Pfizer, Ubiquiti and Code42 all faced real or potential insider threats that could have been a lot worse if they had not had a plan to deal with them.

Every company, regardless of size, should have an insider risk management playbook in place to address the insider threat. The human factor is always in play: mistakes will happen that inadvertently place the company at risk. The other side of the human factor is the malevolent individual who opts to break trust and willingly pushes aside NDAs and in-place IT data handling processes and procedures to knowingly abscond with sensitive data.

Three recent incidents underscore the importance of having an insider risk management playbook:

Ubiquiti’s insider risk mitigation plan pays off

Malicious insider Nikolas Sharp of Ubiquiti stole his company’s data and then attempted to maneuver the post-investigation efforts away from his own actions and to extort $2 million from his employer. While the Ubiquiti team did not stop the exfiltration of the data, once anomalous activity was discovered they executed their mitigation plan and eventually brought in the FBI to address the criminal aspects of their insider incident.

Code42 detects improper downloads early

Prime components of the mitigation playbook, or plan, according to Code42’s vice president of portfolio strategy and product marketing, Mark Wojtasiak, are embracing the three T’s: transparency, training and technology. In his December 2021 piece, “Your employees are making a run for it, and so is your data,” he emphasized the need to “Teach them company data ownership policies, set expectations in terms of ownership and develop guidelines they can follow when in doubt.” Wojtasiak wrote the above from a position of personal experience. Speaking to this writer for an earlier article, he noted how a recent incident within his own team at Code42 served to highlight the importance of having an insider incident playbook.
In the Code42 case, the employee had given notice that they were leaving Code42 for another opportunity. The company standard operating procedure (SOP) called for a review of the last 90 days of activity by the employee. The review team discovered the employee had downloaded sensitive internal customer lists to an unmanaged device.

Wojtasiak explained how the playbook allowed Code42 to immediately work the problem. HR, legal, infosec and the business unit all have a role. He emphasized that the working assumption within Code42 was that the employee’s actions were not the result of malicious intent. The facts directed the investigation, and they would learn that such was not the case: the employee had in fact intended to take the customer lists to his next employer. The employee made his devices available to the mitigation team, which allowed the recovery of the pilfered data. Then, when the internal aspects of the incident concluded, Wojtasiak shared how the CEO of Code42 told the CEO of the company that was hiring the departing Code42 employee directly what had transpired and how it was handled internally.

Pfizer threat monitoring identifies data theft

Pfizer had beefed up its insider threat monitoring capability when it implemented a technology that monitored employee uploads to devices in October 2021. On October 29, they discovered that between October 23 and 26 an employee transferred over 12,000 files “from her Pfizer laptop to an online Google Drive.”

The insider risk mitigation team’s efforts are detailed within their court filings. Immediately upon discovery of the October 2021 download of the 12,000 files, the team initiated a “digital review of the employee’s emails, file access and internet activity on her Pfizer-issued laptop.” This investigation showed “that she had been interviewing with and had received an offer of employment from Xencor.”

With this information in hand, the mitigation effort brought together HR, security, and IT (forensics).
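The two detection triggers in the Code42 and Pfizer cases above, a departing employee’s recent transfers to unmanaged destinations and a bulk upload to a personal cloud drive inside a short window, can be expressed as one review over file-transfer audit events. The script below is an added illustration, not code from Code42, Pfizer or any product; the event format, the sanctioned-destination list, the notice dates and the thresholds are all constructed assumptions.

```python
"""Flag file transfers to unmanaged destinations for insider-risk review."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry).
# Format: timestamp user destination_type destination file_count
SAMPLE_EVENTS = [
    "2021-10-23T09:12:00 jdoe cloud drive.google.com 4100",
    "2021-10-24T18:40:00 jdoe cloud drive.google.com 5300",
    "2021-10-26T07:05:00 jdoe cloud drive.google.com 2800",
    "2021-10-25T10:00:00 asmith cloud sharepoint.corp.example 900",
    "2021-10-25T11:30:00 bjones usb unmanaged-removable 60",
]
SANCTIONED = {"sharepoint.corp.example"}          # assumed company-managed storage
DEPARTING = {"bjones": datetime(2021, 10, 20)}    # assumed user -> date notice given


def parse_event(line):
    ts, user, dtype, dest, count = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "dtype": dtype, "dest": dest, "count": int(count)}


def flag_transfers(lines, window=timedelta(days=7), bulk_threshold=1000,
                   lookback=timedelta(days=90)):
    """Return {user: (reason, file_count)} for users needing review.

    'bulk'      - more than bulk_threshold files sent to unsanctioned
                  destinations within any sliding `window`.
    'departing' - a user who gave notice and moved any files to an
                  unsanctioned destination within `lookback` of that date
                  (the 90-day review the Code42 SOP describes).
    """
    by_user = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["dest"] not in SANCTIONED:
            by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        notice = DEPARTING.get(user)
        for i, ev in enumerate(evs):
            # Sum everything this user sent in the window ending at this event.
            recent = [e for e in evs[:i + 1] if ev["ts"] - e["ts"] <= window]
            total = sum(e["count"] for e in recent)
            if total > bulk_threshold:
                flagged[user] = ("bulk", total)   # last window over threshold
            elif notice and ev["ts"] >= notice - lookback and user not in flagged:
                flagged[user] = ("departing", sum(e["count"] for e in evs))
    return flagged
```

Transfers to sanctioned company storage are ignored, so the SharePoint upload by `asmith` is not flagged, while the three Google Drive uploads by `jdoe` are aggregated across the window and the single USB copy by the departing `bjones` is surfaced regardless of size.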
The team met and then spoke with the employee twice on October 29. One of those interviews occurred over a video teleconference where the employee “logged onto her Google Drive account and deleted all of the files saved there.” On November 1, the employee came into Pfizer’s offices, provided her company laptop and provided access to her personal laptop for forensic review. The employee was placed on administrative leave, and the subsequent investigation showed that the laptop provided was not the laptop which contained the 12,000 documents, and that the company’s data, data which included COVID-19 research, was no longer in its control.

Pfizer acknowledges in its court filings that the detection of the theft and the resulting investigation confirmed its findings, and that this employee attempted to dupe the company into thinking that its internal documents were not at risk. Pfizer believes its former employee and others continue to possess Pfizer’s information.

Importance of an insider risk playbook

Those who eschew the idea of having a playbook in place will find themselves reinventing the wheel with each insider incident. When it comes to reacting to the discovery that a colleague may have mishandled data, having a process takes the emotion out of the equation.

While the makeup of the mitigation team may vary from company to company, including HR, legal, security, IT and the business unit is table stakes. Equally important to identifying the elements of the mitigation team is ironing out defined roles and expectations for when an incident percolates to the top and requires handling.

What’s in your playbook?