7 Tips to Avoid Data Theft by Ex-Employees

By Pierre Dehombreux, Director of Information Technology, Whiteriver Unified School District

Disabling the user accounts of fired employees right after their dismissal does not guarantee they won’t break through your defenses. For example, they can bribe friendly and perhaps sympathetic former colleagues — who are still current employees with legitimate data access — to help them steal your data. If you are an IT director, your boss will most likely say you are to blame for letting suspicious activity go unnoticed. This is exactly what occurred in my case. Is there a way to prove your innocence, save your job and prevent such incidents from happening in the future? Let me share my story.

Here’s what happened

At the beginning of the school year, one of our teachers came to my office with some disturbing news: another school, which is 30 minutes away, was using exactly the same curriculum maps (syllabuses) as we do, for every single subject. It was obvious that someone had stolen our teaching plan for the whole school year.

Such an incident is a nightmare for any school district. State standards require every school to come up with an authentic curriculum for all subjects in the run-up to the new academic year. It is like a business plan — it contains detailed teaching materials, learning strategy, assessment criteria and so on. In fact, our teachers spend most of their summer preparing our new curriculum, so it’s natural for them to be upset when others take advantage of their hard work. But there are bigger consequences: curriculum maps are trade secrets in the education industry, and their theft by current employees for profit gives the competing school they sell them to an unfair advantage, and also calls into question my competence as an IT director.

Houston, we have a problem

Soon I was standing on the carpet of the superintendent — essentially the CEO of Whiteriver Unified School District. No surprise, he was ready to fire me because I am the one who is responsible for securing the data at our school. Luckily, restoring my reputation was a matter of a couple of clicks.

I opened the software solution that I use to monitor activity across the network and generated a report on data access trends for the file share where the curriculum maps are stored, so I could see who had been accessing them and what actions they performed. I quickly spotted an unusual spike of activity: Within the space of just 3–5 minutes, two teachers had accessed all the documents they could reach on that file share. I realized that I had probably just fingered the attackers.

With this clear evidence at hand, it was not hard to explain to the superintendent that these two insiders had most likely committed the crime, and then to get a confession from them. They admitted that two other teachers, who used to work at our school and then left for the neighboring school, gave them money in return for copies of the curriculum maps, so they could use these strategic plans in their new positions. And since they had used only their legitimate access rights, it was clear that I had not been remiss in my duties by allowing, for example, an outside attacker to breach our network and steal the data unnoticed.

7 Tips to Pin up on the Board

Though the 2 ex-employees orchestrated the data theft, they did not act directly; instead, they paid insiders to carry out their scheme. Here are 7 key tips that will show you how to mitigate the risk of employee data theft.

Tip #1. Know where your sensitive data resides. By staying aware of which data is sensitive, and which data might become sensitive, you can know which parts of your infrastructure require particular attention.

Tip #2. Enforce the least-privilege principle. Giving people the fewest access rights they need to do their jobs is a well-known best practice that really works. It reduces the risk of data misuse by insiders and complicates the task of data theft for outside malefactors, who might have to bribe a lot more people to get the data they want, increasing the odds that they will be caught. Remember the old adage, “Three may keep a secret, if two of them are dead.”

Tip #3. Continuously review activity around critical data. With visibility into user actions across the IT environment, you can unmask data theft in its early stages. After this data theft by rogue insiders, I began reviewing user activity daily, and it has already helped me prevent data misuse. For instance, one of our higher-level employees with broad permissions recently copied a large number of files onto a USB stick. With the solution for user activity monitoring, I detected the bulk copying activity the same day. I reached out to him directly, deleted the files from his USB and explained our security policies to him once again.

Tip #4. Analyze user behavior. However, just reviewing activity is not enough. To detect misuse as early as possible, I started using the software solution to also facilitate behavior anomaly discovery and alert me about risky actions by potentially malicious actors. For instance, I was able to quickly set up a custom alert that notifies me any time a user exceeds the number of sensitive file reads I find worrisome.

Tip #5. Communicate and enforce clear security policies. At the beginning of each school year, I explain our security policies to all teachers and other staff who deal with important data, so they know how to work with it properly. I make sure to stress that their level of access requires the highest level of responsibility and accountability. I also articulate the consequences of data misuse, such as reprimand, dismissal and even lawsuits. Do not forget to include your senior management and board. Because they typically have broader access to your organization’s files and sensitive data, their accounts are appealing targets for hackers and their departure (friendly or unfriendly) from the organization poses a much higher risk.

Tip #6. Validate your backups. In addition to stealing data, departing employees sometimes also damage or delete the original files. Therefore, it is critical to take proper backups and keep them safe. In our school district, apart from doing regular offline and online backups, we continuously monitor access to the backup files to make sure there is nothing malicious going on that can leave us vulnerable if anyone deletes, encrypts or otherwise tampers with our data.

Tip #7. Have a proper off-boarding process. The greatest victory is the one that requires no battle, so our school carefully follows effective user termination best practices to cut off avenues that departing employees might otherwise use to steal data. When my team receives an approved resignation or termination document from HR, we immediately disable the ex-employee’s account in Active Directory; each quarter, we delete all the disabled accounts. If an employee is known to be disgruntled, I either disable his account before the actual termination or keep a close eye on his activity the day when he is scheduled to be fired.
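
The threshold alert described in Tips #3 and #4, and the access spike that exposed the incident above, can be expressed as a sliding-window check over file-access audit records. This is an added example, not the author's monitoring product or its configuration; the log format, user names, share path and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (time,user,action,path); not real data.
SAMPLE_LOG = """\
2024-08-12T09:00:05,teacher_a,read,/share/curriculum/math.docx
2024-08-12T09:01:10,teacher_a,read,/share/curriculum/science.docx
2024-08-12T09:02:20,teacher_a,read,/share/curriculum/english.docx
2024-08-12T09:03:30,teacher_a,read,/share/curriculum/history.docx
2024-08-12T09:00:50,teacher_b,read,/share/curriculum/math.docx
2024-08-12T09:01:40,teacher_b,read,/share/curriculum/science.docx
2024-08-12T09:02:45,teacher_b,read,/share/curriculum/english.docx
2024-08-12T09:04:15,teacher_b,read,/share/curriculum/history.docx
2024-08-12T10:00:00,teacher_c,read,/share/curriculum/math.docx
2024-08-12T10:01:00,teacher_c,read,/share/curriculum/math.docx
2024-08-12T10:02:00,teacher_c,read,/share/curriculum/science.docx
2024-08-12T10:03:00,teacher_c,read,/share/curriculum/math.docx
2024-08-12T08:00:00,teacher_d,read,/share/curriculum/math.docx
2024-08-12T10:30:00,teacher_d,read,/share/curriculum/science.docx
2024-08-12T13:00:00,teacher_d,read,/share/curriculum/english.docx
2024-08-12T15:30:00,teacher_d,read,/share/curriculum/history.docx
"""

def detect_read_bursts(log_text, prefix, max_files, window):
    """Map each user to (burst_start, distinct_files) the first time they read
    more than max_files distinct files under prefix within window."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, path = line.split(",", 3)
        if action == "read" and path.startswith(prefix):
            events.append((datetime.fromisoformat(ts), user, path))
    recent = defaultdict(deque)  # user -> (time, path) events still in window
    alerts = {}
    for ts, user, path in sorted(events):  # records may arrive out of order
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}  # re-reads of one file count once
        if len(distinct) > max_files and user not in alerts:
            alerts[user] = (q[0][0], len(distinct))
    return alerts

ALERTS = detect_read_bursts(SAMPLE_LOG, "/share/curriculum/", 3, timedelta(minutes=5))
for user, (start, n) in ALERTS.items():
    print(f"ALERT {user}: {n} distinct curriculum files read from {start}")
```

Counting distinct files rather than raw read events keeps a teacher who repeatedly reopens one document (teacher_c) or works through the share over a full day (teacher_d) from triggering the alert.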

Ex-employees know your IT infrastructure and staff, as well as your strengths and weaknesses, so well that they can turn your life into a horror story. Though there is no way to completely nullify the threat of fired employees, by taking these 7 tips to heart, you can dramatically reduce the chances that their schemes will succeed.

Director of Information Technology at Whiteriver Unified School. An IT professional with more than 19 years of experience. Pierre holds MCSE and CISSP certifications. In the Netwrix blog, he describes issues he has faced in his work, such as a ransomware attack, data theft and malicious insider activity, and shares the lessons he learned from them.