Three recent events prove the need for an insider risk playbook

Every company, regardless of size, should have an insider risk management playbook in place to address the insider threat. The human factor is always in play, mistakes will happen that inadvertently place the company at risk. The other side of the human factor are the malevolent individuals who opt to break trust and willingly push aside their NDAs and in-place IT data handling processes and procedures to knowingly abscond with sensitive data.

Three recent incidents underscore the importance of having an insider risk management playbook:

Ubiquiti’s insider risk mitigation plan pays off

Malicious insider Nikolas Sharp of Ubiquiti stole his company’s data and then attempted to maneuver the post-investigation efforts away from his own actions and to extort from his employer $2 million. While the Ubiquiti team did not stop the exfiltration of the data, once an anomalous activity was discovered, they executed on their mitigation plan, and eventually brought in the FBI to address the criminal aspects of their insider incident.

Code42 detects improper downloads early

Prime components of the mitigation playbook, or plan, according to Code42’s vice president of portfolio strategy and product marketing, Mark Wojtasiak, is embracing the three T’s of transparency, training and technology. In his December 2021 piece, “Your employees are making a run for it, and so is your data,” he emphasized the need to “Teach them company data ownership policies, set expectations in terms of ownership and develop guidelines they can follow when in doubt.”

Wojtasiak, wrote the above from a position of personal experience. Speaking to this writer for an earlier article, he noted how a recent incident within his own team at Code42 served to highlight the importance of having the insider incident playbook. In the Code42 case, the employee had given their notice that they were leaving Code42 for another opportunity. The company standard operating procedure (SOP) called for a review of the last 90 days of activity by the employee. The review team discovered the employee had downloaded sensitive internal customer lists to an unmanaged device.

Wojtasiak explained how the playbook allowed Code42 to immediately work the problem. HR, Legal, infosec and the business unit all have a role. He emphasized how the working assumption within Code42 was that the employee’s actions were not a result of malicious intent. The facts directed the investigation, and they would learn that such was not the case and that the employee had in fact intended to take the customer lists to his next employer.

The employee availed his devices to the mitigation team, which allowed the recovery of the pilfered data. Then when the internal aspects of the incident concluded, Wojtasiak shared how the CEO of Code42 shared directly with the CEO of the company which was hiring the departing Code42 employee what had transpired, how it was handled internally.

Pfizer threat monitoring identifies data theft

Pfizer had beefed up its insider threat monitoring capability when it implemented a technology that monitored employee uploads to devices in October 2021. On October 29, they discovered that between October 23 and 26 an employee transferred over 12,000 files “from her Pfizer laptop to an online Google Drive.”

The insider risk mitigation team’s efforts are detailed within their court filings. Immediately upon discovery of the October 2021 download of the 12,000 files, the team initiated a “digital review of the employee’s emails, file access and internet activity on her Pfizer-issued laptop.” This investigation showed, “that she had been interviewing with and had received an offer of employment from Xencor.”

With this information in hand, the mitigation effort brought together HR, security, and IT (forensics). The team met and then spoke with the employee, twice on October 29. One of those interviews occurred over a video teleconference where the employee “logged onto her Google Drive account and deleted all of the files saved there.” On November 1, the employee came into Pfizer’s offices and provided her company laptop and provided access to her personal laptop for forensic review.  

The employee was placed on administrative leave and the subsequent investigation showed that the laptop provided was not the laptop which contained the 12,000 documents, and that the company’s data, data which included COVID-19 research was no longer in their control.

Pfizer acknowledges in their court filings the detection of the theft, and resulting investigation confirmed their findings, and that this employee attempted to dupe them into thinking that their internal documents were not at risk. Pfizer believes its former employee and others continue to possess Pfizer’s information.

Importance of an insider risk playbook

Those who eschew the idea of having a playbook in place will find themselves reinventing the wheel with each insider incident. When it comes to reacting to the discovery that a colleague may have mishandled data, having a process takes the emotion out of the equation.

While the makeup of the mitigation team may vary from company to company including HR, legal, security, IT, and the business unit are table stakes. Equally important to identifying elements of the mitigation team is ironing out defined roles and expectations when an incident percolates to the top and requires handling.

What’s in your playbook?