5 things to do after your employee has gone rogue

Insider threats to businesses can be greater than those from the outside.

A survey recently conducted by Imperva showed that 39% of surveyed companies had experienced security incidents involving malicious employees in the past 12 months.

It is obviously essential for businesses to prevent any loss of data and to proactively take steps to protect their information.

However, the explosion of data, increasing use of technology systems and the threats to those systems becoming ever more varied, sophisticated and difficult to predict mean that it is no easy task – especially as employees can have access or information enabling them to side step procedures put in place to combat cybercrime.

>See also: Why organisations are getting cyber security so wrong

If you discover that you are a victim of a rogue employee and suffer data loss, there are a number of steps that you should do, immediately. Below are some top tips:

Stop any further loss of data/information

Whilst the damage may well already have been done, as a first step you should take action to ensure any ongoing leak is stopped and to protect any other information from being lost.

This may be technical or practical. However, in carrying out such action it is important to ensure that you have preserved evidence, digital and physical, such as by imaging servers, PCs and any relevant devices for use in subsequent litigation.

Engage the company response plan Bring together the response team if you have already put these in place in preparation for incidents.

If not, establish a task force or team who will be charged with the immediate response to the data loss, as well as its subsequent investigation, remediation and evaluation.

>See also: How common is insider misuse?

The team should include a nominated lead with authority to take key decisions.

It should also include individuals from across the company to ensure all parts of the business impacted by the data loss are sufficiently represented, as well as your information security and fraud officers, if you have them.

Legal advisers

Whether in-house or external, legal advisors are likely to have a key role on the team in terms of advising on next steps.

If action is required to recover and restrain the use of any lost data, then you should take urgent legal advice about obtaining an appropriate injunction as any such action, if pursued, must be taken without delay.

Involving legal advisers also can help documents that may be subsequently created attract legal privilege, which can protect those documents from disclosure, which could be useful in the event third parties ask to see them.

Where an employee has gone rogue, it is likely that your objectives will include disciplining that individual and potentially dismissing them from the company.

>See also: How to prevent the most dangerous cyber threat: insider attacks

However, it is important to take specialist employment law advice to ensure appropriate steps are taken to avoid giving the employee any procedural basis for claiming unfair dismissal or breach of their rights – regardless of the fact that you are the victim.

Consider whether any insurance policies may respond

In the immediate aftermath of an incident, a lot can be happening and the focus tends to be on the breach and mitigating the consequences.

Insurance policies may exclude intentional acts or only cover acts by certain individuals, such as members of the senior team.

However, if you have insurance that may be helpful it is important to check the terms early to ensure appropriate steps are taken to preserve any claims, for example by complying with the provisions regarding notifying insurers.

Manage information flows

Consider up-front who should receive information and share information on a need to know basis. This can help to preserve legal privilege in documents.

It is also important not to tip off others who may take advantage of the situation or potential weaknesses in your organisation’s infrastructure or procedures whilst you are in the process of addressing them.

Remember, internal and external threats do not go away whilst you are responding to an incident.

>See also: The 2016 cyber security roadmap

On the contrary, they can be greater or have a greater prospect of causing damage as attention is diverted to the incident and away from day to day activity.

Bear in mind any legal or sector requirements to report breaches and the time limits

Currently only communications providers are under a mandatory legal obligation to report personal data breaches within 24 hours.

However, this is set to change in 2018 with the prospect of the General Data Protection Regulation (GDPR) coming into force and the implementation of the so called Cyber Security Directive.

There may also be sector specific requirements and in any case the appropriate course of action, and the other individuals and third parties that should be notified, if any, needs to be considered on a case by case basis.

>See also: How to boost employee awareness in the age of the insider threat

All businesses should bear in mind that the time to identify and contain the data breach affects the cost to the business (2016 Cost of Data Breach Study by the Ponemon Institute).

It is obviously better to stop it happening, but it pays to be prepared and respond quickly.


Sourced by Helen Davenport, director, Gowling WLG

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...