Insider Threat: How to Protect Your Business from Your Own Employees

May 11, 2018 by David Balaban

It is trite to write that a company's data and customer base are the main assets of any business in the 21st century. However, these assets are still treated carelessly: a sales manager can steal part of the database and sell it, and may well sell himself along with it. Corporate security is limping on both legs. This is happening all over the world, from London to Sydney. Employees and insiders take their revenge, profit from other people's data, or simply harm their former bosses for reasons of their own. The frequency of such events should make us stop, think, and sketch out a Plan B.

How much is your data worth?

"Well, we have a total of 2000 customers in our database, what a value!" and "C'mon, who the heck needs it?" are the common answers to this question.

Let's take the example of a transportation company with 2000 customers. Statistics say that winning a client in this niche costs 98 dollars, so the company has invested 196,000 dollars in acquiring those customers, on top of customer service and retention costs. Then the company's manager resigns and takes the client base to a competitor (the competitor has, after all, been looking for an employee with "business contacts," right?). For as little as a monthly salary, the competitor gets a warm client base; a discount or a bonus for those clients is enough to win their loyalty.

Who is guilty here? The salesman? A sysadmin? No, the owner is guilty: he did not invest in protecting the most valuable asset of his business, the customer base. (Or the second most valuable asset, since someone will say that the most valuable asset is the people.)

Now imagine what is happening in large companies; they are far more vulnerable because of more intense competition, more professional employees, and more "tasty" data. Companies of every scale spend millions on perimeter security and IT infrastructure protection, yet they overlook one of the most insidious threats: the theft of their valuable internal commercial information by their own employees.

Data theft and corruption by corporate insiders is a big problem that needs to be prepared for. Biscom found that 85% of employees have access to documents and information they created themselves, and 30% have access to data they did not create personally. In startups, which are usually very vulnerable because of their new ideas and their first valuable clients, the statistics indicate a high degree of connivance: 25% of employees have access to source code and patent applications, 35% have access to the customer base with customers' names, phone numbers and e-mails, and 85% have access to (and keep copies of) strategic documents and key business presentations. At the same time, 20% of employees openly stated that they are likely to take data and give it to competitors under negative circumstances such as being fired, and 90% noted that the main reason for data theft during dismissal is the lack of policies and technologies to protect information. Also, practically every company has a system administrator (in-house or outsourced) who has full access to absolutely all corporate data.

Who are they?

So, who are these corporate data thieves? In fact, anybody: hackers, competitors, and so forth. However, the main role in the theft of corporate information is, of course, played by insiders.

Some hold the opinion that system administrators are most often to blame. There is one catch, though: yes, a sysadmin can inflict the heaviest technical damage and do it in the most sophisticated way, but it is usually a businessman or salesman who sells the data to competitors or on the open market. Salespeople know better what to sell and who needs this information, which data is interesting to external parties, and which is just a worthless set of figures.

So, in the end, the financial damage from a system administrator is not so great (especially if you have backups, for example made by another administrator, an outsourcing company, a vendor, or the general manager himself).

Insiders are not necessarily current employees who turn up at work at 9 am every day. They also include former employees, relatives of current ones, partners, employees in distant branch offices, customers with access to information, contractors, suppliers, consultants, and coaches. Moreover, they can be employees of absolutely any level, from top managers to junior tech support reps. In general, your insider is anyone who directly or indirectly has access to the client base, reports, or financial information.

Harold Thomas Martin stole six valuable documents and computer code from the US National Security Agency (NSA). Martin worked for Booz Allen Hamilton, a consulting firm that provides services to and supports the NSA infrastructure. By the way, Edward Snowden once worked there as well.

The Verizon 2017 Data Breach Investigations Report (DBIR) reveals interesting statistics on cybercrime. Apart from APT or super-hacker intrusions and the old but effective DDoS attacks, there are plenty of problems with passwords, suspicious email attachments, imprudence, and physical theft. 61% of all recorded breaches occurred in companies with fewer than 1,000 employees. That is logical: hacking or bribing someone at a small business is ten times easier than someone at, for example, a large retail chain, and the customer base can still be sold at quite a good profit.

Signs that should alert you

There is a set of indicators that signal that something has most likely gone wrong.

  • Mass export of information about customers and leads in any form: abnormal copying to external media, printing, sending large volumes of email or unusually large emails, copying to cloud storage, etc. Such behavior can typically be found in the logs of the CRM system and in IT monitoring systems.
  • A decline in work activity. An employee who knows he will soon leave the organization tends to slow down quite a bit in his last days at work, since he knows that all the deadlines and reports for the current month will be dealt with after he has left the company.
  • "Putting things in order" on the workstation and in network folders. If an employee who has never shown zeal for cyber-cleaning suddenly starts tidying up files, copying the work he has done, removing important documents and disabling access to his shared folders, he is preparing to quit very soon.
  • Sudden, unusual and unmotivated long hours and turning up at work on weekends. If an employee has almost never worked beyond office hours and suddenly starts lingering at work or asking for access to the office on the weekend, it is worth keeping an eye on him.

How can data slip away?

Data does not always flow away because of malicious intent, but most often one has to assume the worst. Here are the three main routes by which data leaves the company's servers.

  1. Accidentally. Today, in the course of his work, every employee deals with a dozen resources and tools: network storage, devices, clouds, corporate systems. It is impossible to track where every file goes. Such leaks are often harmless: the data is either lost or ignored by a decent former employee.
  2. A false understanding of ownership rights. The employee thinks that everything he has belongs to him. This very common judgment lies at the root of most problems. What is usually quickly forgotten is that workers were hired to do this job and are paid a salary for it.
  3. Evil intentions: an insider finds a way to harm the company and steal data out of revenge, because he is switching to a competitor, out of a desire to blackmail the CEO, etc. As a rule, such actions end up in court. By the way, dear employers, remember: if you have hired a manager who brought a customer base from their previous job, expect that they will let you down in the same way.

An unpleasant story is associated with a luxury plastic surgery clinic in Beverly Hills. The famous surgeon Zain Kadri hired an employee who first worked as a driver and translator and then moved on to working with data and phone calls. The employee took smartphone photos of patients' medical records and credit card information. She also took unethical photographs of patients before and during surgery. The case is still under investigation. The now ex-employee claims that she was motivated by revenge, but there is a version in which the case had to do with unfair competition.

It has happened. What should you do first?

If a data leak has occurred, the main thing is to remain restrained, reasonable and as prompt as possible.

  • Prepare a plan for how you will investigate the incident. Consult lawyers or IT security personnel (if you have them) and find out what documents are needed to initiate a legal case. Do everything you can so that news of the detected offense does not spread around the company. Otherwise, the offender will have time to cover his tracks, disappear, or even put everything back as it was, as if he had nothing to do with it.
  • Identify the location of the leak and find out what information, in what amount and through what channels, could have been transferred. Change the protection system and passwords, change account rights and privileges, and restore from backups.
  • Identify the purpose of the theft in order to minimize the negative consequences. Try to find out who ordered and received your information and build the chain of participants in the offense. If the data has not yet been passed on, approach the employee before he has time to deliver it to its final destination.
  • Quickly collect all possible evidence: emails, browser history, conversation records, CRM system logs, ITSM system logs, and records of the employee's actions on the PC.
  • If the information concerns your external partners, suppliers or other interested parties, inform them about the incident immediately, so that they, for their part, can also minimize the risks or even help with the investigation (though if they were involved, they might try to prevent you from finding the truth).
  • Once you are sure you have a bag of evidence and have collected all the necessary information, immediately cut off all of the employee's escape routes and haul him onto the carpet. The more actively you press and present the proof, the quicker the insider will realize the seriousness of his situation and the extent of his misdoing, and possibly reveal his cards.
  • Next, discuss how to return the data and correct the situation. Perhaps the employee himself will say what can be done, given the motives that drove him. Encourage the employee to cooperate out of court, conclude a pre-trial agreement with him, and clearly spell out the substantial penalties for any insider activity after his dismissal from the company.
    When the story is over, make the process public, learn the reasons, draw conclusions, and close the security holes.

To develop self-driving vehicles, Uber acquired Otto, a startup headed by its founder Anthony Levandowski. By the end of 2017, Uber was enjoying a leading position in this industry, but at the same time Waymo, Uber's competitor, sued the company for stealing trade secrets. It turned out that Levandowski, a developer and former employee of Waymo, had stolen more than 14,000 confidential technical documents, drawings, and other files before leaving the company, in order to use them in the very startup that Uber later bought. The company faced legal prosecution for using someone else's technology when developing self-driving vehicles and for trying to cover up the theft of trade secrets.

Honestly, there is no 100% protection. There is always room for a vulnerable technology or a corrupt person, especially when there is a strong and evil intention to steal someone's information.

However, this does not mean that you have to put up with it. Even the slightest preventive measure reduces the risk.

Here is a short checklist of measures that will help you protect corporate information.

  • Prepare policies with a clear delineation of access rights for each employee. Workers should understand clearly and unambiguously what information they may use and to what extent.
  • At the hiring stage, sign separate agreements on non-disclosure and on access to information. Possible legal consequences significantly reduce potential bad intentions.
  • When hiring for an open position, stipulate the rules for the use of equipment, especially mobile equipment. For example, prevent the mobile CRM application from working on a personal smartphone.
  • Use specialized software. The client base is best accumulated and stored in a CRM system (preferably hosted on your own server, with logging of users' actions and events, and with the ability to set access rights).
  • Monitor employees' activities. This does not mean paranoia in the form of CCTV behind everyone's back or keyloggers, but it is necessary to monitor changes in the IT infrastructure and unusual, abnormal events. For example, copying or downloading large amounts of data, or actively copying or sending files at lunchtime, should raise suspicion.
  • Make backups. This advice could be written into every article on cybersecurity. Making backups is not a whim; it is a tactic to reduce the consequences of negligence: the online extortionist will not get a penny, because a copy of all the data exists; a vengeful admin will fail to make off with your data, because the backups are protected; and the salesman will not be able to delete the entire customer base, because it is securely backed up.
  • Develop a BYOD (Bring Your Own Device) policy on using personal devices and gadgets for work and personal purposes. There was a case when one very large food company forced employees to put their mobile phones in a box for the whole working day. This, of course, is an excess that reduces the loyalty of employees. However, there must be certain restrictive measures.
  • Make employees come up with strong passwords and ensure complex combinations. Check whether a password is stuck to the monitor or lies literally under the keyboard. Use password managers.
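To make the "mass export" sign from the indicators above and the "large amounts of data at unusual times" point in the monitoring tip concrete, here is an added example (not from the original article) that scans CRM audit-log lines and flags a user whose daily export volume jumps far above that user's own median, or who exports outside office hours or on a weekend. The log format, the sample lines, the thresholds and the office hours are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2018-04-02T09:15:00,alice,export,40
2018-04-03T10:02:00,alice,export,35
2018-04-04T11:30:00,alice,export,50
2018-04-05T09:45:00,alice,export,30
2018-04-07T22:10:00,alice,export,1900
2018-04-02T14:00:00,bob,export,20
2018-04-03T13:10:00,bob,export,25
2018-04-04T12:40:00,bob,export,15
"""  # constructed sample, format "ISO timestamp,user,action,records" (not real data)
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 on weekdays (assumed office policy)

def parse_log(text):
    """Parse log lines into (timestamp, user, action, records) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, records = line.split(",")
            events.append((datetime.fromisoformat(ts), user, action, int(records)))
    return events

def flag_exports(events, ratio=5.0, floor=500):
    """Return (user, day, records, reasons) for days whose export volume is at
    least `floor` and over `ratio` x the user's median, or with off-hours exports."""
    daily = defaultdict(int)  # (user, date) -> records exported that day
    off_hours = set()         # (user, date) with an export outside office hours
    for ts, user, action, records in events:
        if action == "export":
            key = (user, ts.date())
            daily[key] += records
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
                off_hours.add(key)
    per_user = defaultdict(list)  # per-user list of daily totals for the baseline
    for (user, _), records in daily.items():
        per_user[user].append(records)
    alerts = []
    for (user, day), records in sorted(daily.items()):
        reasons = []
        baseline = median(per_user[user])
        if records >= floor and records > ratio * baseline:
            reasons.append("volume %d vs median %.0f" % (records, baseline))
        if (user, day) in off_hours:
            reasons.append("off-hours")
        if reasons:
            alerts.append((user, day.isoformat(), records, reasons))
    return alerts
```

With the sample above, only alice's Saturday-night export of 1900 records is flagged (for both volume and off-hours), while bob's small weekday exports pass as normal; the same logic applies unchanged to a real CRM export log in the assumed format.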

As you can see, these tips are very simple, but pathological greed and lack of control on the part of business owners and managers continue to bring tangible trouble to businesses.
