be involved from the beginning when a senior manager is removed for cause (or leaves to join a competitor). The person's network and physical access should be terminated, preferably while the employee is in an exit interview. The employee should then be allowed to remove any personal items from his or her office while under the supervision of another trusted person. A complete audit of any items or data that the employee might have had access to might be required.

Even more dangerous from a computer security point of view is the termination of either a system administrator or a member of the security team. Because these personnel have the technical knowledge to evade detection, a thorough audit is required. This audit should focus on what information the employee might have removed and what access the employee might have to company systems. It should also look for any signs that the employee can access the systems after his or her termination. If the employee is a member of the incident response team, care must be taken to ensure that the personnel conducting the audit and investigation are trusted and that they are not conspiring with the ex-employee. Even if their reliability is above reproach, it might still be wise to have an external audit by a trusted third party, if only to demonstrate due diligence. This might also serve as a deterrent to future employees and a demonstration that the company takes security seriously, especially when a security person is involved.

Terminate or Prosecute?

The ultimate decision in the investigation of an insider attack is whether to discipline the employee, terminate the person, prosecute the person, or some combination of these. This is not a simple decision, and it should be raised (at least in general terms) early in the investigation. Senior management should be briefed and must make the decision. This is a business decision, not a security one.

A number of factors should be considered in this decision:

  • What is required to terminate an employee? In the United States, if an employee was hired at-will, it is probably easy to terminate the employee for cause or even for no reason at all. If the employee is unionized or has an employment contract, it might be more difficult. If the investigation has to be sufficient to fire a contracted employee, it might be just as easy to prosecute the person at the same time.

  • What is the nature of the offense, and is it likely that law enforcement will be interested? The offense might not be illegal. It might also not be great enough for a prosecutor (whether federal or local) to pursue a case. This might also depend on the relationship the incident response team has with local law enforcement and the standing of the company in the community.

  • What is the reputational danger to the company if (when) knowledge of the incident becomes public? If the employee is prosecuted, full details of the incident will be released to the public. It might be possible, however, in an embarrassing incident to keep the details private, especially if the employee is disciplined and not terminated.

An employee should not be terminated until the investigation is complete. Placing an employee on administrative leave protects the company from wrongful-termination lawsuits. In addition, it can be used to gain the employee's cooperation. For example, the employee could be told that the company will not press charges provided the employee provides all details of the attack. The employee also could be provided immunity if he or she agrees not to release information about the attack. The employee can even be offered a severance package, subject to certain conditions.



Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
EAN: 2147483647
Year: 2002
Pages: 103
