8 Recommendations for Managing Insider Risk During Employee Offboarding

GPSG’s Cybersecurity Team recently had the privilege of exploring how to manage insider threat risk during employee termination with Dr. R. Scott Shumate, President of Valutare. Dr. Shumate served in the U.S. Intelligence Community for 28 years and has a doctorate in clinical psychology from the University of Denver. His areas of expertise include Foreign Intelligence operations, Counterintelligence, and Counterterrorism. He also served as a Senior Executive with the Department of Defense in charge of behavioral sciences. Dr. Shumate is the primary architect of Clairvoyance, an early warning insider threat software program that monitors risk by evaluating changes in motivation and context.

The deadly shooting at Henry Pratt Co. in Aurora, Illinois last month reminds us to carefully consider how to manage insider threat risk during employee termination. Although not all employees who are let go engage in harmful actions, it is prudent to evaluate your company’s defensive posture for preventing a physical security incident.

Gary Martin shot and killed five co-workers, including the Human Resources (HR) Manager, and injured five police officers on the day he was terminated. Ironically, Martin’s gun permit had been revoked five years prior after a background check turned up a prior felony conviction, but his gun was not seized by authorities.

Martin’s conviction did not appear in two previous background checks, omissions that allowed him to obtain a FOID card and purchase a gun. Even if Martin was not in the national database for previous criminal activity, what if his direct supervisor or co-workers or suspected an issue? What could have happened differently to save the lives of five precious people?

What Can We Learn from Aurora About How to Prevent Insider Violence?

Martin self-identified an issue controlling his temper to a court psychiatrist in 1995. Perhaps Martin’s team or supervisor saw reflections of that prior to the shooting that could have been reported for investigation.

We may never know what exactly happened in this case or what might have prevented it. However, we can seek to learn from it as we move forward with our insider and security risk management programs.

We lack specific insights into all aspects of the Aurora shooting. However, the tragedy reminds us of the importance of a few critical insider threat risk management areas, including:

Active Shooter Training: Henry Pratt employees followed active shooter protocol during the incident. This type of training may have saved lives at the manufacturing plant that day.

Continuous Screening and Background Checks: A pre-hire background check on Martin 15 years ago did not surface his prior felony conviction. In addition, he was arrested six times over the years for traffic and domestic battery-related issues, among other reasons. Most companies screen new hire candidates before they are offered employment. However, very few companies re-screen employees after onboarding.

Termination Policy & Procedure: Henry Pratt leadership assumed that it lacked protocol for HR to follow when terminating an employee if a situation were to escalate into violence. Establishing and then updating all insider threat policies is a key pillar of a risk management program.

Physical Security: Henry Pratt had security cameras on the outside of the building, but not on the inside. We cannot assume that cameras will deter all actors, but they may be worth considering as an unfavorable behavior deterrent for some employees.

Insider Threat Awareness Training and a Reporting Channel for Suspicious Activity: We lack information on whether the company trained its workforce on what signs to look for and what steps to follow if they witnessed a team member exhibiting concerning behavior. In addition, an anonymous reporting channel provides employees that might not otherwise report suspicious behavior the opportunity to serve as the company’s first line of defense for insider threat risk.

Managing Risk During Employee Termination

There are multiple best practices for managing insider threat risk. However, the following actionable recommendations are specific to managing risk during employee termination.

1. Develop and/or Review Your Termination Procedure: How will you communicate the termination procedure company-wide? Ensure that HR, senior leadership, and the firing component are communicating and working from the same checklist. For example, who will ensure that IT turns off the employee’s computer accesses? Who will be responsible for ensuring that the employee returns any badges, keys or company property (e.g., laptops, mobile phones)? Who will ensure that badge accesses are terminated?
2. Train Termination Stakeholders: After your company’s termination procedure is up to date, provide training for stakeholders to rehearse their response if a situation turns violent when firing an employee. This ensures that all parties are on the same page and helps individuals understand what their role is to deter or de-escalate a violent situation.
3. Demonstrate Compassion: Be respectful when terminating an employee. Oftentimes, management has several people in the room when they fire someone. Situation dependent, it may be easier for the employee to be placed in a less face losing position by having fewer people in the room. Pre-termination leadership discussions should include all relevant stakeholders. However, the termination meeting itself may not require each stakeholders’ presence.
4. Provide a Dedicated EAP Representative: It is important not to have EAP in the termination meeting. Rather, EAP should be available immediately afterward. This allows the employee to vent and explore next steps for moving forward. Let the former employee know that EAP will follow-up with them to see how they are doing. This provides company leadership insight on how the former employee is doing and contributes to the overall risk assessment. In addition, offer the terminated employee counseling and services (e.g., resume writing, outplacement services, etc.) to help them find another position.
5. Conduct an Insider Threat Risk Assessment and/or Use a Risk Assessment Tool: Ensure that an assessment includes an objective review of insider incident management during termination procedures. An assessment also helps your organization identify any gaps in physical, human, technology, or process controls and provides actionable recommendations for managing insider threat risk. Tools should provide insights on the likelihood that an employee may engage in violent behavior leading up to, during, or post-termination. In addition, risk assessment tools that consider employee motivation (e.g., Clairvoyance) may provide early warning that allows for detection and intervention before violence occurs.
6. Take Additional Physical Security Measures: Consider changing vehicle parking placards, door lock combinations, or badges. Monitor outside the workplace area for casing behavior by former employees, especially those that were terminated. Frequently, employees that are upset will demonstrate repeated approach behavior before they follow through with an event. Depending on the size of your organization and security budget, issue new, distinct badges to all employees every two years. This is an alerting indicator if a former employee attempts to gain entry with an out-of-date badge.
7. Seek Updates on Post-Termination Progress: Let the former employee know that EAP will follow-up with them to see how they are doing with forward progression. Further, train your leadership team on what to look for from co-workers who were friendly with the terminated employee. It is likely that there will be one or more current employees that remain in contact with the former employee will openly share insights on the former employee’s adjustment.
8. Remain Alert Post-termination: Remain alert for two years post- termination. A growing body of research suggests that 60 plus percent of individuals are able to adjust within 18 months to emotionally to evocative situations that are perceived as traumatic. However, since there have been workplace violence incidents with employees who were terminated close to two years earlier, we recommend that employers remain vigilant for two years post-termination.

Insider Threat Risk Involving Termination Requires A Multifaceted Approach

Insider threat risk management must be considered leading up to, during, and after an employee is terminated. These tips may not mitigate employee termination risk entirely. Rather, they serve as a launching point for discussion with your leadership team for establishing or updating your employee termination procedures.

Connect with us today at cyberteam@gpsg.co for a free consultation on insider threat risk strategy and executive table top training for insider incident response.