Teachable Moment: An Insider Threat on Your Team

No manager or executive wants to receive a phone call informing them that a team member has engaged in suspicious activities that require a security investigation. But that’s just what happened to Code42’s vice president of portfolio strategy and product marketing, Mark Wojtasiak. Code42’s internal instance of its insider risk management toolbox discovered that a member of Wojtasiak’s team, who had recently given notice, had downloaded inside information to an unauthorized device.

Insider Discovered

Standard operating procedure for the insider risk management program at Code42 is to review a departing employee’s internal digital activities for the previous 90 days, Wojtasiak explained in a December 2021 interview. The purpose of the review is to determine if the departing individual “introduced any risk” to the company. That potential risk could take any number of forms: the collection of sensitive information, for example, or otherwise acting in a manner that falls outside the established parameters of the employee handbook or code of conduct.

In this instance, the review showed that this individual downloaded sensitive files from the company’s Salesforce instance to an “unmanaged device” the week before their resignation date.

Once the download was discovered, the internal process, which included personnel from infosec, HR, legal and Wojtasiak’s business unit, swung into action. This process included briefing the business unit on the situation and pulling together information and documentation about what was known and unknown, followed by an interview with the individual. The individual acknowledged they had downloaded the Code42 customer list from Salesforce and saved the list to an external device, one which was not managed by the employer. The individual was fully cooperative with the investigation and made their laptop and the offending device available for investigation. The individual also attested that the copies they’d downloaded were the only ones made. The employee departed, and Code42’s CEO had a chat with the CEO of the employee’s new company to let them know that the event occurred and how it was handled.

Teachable Moments

While the discovery of the insider by Code42’s own tools is sufficiently noteworthy by itself, Wojtasiak shared how the incident served as an opportunity to review internal processes and procedures surrounding access to sensitive data. In this instance, the incident revealed that any employee could exfiltrate customer lists from Salesforce. This prompted the IT team to review their current controls and make recommendations to the business unit on how to avoid a repeat of the event.

Wojtasiak’s main takeaway from the event? Every experience provides teachable moments and opportunities to learn and grow.

In this case, lemonade was made from lemons: the company not only successfully addressed an insider’s malevolent actions, but was also able to adjust its internal business processes and mitigate a previously unknown (or unrecognized) risk. The event also served as a reminder that new employees may bring with them the intellectual property of a former employer; in that case, an ethical organization should forbid the introduction of this type of IP during onboarding.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit Senior Online Safety.
