Data theft and insider threats are a significant problem for organizations of all sizes. Most employees have access to documents and information that they themselves created, and many have access to the data that they did not create personally.
Who are Insider Threats?
In general, your insider threat is anyone who directly or indirectly has access to the client base, reports, financial information. In fact, anybody: hackers, competitors, and so forth can be a threat. However, the main cause of data loss in the enterprise is through insiders.
Many blame the system administrators as they hold the keys to the kingdom. Aq sysadmin can inflict the heaviest technical damage and do it in the most sophisticated way, but it is rather a businessman or salesman who will sell the data to competitors or in general on the open market. Salespeople know better what to sell and who needs the information, what data is interesting to external agents, and what is just a worthless set of figures.
So, in the end, the financial damage from the system administrator is not so great (especially if you have had backups, for example, made by another administrator, an outsource company, a vendor, or the general manager himself.)
Insiders are not necessarily existing employees who turn up at work at 9 am on a daily basis. These include former employees, relatives of the existing ones, partners, employees in distant branch offices, customers with access to information, contractors, suppliers, consultants, and coaches. Moreover, it can be employees of absolutely any level. They range from top managers to junior tech support reps.
Here are some signs that you have insider data loss.
- Mass export of customer data or leads in any form. This can be as normal as copying to external media, printing out, sending large volumes of emails or large size emails, copying to cloud storage, etc. Such behavior can typically be found in the logs of the CRM-system, as well as in IT monitoring systems like your SIEM.
- Work productivity slows. An employee who knows he will soon leave the organization, tend to slow down quite a bit in his last days at work since he knows that all the deadlines and reports for the current month will be dealt with when he has left the company.
- Unusual data organization and file cleaning If an employee who has not shown zeal in cyber-cleaning, suddenly starts putting files in order cleaning, copying the work done by him, removing important documents and disabling access to his shared folders, means he is preparing to quit very soon.
- Sudden, unusual and unmotivated long hours and turning up at work during weekends. If an employee has almost never worked beyond the office hours and suddenly starts to linger at work or ask for access to the office for the weekend, it is worthwhile to keep an eye on him.
How can data slip away?
Not always does the data flow away because of malicious activity, but most often one has to think about the worst. Here are three main data routes outside the company’s servers.
- Incidentally. Employee have access to dozens of resources and tools: network storage, devices, cloud storage, and corporate systems. It is impossible to track where every file goes.
- A false sense of ownership. The employee thinks that everything he has belongs to him. This is a very common judgment, which lies at the root of most problems. What is usually quickly forgotten is the fact that employees were hired to do a job and the salary pays for it.
- Malicious intentions. An insider finds a way to do harm to the company and steal data by way of revenge, switching to competitors, the desire to blackmail the CEO, etc. As a rule, such actions always end up in court. And remember: if you have hired a manager with customer base taken from their previous job, expect that they will just let you down in the same way.
What happens if you have an insider steal data?
If data loss via insider occurred, the main thing is to be restrained, reasonable and act as quickly as possible. Consider the following steps to protect your organization.
- Prepare a plan for how you will investigate the incident. Consult with lawyers or IT security personnel (if you have these), find out what documents are needed to initiate a legal case. Try to do everything, so that information about the detection of the offense does not scatter around the company. Otherwise, the offender will have time to cover up tracks, disappear or even return everything just as it was before and as if he has nothing to do with that.
- Identify the location of the data breach, find out what information, in what amount and through what channels could have been transferred. Change the protection system, passwords, change the account rights and privileges, and restore backups.
- Identify the purpose of the theft to minimize the negative consequences. Try to find out who ordered and received your information, build the chain of participants in the offense. If the data has not been transferred away, start approaching the employee so that he does not have time to transfer the data to the final destination.
- Quickly collect all possible evidence: emails, browser history, conversation records, CRM system logs, ITSM system logs, and records of employee actions on the PC.
- If the information has to do with your external partners, suppliers and other interested parties, immediately inform them about the incident, so that they, for their part, could also minimize the risks, or even help in the investigation (but if the guys were involved, they might try to prevent you from finding the truth.)
- Once you understand that you have a bag of evidence and collected all the necessary information, immediately cut off all employee’s retreat possibilities and haul him on the carpet. The more actively you attack and provide the proofs, the quicker the insider will realize the seriousness of his situation and the level of his misdoing and possibly reveal the cards.
Next, discuss the ways on how to return data and correct the situation. Perhaps, the employee himself will tell what to do in the framework of those motives that moved him. Encourage the employee to cooperate in a pre-trial way, conclude a pre-trial agreement with him, clearly discuss the substantial penalties for any possible insider activity after his dismissal from the company.
If necessary, make the process public, notify authorities, and close the security holes.