I'm dealing with a situation involving a senior IT technician who has been with the company for over 20 years. He recently returned from a long sick leave and was found handling some CDs that contained harmful malware (specifically mimikatz), which raised several red flags. After further investigation, it turns out he has been flagged for trying to access a honeytoken device and has various malware files, including a keygen and suspicious system file modifications. While we've scanned his PC, only a VBS script was detected. I'm concerned about whether he unknowingly downloaded these things, or if he's actually been malicious. I want to conduct a proper review with him, but I'm unsure how to approach it and what specific questions I should ask to get to the bottom of this situation.
1 Answer
It sounds like you need to follow your organization's runbook for dealing with these types of issues. If one of your policies is to take clear action when there's evidence of malware, then stick to that. The employee's long tenure doesn't allow him to escape accountability for potential security risks. If you don't have a solid policy already, that's the real problem here, not just this employee.
I see what you mean. If only we had that policy in place from the start!