Posts Tagged ‘insider threat’


Part II: Model Employee = Insider Threat?

Posted by: Rachel James | June 5th, 2009

In the first part of Model Employee = Insider Threat? I touched on different red flags that “model” employees exhibit that may actually indicate an insider threat. Focusing on the new survey by CareerBuilder that indicated the number of employees who are not taking vacation time this year is increasing, I tried to highlight the security problems associated with that trend.

In this installment, I would like to focus on the study that indicates 60 percent of employees who quit a job or are asked to leave steal company data, and talk a little more about high risk “model” behavior, and what companies can do to protect themselves. This risky behavior is just as likely to be exhibited just prior to a departure as during normal daily business.

One of the most common phrases an incident response team will hear with regard to a data breach is, “He was a star performer, so he was above suspicion and became irate when questioned.” Star performers should never be above suspicion, and anger or a quick temper can indicate deeper stress and strain, which should be examined as a potential red flag. Here are some additional indicators of employee stress or strain that may lead to an insider compromise:

  • Long hours and lack of vacation could indicate financial troubles. Changes in lifestyle, such as cars and clothes, may indicate these difficulties. This may be evidence of a gambling or debt problem, or a reflection of the funds they are stealing.
  • Suddenly working from home, working strange hours, or working remotely. These can all be indicators that an employee is trying to shield their activities from coworkers and managers, or that they are under some sort of strain. An example: an employee set up a VPN for legitimate employees which the IT department was unaware of until it was used during an exploit three months after the employee was terminated.
  • Volunteering for work. I talked about this briefly in the first part of this discussion, but there are further considerations. Volunteering to finish other employees’ projects or work can lead to username, password and access sharing, violating least privilege, separation of duties and account controls in such a manner that IT would most likely not be alerted. Additionally, budget cuts may mean chronic under-staffing, which can add undue stress and corner-cutting in this area.
  • Cultural differences can make it difficult to recognize behavior indicators. More and more IT functions are outsourced, and our workforce in America becomes increasingly culturally diverse. Differences in behavior patterns, concepts of ownership and compensation may all create unique problems in identifying and addressing insider threat.

It is important to realize that insider threats are not just a people problem, but a technical problem as well. There are certain controls and best practices that you can follow to help identify and address threats and minimize your organization’s risk.

  • Exercise extra caution with system administrators and technical or privileged users. The actions of these users must be examined using a checks and balances procedure and separation of duties policies.
  • Use append-only controls to track changes
  • Establish baseline system configurations
  • Enforce account management policies and review systems periodically to confirm appropriate configurations
  • Update and review roles, accounts and permissions regularly and when roles or positions change
  • Periodic security awareness training for the whole staff
  • Log, monitor and audit employee online accounts
  • Investigate repeated attempts to access blocked applications, websites or privileges
  • Back up data regularly
  • Develop an insider incident response plan
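
Two of the controls above, reviewing accounts when positions change and investigating repeated attempts to reach blocked resources, can be checked against access logs. The following is an added example, not part of the original post; the log format, account names, termination record and threshold are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import date, datetime

# Constructed HR offboarding record: account -> last day of employment.
TERMINATED = {"jdoe": date(2009, 3, 2)}

# Constructed proxy/VPN log lines: timestamp, account, action, resource.
SAMPLE_LOG = """\
2009-02-27T23:41:10 jdoe ALLOW vpn-gateway
2009-06-04T02:13:55 jdoe ALLOW vpn-gateway
2009-06-04T09:01:12 asmith DENY payroll-db
2009-06-04T09:01:40 asmith DENY payroll-db
2009-06-04T09:02:05 asmith DENY payroll-db
2009-06-04T10:15:00 bwong DENY webmail.example
2009-06-04T10:20:00 bwong ALLOW intranet
"""

DENY_THRESHOLD = 3  # assumed policy: this many denials of one resource warrants review


def parse(log_text):
    """Yield (timestamp, account, action, resource) from whitespace-separated lines."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        ts, account, action, resource = fields
        yield datetime.fromisoformat(ts), account, action, resource


def audit(log_text, terminated=TERMINATED, threshold=DENY_THRESHOLD):
    """Return (post_termination_events, repeated_denials) for an analyst to review."""
    post_term, denials = [], Counter()
    for ts, account, action, resource in parse(log_text):
        last_day = terminated.get(account)
        # Any activity by an account after its owner's last day means it was never disabled.
        if last_day and ts.date() > last_day:
            post_term.append((account, resource, ts.isoformat()))
        if action == "DENY":
            denials[(account, resource)] += 1
    repeated = {key: n for key, n in denials.items() if n >= threshold}
    return post_term, repeated


if __name__ == "__main__":
    stale, repeated = audit(SAMPLE_LOG)
    for account, resource, when in stale:
        print(f"REVIEW: {account} used {resource} at {when}, after termination")
    for (account, resource), n in repeated.items():
        print(f"REVIEW: {account} was denied {resource} {n} times")
```
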

Again, this is both a people and a technical problem. Many companies are introducing new policies or benefits to help relieve the stress and strain during this difficult economic time. Offering employee assistance benefits that include debt relief counselors, flexible payday borrowing, carpool and mass transit benefits, addiction support group access and legal aid are all methods that have become popular among large companies. Even acknowledging stress in a meeting and restating an open door policy may be enough to encourage a distressed employee to ask for help, instead of helping themselves to your company’s profits.

Learn more about insider threats from U.S. Security Awareness.

Model Employee = Insider Threat?

Posted by: Rachel James | June 3rd, 2009

Today, I read a survey by CareerBuilder detailing the new statistics regarding employees and vacation time. A quick rundown:

  • 35% of workers are not taking a vacation this year
  • 71% of those say they can’t afford it
  • One in five workers said they are either afraid of losing their jobs if they go on vacation or feel guilty being away from the office
  • Half (50%) of employers say they expect employees to check in with the office while they are away

Several blogs and articles have discussed the increasing reluctance of employees to take vacation time, even if it is mandatory. While reading these articles, I can’t help but notice a lack of discussion about the security implications of this.

Internal investigators will tell you that an employee refusing to take vacation time, or refusing to take a large amount of time at once, can be a red flag. Why? An employee committing embezzlement, fraud, stealing data or otherwise manipulating books or records needs to have continuous control over those systems to maintain the theft and avoid being caught.

In fact, many aspects of what we consider to be “model” employee behavior can actually be a red flag:

  • Volunteers often for new projects and duties, particularly in security, finance, or record keeping duties. Often these duties, like processing receipts for reimbursement, are the least desirable duties. After a few volunteer projects, a manager might find that least privilege and separation of duties policies are being circumvented.
  • Early in, late out. First in and last out employees have access to files, computers and offices with little or no security or monitoring measures. The employee offering to make coffee in the morning may be up to something more than making sure the office is perky.
  • Constantly remaining in touch while on vacation, doing work while on vacation, and working overtime before and after vacation. These may all be attempts at communicating with someone in collusion with the fraud, or at maintaining control over the work product. If your employee insists that he or she completes all work before going on vacation instead of handing over the materials to another employee, this could be cause for concern.

You can see that many people would exhibit this behavior normally during a time of economic crisis when they are particularly concerned about job security. This is why it is important to have a good vacation policy, regular internal audits and reviews, and strict separation of duties and least privilege policies. Managers and executives can set a good example by taking their vacation time in large chunks, and remaining truly on vacation. Encourage employee work-life balance and well-being, and insist that they really “leave the office behind” while on holiday. Not only will you have happier and more productive workers, but you can avoid a simple security pitfall in the process.

I would like to say a special thanks to Mark Warner, who spoke on these issues at the Oregon Chapter of the Association of Certified Fraud Examiners lunch meeting in Portland, OR, in March 2009.