Insider threats in cyber security: What happens when employees leave?

March 15, 2021
By: Chris Hardee
Last updated: March 22, 2024

What happens when an employee leaves your organization? Learn how to avoid insider threats by always staying aware of your users' activity.

What happens when an employee leaves your organization? They may have followed the rules and submitted their two weeks’ notice. Then comes a two-week period in which they still have access to your systems. In that period, these employees have likely talked to competitors that would love to get their hands on your intellectual property.

This was the topic of Insider Threats and Insider Risk Management, a Q&A session with Raman Kalyan, Director of Product Marketing at Microsoft, and Erin Miyake, Senior Program Manager, at Microsoft Ignite 2021.

Insider threats are challenging to track

The employees may have heard over the grapevine that there is detection in place for people trying to steal documents. However, they know they want the documents and are willing to risk detection. They might take sensitive files from SharePoint or a file share. They rename them to something innocuous like “Softball schedule” and then proceed to exfiltrate the files. However, they consider themselves clever (you sly dog), so they email one per day and print another. Upon completion, they delete the files from their computer so no one will be able to trace what they did, or so they think.

These types of insider threats are intentional, methodical, and hard to detect. The employee is strategically picking the files they want to download and exfiltrate. They vary the channels using Dropbox, AWS, email, and printing. They believe each instance is not concerning, and admins won’t detect the pattern.
Their strategy is to leak the information slowly. Traditionally, this type of slow process would be hard to detect.

How to prevent risky behavior in Office 365

You need to gain visibility into independent but related activities and then sequence the activities on a set of files to get insight into the user’s intent. You also need a way to address these insider threats promptly (preferably before the person leaves).

One way to do this is to create a new policy when someone leaves. Using the audit logs already in your tenant, you’re able to look back in time and see what was going on weeks or months before the person left.

Now, Insider Risk Management offers Active Directory integration with alerts from a Data Loss Prevention (DLP) policy. Traditionally, it was challenging to set up a DLP policy. But now, Microsoft has added a built-in triggering event so you can kick off the policy wizard and set up the procedure with five clicks. This will scan your environment, detect a risky exfiltration, and activate the scoring for that policy.

You can also use SysKit Point, a governance and security tool, to set up custom security alerts. You can fine-tune the alerts to show you the actions of specific people, such as former employees.

Sometimes, you need visibility into things that occur outside of your tenant. For this, you have Microsoft Cloud App Security (MCAS). MCAS gives you visibility into third-party cloud signals. For example, it can track failed logins to a third-party web service like Amazon’s AWS. It can then track files that are taken out of SharePoint. Even if the employee renames the files and then sends them to Dropbox, it can track them. It allows you to put the pieces together and then take action.

Together, MCAS and Insider Risk Management can show you the value of correlating multiple seemingly independent events. You can then piece together several different events and recommend action to the person who needs to make a decision.
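
The sequencing described above, as an added example (not code from the article, Microsoft, or Syskit): it groups one user's activity by original file, follows renames, and summarizes which channels were used inside a lookback window that ends on the departure date. The event records, action names, and function names are constructed for illustration and do not follow the Microsoft 365 audit log schema.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records (hypothetical layout): (day, user, action, file name, new name on rename)
EVENTS = [
    ("2021-03-01", "alice", "download", "Q3-roadmap.docx", None),
    ("2021-03-01", "alice", "rename", "Q3-roadmap.docx", "Softball schedule.docx"),
    ("2021-03-02", "alice", "email", "Softball schedule.docx", None),
    ("2021-03-02", "alice", "delete", "Softball schedule.docx", None),
    ("2021-03-03", "alice", "download", "pricing.xlsx", None),
    ("2021-03-04", "alice", "print", "pricing.xlsx", None),
    ("2021-03-05", "alice", "download", "customers.csv", None),
    ("2021-03-05", "alice", "rename", "customers.csv", "recipes.csv"),
    ("2021-03-06", "alice", "cloud_upload", "recipes.csv", None),
    ("2021-03-06", "alice", "delete", "recipes.csv", None),
    ("2021-03-03", "bob", "download", "team-notes.docx", None),
    ("2021-03-03", "bob", "email", "lunch-menu.pdf", None),
]
EXFIL = {"email", "print", "cloud_upload"}  # channels that move data out

def sequence_user_activity(events, user, last_day, lookback_days=90):
    """Order one user's events by day and group them per original file, following renames."""
    start = last_day - timedelta(days=lookback_days)
    alias = {}                  # current file name -> original file name
    chains = defaultdict(list)  # original file name -> ordered actions
    for day, who, action, name, new_name in sorted(events, key=lambda e: e[0]):
        if who != user or not (start <= date.fromisoformat(day) <= last_day):
            continue
        origin = alias.get(name, name)
        if action == "rename":
            alias[new_name] = origin  # later events on the new name join the same chain
        chains[origin].append(action)
    return chains

def risk_summary(chains):
    """A file counts only if it was downloaded and later left through an exfil channel."""
    exfiltrated, channels, concealed = [], set(), 0
    for origin, actions in chains.items():
        if "download" not in actions:
            continue
        after = actions[actions.index("download") + 1:]
        used = EXFIL.intersection(after)
        if used:
            exfiltrated.append(origin)
            channels |= used
            concealed += "rename" in after or "delete" in after  # cover-up step seen
    return {"files": sorted(exfiltrated), "channels": sorted(channels), "concealed": concealed}

print(risk_summary(sequence_user_activity(EVENTS, "alice", date(2021, 3, 15))))
```

Each of the sample events looks routine on its own; the summary only becomes notable once they are sequenced per file, and a short lookback window sees only the tail of the pattern.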

When HR and legal work together

The new HR connector allows Insider Risk Management to know the resignation and termination dates for employees. HR can also share other disgruntlement indicators like performance improvement plans and poor performance indicators.

By collaborating with HR and legal, security personnel can look at insider risks through a different lens. HR can help ensure the proper security precautions do not negatively impact the morale of the company or hinder the company culture. You can also work with your legal department to ensure you follow employment law while protecting your organization’s valuable intellectual property.