Employee Data Theft

When most of us think about a cybercriminal, we usually think of a person from home, and probably not in your own country. But did you ever consider that a hacker could be inside your own organisation?

While most business owners assume that attacks on their company, data, website or operations are from outside the organisation, insider threats are a common risk to organisations. Covid19 with the impact on people’s livelihoods, reduced hours, financial resolve may (& I stress may) contribute to why there is the potential for employees to act illegally or at least unethically. Disgruntled employees sometimes cut the emotional ties that hold them to their jobs and become malicious insiders and commence thoughts on how to gain from illicit behaviour for financial gain.

According to the 2020 Cost of Insider Threats Global Report by the Ponemon Institute, insider-related incidents have increased by 74% over the last two years. During this time the average global cost of insider threats rose by 31% to $11.45 million.

The 2020 Insider Threat Report by Cybersecurity Insiders, the biggest enabler of insider attacks is the fact that in 61% of incidents the perpetrator had elevated access to sensitive data and applications.

An insider attack is a malicious attack executed on a network or a computer system by a person with authorised system access. They have the knowledge on how the systems works, at times how the security is configured on a wholistic scale (antivirus, email filtering, reporting) and may also be familiar with the systems procedures/policies.

The Shopify hack in September is an illustration of this type of cyber-attack. The organisation’s own employees breached the network. Shopify determined two rogue members of their support team orchestrated the violation and was not caused by a technical vulnerability in the Shopify platform.

Some insider threats are purely accidental, but that’s not what we’re talking about here. These are intentional acts, not employee error. Recent research conducted by the Ponemon Institute revealed that malicious insider threats are three times more costly than incidents caused by negligent employees.  They know where the data is contained, understand the potential cost or benefit to the company of the data. Typically they are in & out with in a short period of time.

The key question is, why is it so hard to protect mission-critical data?

Part of the answer is that many modern IT architectures are hybrid or borderless. Sensitive information isn’t stashed away in the castle’s dungeon; it’s stored in the cloud or spread across multiple systems and applications, where it’s more vulnerable. Also, the growing popularity of BYOD and the complex permissions structures of applications like SharePoint Online often leave IT teams with no clue exactly what data insiders have access to and how they use it. Finally, too many organisations still treat data security as a set-it-and-forget-it thing rather than a process of constant review and adjustment.

Employee Data Theft: The Motives Behind It

These days, almost all sensitive data is stored electronically, from confidential trade secrets to customers’ personal information to employee records. Employees need access to certain bits of that data to do their jobs. Unfortunately, some of them believe that if they work with particular data every day, it belongs to them and they have a right to take it along when they leave the company. Others know that doing so constitutes stealing, but they take the data anyway.

Motives for data theft vary widely but include the following:

• Setting up a competing business
• Selling confidential information on the black market
• Taking revenge on the employer

More broadly, corporate data theft cases can be divided into the following categories:

Data Theft Driven by Malicious Intent

Employees with malicious intent often exhibit unusual behaviour. For example, they might access files they haven’t looked at before, copy a large number of files, or forward important emails to their personal mailboxes in order to sell this information later or use it to blackmail the employer. Admins with privileged rights might make critical changes without authorisation in order to gain the permissions they need to steal critical information. Any of these actions could be a sign of privilege abuse potentially leading to data theft or fraud.

Example: The Tesla Theft

Another example of malicious intent centers on former Tesla engineer Guangzhi Cao, who admitted in 2019 to uploading sensitive source code to Autopilot, Tesla’s proprietary driver assistance system, to his personal accounts. The admission came after Tesla sued Cao for stealing Autopilot-related trade secrets and bringing them to his new employer, Xiaopeng Motors (XMotors) of China.

Data Theft without Malicious Intent

Insiders don’t always act with malicious intent when they put company data at risk. In some cases, users copy files to their personal devices so they can use those files for a project, without even realising that they’re doing something illegal and dangerous. Even if the users would never misuse the data they copied, the data can more easily be obtained by bad actors, increasing the risk of the company falling victim to a data breach. To prevent sensitive data from becoming jeopardised, IT teams need to ensure these kinds of actions can’t slip under their radar

Protecting against insider threats in cybersecurity is one of the top concerns that businesses are facing today. Breaches are inevitable in today’s business climate, and unfortunately, internal threats are on the rise. Awareness and vigilance are important; however, you need to also mitigate your risk exposure to vulnerabilities that lurk within your organisation