When is the last time you threw a party?
Imagine putting together a small party for ten people. You worked hard to make the event successful. You invite people into your house -- where you keep your prized possessions. The things you find valuable.
The day before the party you learn that six of the attendees will take something home with them. Yes, it’s theft. You can’t cancel the party.
What do you do?
Seem unlikely? Mike Tierney uses this analogy to explain what happens at work all the time. Except instead of your home and personal property, they take from the company. Not just the pens (and perhaps a red Swingline stapler).
They are stealing company secrets and valuable information.
What can we do?
I talked with Mike Tierney (LinkedIn, @mikejtierney) the COO of Veriato Inc. about some strategies for security leaders to better handle the risk. As with our last conversation (read it here), he didn’t disappoint. Not only is he fun to talk with, but he offered three concrete steps you can take today to prepare for tomorrow.
Step 1: meet with legal to translate agreements into plain language
We have policies, agreements, and contracts that govern the bulk of our employment. Most (strive for all) employees and contractors sign agreements when they start working. These agreements cover expectations about the ownership and protection of information.
These agreements are your first line of defense.
If you don’t understand the agreement, chances are other people won’t either. The first step -- provided these agreements exist -- is to produce a plain-language version.
Work with your legal team to incorporate the plain language into what exists today. As a tip, you can usually just append the translation using the phrase, “for the avoidance of doubt.” This is an opportunity to partner for the mutual benefit of protecting the company.
When it’s ready (and tested), explain the policies and agreements to people. Use the plain language to ensure mutual understanding. Make it part of the onboarding process. Then review it with them again when they leave the company.
Mike explained that “while these are simple steps, many organizations struggle to execute them well. An easy-to-understand document makes it clear how serious the company is. And makes it easier for employees to comply."
Step 2: visit with human resources to get instant notification of departures
When people leave, you need to know RIGHT AWAY. The conversation is simple. The process is elusive for many.
Start by including HR in the assessment of positional risk during the hiring process. Mike explained how in “A reality check for security leaders on insider risk.” It involves using a simple scale to communicate priority and action.
The scale helps because it makes the communication simple. When someone leaves, they tip the scale. All the way to 10 (save 11 for special circumstances). That’s an immediate signal security can use to move to step 3 below.
Using a scale sidesteps the “we’d love to tell you, but we can’t because it’s a matter of personnel.” First, you can call their bluff on that statement. More broadly, someone leaving the company with access to information is a corporate event. It needs review. Avoid the fight by agreeing on the scale and the corresponding signal up front.
Mike added, “In my experience, HR wants to help. More so, once they understand the problem and how significant a role they can play in addressing it. They play an important role at the intersection of employer and employee. Give them the means they need to improve security without compromising that unique role."
Step 3: what to do when they leave (or when you find out)
When you learn someone left, review the last 30 days of activity. Longer if you have it. Most people know they are leaving about a month in advance. This tends to be when people do the most damage.
Look for signs of data exfiltration. Consider the methods available to them to move information:
- Unusual behavior in email: sending themselves documents by email, or using free webmail services to send files and information to a personal account.
- Bring your own cloud (BYOC): uploading files to the Internet isn’t new, but it is easier than ever. Look for signs of personal cloud storage accounts being used to move information.
- Portable storage: copying data to USB drives or other portable storage and carrying it off premises.
Some of these are easier to detect than others. Determining what happened may need a blend of physical and electronic controls, and you will have blind spots. At this stage, the goal is to learn enough about what happened to take actions that protect the organization.
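To make the 30-day review concrete, here is an added example (not code from the original post, from Mike Tierney, or from Veriato) that runs the three checks above over a departing user's activity. It assumes three hypothetical telemetry feeds already normalized into one event list (mail gateway, web proxy, endpoint agent), an assumed corporate mail domain of example.com, assumed lists of webmail and personal cloud hosts, and an assumed 10 MiB upload threshold; the sample events are constructed for illustration, not real logs.

```python
"""
Added example: review the last N days of a departing user's activity for
three exfiltration signals the article lists: attachments sent to personal
webmail, large uploads to personal cloud storage, and copies to removable
media. All domains, thresholds and events below are assumptions or
constructed samples, not data from the original post.
"""
from datetime import datetime, timedelta

CORPORATE_DOMAINS = {"example.com"}                      # assumed
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed
PERSONAL_CLOUD_DOMAINS = {"dropbox.com", "drive.google.com", "mega.nz"}  # assumed
UPLOAD_BYTES_THRESHOLD = 10 * 1024 * 1024               # assumed tuning value (10 MiB)

# Constructed sample telemetry from three hypothetical sources. Not real data.
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T09:15:00", "user": "jdoe", "source": "mail",
     "to": "jane.doe@gmail.com", "attachments": ["Q1_pipeline.xlsx"]},
    {"ts": "2024-03-05T18:40:00", "user": "jdoe", "source": "proxy",
     "host": "www.dropbox.com", "method": "POST", "bytes_out": 48_000_000},
    {"ts": "2024-03-09T12:01:00", "user": "jdoe", "source": "endpoint",
     "action": "file_copy", "dest_type": "removable", "path": "E:/customers.csv"},
    {"ts": "2024-03-10T10:00:00", "user": "jdoe", "source": "mail",
     "to": "partner@vendor.example", "attachments": ["NDA.pdf"]},  # external, not webmail
    {"ts": "2024-01-20T11:00:00", "user": "jdoe", "source": "proxy",
     "host": "www.dropbox.com", "method": "POST", "bytes_out": 90_000_000},  # outside 30 days
    {"ts": "2024-03-06T13:00:00", "user": "asmith", "source": "mail",
     "to": "a.smith@outlook.com", "attachments": ["notes.docx"]},  # different user
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def review_window(events, user, departure_date, days=30):
    """Events for `user` from `days` before the departure date through the
    end of the departure day. Raise `days` when you have longer retention."""
    day_start = datetime.fromisoformat(departure_date)
    start = day_start - timedelta(days=days)
    end = day_start + timedelta(days=1)
    return [e for e in events
            if e["user"] == user and start <= _parse(e["ts"]) < end]


def _host_matches(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(event):
    """Return the exfiltration category an event matches, or None."""
    src = event["source"]
    if src == "mail" and event.get("attachments"):
        domain = event["to"].rsplit("@", 1)[-1].lower()
        # Only personal webmail is flagged here; other external mail is
        # normal business and would need a different, noisier rule.
        if domain in WEBMAIL_DOMAINS:
            return "webmail_attachment"
    if src == "proxy":
        if (_host_matches(event["host"], PERSONAL_CLOUD_DOMAINS)
                and event["method"] in {"POST", "PUT"}
                and event["bytes_out"] >= UPLOAD_BYTES_THRESHOLD):
            return "personal_cloud_upload"
    if (src == "endpoint" and event.get("action") == "file_copy"
            and event.get("dest_type") == "removable"):
        return "removable_media_copy"
    return None


def find_exfil_signals(events, user, departure_date, days=30):
    """Group the user's in-window events by matched category."""
    findings = {}
    for e in review_window(events, user, departure_date, days):
        cat = classify(e)
        if cat:
            findings.setdefault(cat, []).append(e)
    return findings


if __name__ == "__main__":
    # jdoe's departure is reported on 2024-03-12 (constructed date).
    for cat, hits in find_exfil_signals(SAMPLE_EVENTS, "jdoe", "2024-03-12").items():
        print(f"{cat}: {len(hits)} event(s)")
        for h in hits:
            print("   ", h["ts"], h.get("to") or h.get("host") or h.get("path"))
```

The window is keyed to the date security learns of the departure, which is the signal step 2 delivers; widening `days` shows how retention changes what you can see, and the vendor-domain mail event shows why the webmail rule is deliberately narrow to keep ordinary business traffic out of the findings.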
The smart approach for security leaders to get started
It’s easy to draw on existing experience and focus on the downside. While controls are helpful, the first step is to build a clear and effective process. Create a good work environment that also protects information when people leave.
Insight and experience are excellent guides. Use what you have in place right now to follow these three steps for the next ten people who leave the company. Form a “task force” between legal, HR, and security. Agree on the process.
As each of the next 10 people leaves, measure the steps and how long they take. Consider what you learn. Document what worked. Note where you had blind spots. Look for ways to collaborate with other teams.
This is a chance to show that security doesn’t exist in a vacuum. Help others understand that security is a shared responsibility. Offer your leadership to elevate the people around you. Work with your partners in legal and HR to develop a better way to protect the company.
That way you enjoy the party while protecting your possessions. Mike added, “And maybe you can use that 11 setting on your amplifier …”