There’s no escaping the fact that employee data theft represents a huge threat to the security of our data. According to a blog post by techjury.net, 66% of organizations consider malicious insider attacks (or accidental breaches) to be more likely than external attacks, and the number of such incidents has increased by 47% over the last two years.
In 2020, the total cost of insider threats related to credential theft was $2.79 million. Likewise, according to The 2020 Cost of Insider Threats Global Report from the Ponemon Institute, in just two years the number of insider incidents rose by 47%, and the cost of dealing with them increased by 31%. Insider threats are notoriously difficult to defend against because the culprits already hold legitimate access to critical systems and data. Perimeter controls do nothing to stop someone who is already inside, so if an insider decides to misuse their privileges, the only things standing in the way are how tightly those privileges are scoped and how quickly abnormal use of them is noticed.
Why Does Employee Data Theft Happen?
There are many reasons why an employee might choose to steal data. Often the employee steals a company’s data in order to sell it, or simply sells access to it.
It’s worth noting that an employee has a far better understanding of how valuable your company’s data is than someone outside the organization. They also have a better idea of who might want it. In some cases, they steal data on behalf of a competitor with which they have close ties.
The worst-case scenario is when the employee is working on behalf of a hacking group, which is obviously very dangerous given the amount of damage they can do were they to gain access to your network.
Disgruntled employees are another threat to watch out for, as they have been known to seek revenge after being fired or after failing to get a promotion they were hoping for. In some cases, the disgruntled employee has no issue with the organization as a whole but with a specific individual within it, in which case they might steal data in an attempt to frame that person or disrupt their life in some other way.
While not technically employees, third parties such as cloud-service providers deserve the same vigilance. An unvetted cloud provider that has access to your data, and possibly your network, could do a great deal of harm, especially if an external attacker were to compromise the provider’s platform.
How to Prevent Employee Data Theft
Protecting your sensitive data from insider threats and data theft is a huge topic, as it encompasses most areas of data security. It’s quite difficult to draw the line between what we would consider to be an insider threat and a threat that originated from outside of the organization.
As with any data security strategy, it’s usually a good idea to start with some basic housekeeping. This includes using an automated solution to discover and classify your sensitive data, and remove any ROT (Redundant, Obsolete and Trivial) data. Knowing exactly what data you have, where it is located, and why you are keeping it, is crucial if you want to keep it secure. It makes it easier to assign the appropriate access controls and monitor access to your critical assets. Below are some other relevant areas that need to be looked into to prevent employee data theft.
The Principle of Least Privilege (POLP)
Make sure that users only have access to the data they need to carry out their role. Restricting access permissions is a crucial part of any data security program: it limits the damage that both rogue employees and external attackers can cause, and because fewer accounts can reach any given dataset, it makes it easier to identify who was behind an incident.
Disable/block access
Remove employees from the local Administrators group on their computers so that they cannot install unapproved (potentially malicious) applications or disable security controls. Note that standard users can still copy files to a USB stick, SD card or other portable storage device, so removable-media access must be blocked separately through a device-control policy (for example, a Group Policy or endpoint-management setting that denies access to removable storage classes). Where the role allows it, provide employees with thin clients that have no local storage; this makes it harder for a malicious employee to walk off with data and also prevents them from installing software locally. You should also block websites that offer browser-based screen recording or file sharing, as these are another way for a rogue insider to exfiltrate data without touching a file share.
Recognize red flags
Given that there are potentially hundreds of red flags that might suggest someone is stealing your data, a full list is beyond the scope of this article. However, the sort of events you should look out for include:
- Copying/moving/deleting files at an unusual rate
- Uploading/downloading files to/from the corporate network at an unusual rate
- An employee using Private Browsing mode and/or The Onion Router (Tor)
- A machine accessing unusual IP addresses or ports
- An employee sending emails to their personal email accounts
Deploy software to monitor and prevent access
In order to identify these red flags you must deploy software that gives you real-time visibility into who is accessing what critical data, and when. Most real-time auditing solutions allow you to detect and respond to events that match a pre-defined threshold condition. For example, if more than X files have been downloaded by one user within a given time frame, a custom script could be executed to disable the relevant user account until the incident has been investigated. Tune such thresholds per role and exempt known bulk readers such as backup and indexing service accounts, otherwise the automated response will lock out legitimate jobs. You should also use an intrusion prevention system (IPS) capable of real-time traffic analysis and packet logging to help you identify and respond to suspicious outbound network traffic, such as an unusually large transfer to an unfamiliar external host, which might suggest that an employee is trying to run off with your database.
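The following is an added example, not code from the original article or from the Lepide platform, showing the threshold rule described above run over a constructed file-access audit log. It checks two of the red flags from the list: a burst of downloads by one user inside a sliding time window, and an email sent to a personal webmail domain. The log format, field names, threshold values and personal-domain list are all assumptions made for the example; the account-disable action is left to a caller-supplied hook so the same logic can be wired to whatever directory tooling is in use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not real data). One event per line:
#   timestamp,user,action,target
SAMPLE_LOG = """\
2024-03-04T09:00:01Z,alice,DOWNLOAD,finance/q1.xlsx
2024-03-04T09:00:07Z,bob,DOWNLOAD,hr/policy.pdf
2024-03-04T09:00:12Z,alice,DOWNLOAD,finance/q2.xlsx
2024-03-04T09:00:20Z,alice,DOWNLOAD,finance/q3.xlsx
2024-03-04T09:00:31Z,alice,DOWNLOAD,finance/q4.xlsx
2024-03-04T09:00:44Z,alice,DOWNLOAD,finance/forecast.xlsx
2024-03-04T09:00:50Z,alice,DOWNLOAD,finance/payroll.csv
2024-03-04T09:15:00Z,bob,EMAIL,bob.smith@gmail.com
2024-03-04T10:30:00Z,bob,DOWNLOAD,hr/handbook.pdf
2024-03-04T11:00:00Z,carol,EMAIL,vendor@partner.example
"""

# Assumed tuning values; in practice set these per role and data set.
DOWNLOAD_THRESHOLD = 5          # more than this many downloads ...
WINDOW = timedelta(minutes=5)   # ... inside this window trips an alert
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}


def parse_line(line):
    """Split one audit line into (timestamp, user, action, target)."""
    ts, user, action, target = line.strip().split(",", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, action, target


def detect(log_text, threshold=DOWNLOAD_THRESHOLD, window=WINDOW, on_burst=None):
    """Scan the log in order and return (alerts, users_disabled).

    on_burst(user) is called once per user the first time they exceed the
    download threshold; a real deployment would have it disable the account.
    """
    alerts = []
    recent = defaultdict(deque)   # per-user download timestamps still inside the window
    disabled = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ts, user, action, target = parse_line(line)
        except ValueError:
            continue              # skip malformed lines rather than crash the monitor

        if action == "DOWNLOAD":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()       # evict events that fell out of the sliding window
            if len(q) > threshold and user not in disabled:
                alerts.append((ts, user, "download_burst",
                               f"{len(q)} downloads within {window}"))
                disabled.add(user)
                if on_burst:
                    on_burst(user)

        elif action == "EMAIL":
            domain = target.rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_MAIL_DOMAINS:
                alerts.append((ts, user, "personal_email", target))

    return alerts, disabled


if __name__ == "__main__":
    found, locked = detect(SAMPLE_LOG, on_burst=lambda u: print(f"would disable account: {u}"))
    for when, user, rule, detail in found:
        print(f"{when.isoformat()} {user:6} {rule:15} {detail}")
```

Running it on the sample log fires one download-burst alert for alice on her sixth download within the window (and calls the hook once, not again on later downloads) and one personal-email alert for bob; carol’s email to a business partner domain is not flagged. Because the log is processed in time order, the same function can be fed a live tail of events.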
Employee off-boarding
Many companies fail to consider the procedures that should be carried out when an employee leaves the organization. An exhaustive list is beyond the scope of this article, but below are some common tasks that need to be carried out as soon as an employee’s contract has been officially terminated (ideally the account-disabling steps are timed to coincide with the termination itself, not left until the next working day).
- Disable all relevant user accounts and forward the employee’s emails and voicemail to their manager.
- Terminate VPN and Remote Desktop access for the employee.
- Change passwords on all shared accounts the user had access to.
- Remove the user from email group lists, distribution lists, internal phone lists, and websites.
- Retrieve or disable all company-owned physical assets (laptops, phones, tablets, etc.) assigned to the user, and update the IT inventory.
- Copy any business data still stored locally on the employee’s computer to a location their manager can access, then wipe or re-image the device.
- Change any access codes the user knows, such as PINs for accessing secured rooms.
- Inform company staff that the user is no longer employed there.
It is important to ensure that each individual is aware of their responsibility when it comes to keeping an eye on how their fellow employees are behaving. It would be a good idea to introduce a system that allows employees to anonymously report suspicious behavior. Finally, it’s worth noting that no data loss prevention strategy is 100% effective, and so it is necessary to have a tried and tested incident response plan (IRP) in place.
If you’d like to see how the Lepide Data Security Platform can help you prevent employee data theft by giving you visibility over anomalous user behavior, schedule a demo with one of our engineers.