April 15, 2016

FORCEPOINT FEDERAL FOCUS: CISO, should you be concerned when your employee exports Outlook contacts?

Susan Helmick

By Daniel Velez, Sr. Manager, Insider Threat Operations

This week the Washington Post reported that a former Energy Department employee was sentenced to 18 months in prison after offering to help a foreign government infiltrate the agency’s computer system to steal nuclear secrets and then attempting an email “spear-phishing” attack in an FBI sting operation. The article did not say the former employee exported his contacts from Outlook when he was terminated by the Nuclear Regulatory Commission in 2010, but this is certainly one way he might have accumulated a valuable list of current NRC employees in specific positions in agency programs and operations. According to the 2015 Ponemon report “The Unintentional Insider Risk in United States and German Organizations,” 86% of the U.S. organizations surveyed assessed it likely that their users would fall victim to spear-phishing attempts. The odds were in the former Energy Department employee’s favor that the attack would be effective.

Employees leaving their jobs often take data with them – we are well past arguing that point. An article at PCWorld even suggested that your users could create a “Digital Life Raft” containing contacts, important emails, and recent work files, kept ready in a special folder on their computer desktop in case of a sudden departure from their job. The suggestion does include a warning that employees could prepare it “while respecting your company’s intellectual property rights.” Uh, okay, so should we expect your agency’s employees to be knowledgeable enough to make that decision?

Besides perhaps replacing an agency iPhone or supplying a user with a new laptop, there are few good reasons for a user to run the Outlook import/export wizard and export his/her contacts list to a flat file on the desktop. Do your agency’s risk management plans include looking at these events in context to decide whether this activity is reasonable? The National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs includes requirements for this kind of issue.

There are a few questions to ask first. Are Outlook contacts your agency’s intellectual property? Are LinkedIn contacts trade secrets? Attorneys (and I am not one, and this is not legal advice) across the country continue to explore these issues in the courts, but your agency’s employees are probably not reading legal journals in their spare time to keep track of the developments. So what can you do?

  • Develop a policy. An agency policy on the handling of internal and external contacts might flow down into contracts, non-disclosure agreements, and network interconnection agreements.
  • Train. Educate your users on the policy so they understand the proprietary nature of these contacts and remind them you have a right to audit their use of the agency’s information systems to verify compliance with the policy.
  • Monitor employee compliance with your policies. Tune your user activity monitoring and data leakage prevention solutions to detect policy violations. Can your solutions detect this activity and provide the context necessary to take appropriate action?
  • Take action. Follow through on policy enforcement and don’t forget to feed the results back into your policies, processes, and training. You’re going to find ways to enable your employees to work smarter and safer.
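As an added example of the monitoring step above (not Forcepoint’s code or anything from the article), the Python below flags Outlook writing a CSV or PST into the user’s own profile, which is what the import/export wizard produces, and then rates each hit using HR and service-desk context so a routine device refresh is separated from an export by someone who has just given notice. The event format, the context feed names and the users are all constructed for the example.

```python
import re
# Constructed sample records (not from the article): one file-creation event per line, key=value form.
SAMPLE_EVENTS = """\
time=2016-04-12T09:14:02 user=jdoe process=OUTLOOK.EXE path=C:\\Users\\jdoe\\Desktop\\contacts.csv
time=2016-04-12T09:20:45 user=jdoe process=WINWORD.EXE path=C:\\Users\\jdoe\\Documents\\memo.docx
time=2016-04-12T16:02:11 user=asmith process=OUTLOOK.EXE path=C:\\Users\\asmith\\Desktop\\backup.pst
time=2016-04-13T08:30:00 user=bnguyen process=OUTLOOK.EXE path=C:\\Users\\bnguyen\\Desktop\\contacts.csv
"""
# Constructed context keyed by user; the feed names are hypothetical HR / service-desk fields.
SAMPLE_CONTEXT = {
    "jdoe": {"departure_notice": True, "device_refresh_ticket": False},
    "asmith": {"departure_notice": False, "device_refresh_ticket": True},
}
# The Outlook import/export wizard writes contacts to a flat file: CSV or PST.
EXPORT_EXTENSIONS = (".csv", ".pst")
EVENT_RE = re.compile(r"time=(\S+) user=(\S+) process=(\S+) path=(\S+)")

def parse_events(text):
    """Turn key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(dict(zip(("time", "user", "process", "path"), m.groups())))
    return events

def is_contact_export(event):
    """Outlook writing a CSV/PST inside the user's own profile is the export pattern."""
    path = event["path"].lower()
    return (event["process"].upper() == "OUTLOOK.EXE"
            and path.endswith(EXPORT_EXTENSIONS)
            and path.startswith(f"c:\\users\\{event['user'].lower()}\\"))

def assess(event, context):
    """Rate in context: high after a departure notice, low if a device refresh explains it, else medium."""
    ctx = context.get(event["user"], {})
    if ctx.get("departure_notice"):
        return "high"
    if ctx.get("device_refresh_ticket"):
        return "low"
    return "medium"

def findings(text, context):
    """One finding per detected export, each tagged with its severity."""
    return [dict(e, severity=assess(e, context)) for e in parse_events(text) if is_contact_export(e)]

if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS, SAMPLE_CONTEXT):
        print(f"{f['severity']:6} {f['time']} {f['user']} wrote {f['path']}")
```

The Word document is ignored, the asmith export is rated low because an open device refresh ticket explains it, and the jdoe export is rated high because HR has recorded a departure notice.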

Forcepoint’s 4D approach to security – Defend, Detect, Decide, Defeat – protects your agency against determined adversaries and uninformed or untrained users. Comprehensive solutions that monitor data and human behavior are critical for organizations to effectively detect these kinds of risky activities and to decide if the actions are a threat. Implement some auditing surrounding the handling of email contacts. You may be surprised to discover what your users are doing, and who is about to leave your agency.


Sources:

https://www.washingtonpost.com/world/national-security/former-energy-department-worker-sentenced-in-email-spear-phishing-attempt/2016/04/11/92e32e06-0004-11e6-b823-707c79ce3504_story.html

http://www.cert.org/insider-threat/publications/

http://www.pcworld.com/article/224251/leaving_your_job.html

https://www.whitehouse.gov/the-press-office/2012/11/21/presidential-memorandum-national-insider-threat-policy-and-minimum-stand

https://www.justice.gov/oip/foia-guide-2004-edition-exemption-4

https://www.linkedin.com/pulse/contacts-linkedin-may-considered-trade-secrets-rosana-ortega


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.