Our research has shown that around 68% of employees will steal information from their employer. This figure jumps to 87% for exiting employees. Running any business mean providing our employees access to sensitive information but we need to be mindful that access to information comes with a risk, particularly leading up to an employee exit.

What type of Information is Stolen?

What data do we see walking out the front door? Typically, senior staff tend to take restricted company information, developers steal snippets or large amounts of code and we have had many cases where call centre operators steal sensitive customer information to commit fraud.

Why do Employees Steal Information?

There are many reasons why employees steal information, which includes feeling entitled to it, if they had worked on the project, or to feather their nest in their next role outside your company. The catalyst for the theft may be, an employee’s move to a competitor, a dispute with their manager or having just missed out on a promotion. Whatever the reason, one thing is certain, the employee has almost certainly lost loyalty to the company and is now a significant risk.

Does it Matter if Employees Steal Information?

You could argue that there is almost a culture where employees now consider it normal to steal information. Whether it is the few sensitive files that are stolen or the wholesale theft of information by many exiting employees, the damage to an organisation can be significant.

In most cases, your competitors will gain an immediate advantage over you. That could be because they get an insight into your pricing models, steal your customers or enable them to accelerate key projects. The loss of the personnel is bad enough, but when your sensitive intellectual property goes with them the damage is even more severe. At worst you may have lost information which could result in a data breach.

What are the Indicators of Theft of Information?

Using SECMON1’s ShadowSight™ we can often predict an information theft before it happens, based on the behaviour of an employee. Some key risk indicators are;

  • an increase the amount of information they are saving
  • a decrease in performance (don’t get even get lazy as we sometimes call it)
  • a surge in the amount of time they spend on careers sites
  • a change to holiday patterns or work hours

You might also see the employee starting to increase the amount of material they print, or they may start to send compressed files to a new web mail account. There are hundreds of these types of indicators, but a known key risk is once an employee resigns, they are a very high risk to steal information. Employees don’t typically trickle data out in a covert fashion, they tend to take information in large chunks in the last one or two weeks in the company. By the time it is discovered, they have already departed the organisation, making remediation activities challenging, if not impossible.

How do Employees Steal Information?

The theft of information is typically unsophisticated with employees using systems they have access to, and are familiar with. It is often right under our noses, but unfortunately the activity is often unmonitored.

The most common vectors for information theft are email and USB. Some of the more sophisticated employees will use file sharing applications such as Drop Box, either by installing the application or using a web-based version. The most cunning of employees will try to disguise their activity by using multi-function printers to scan directly to a personal email address or connect their laptops to their home networks to move wholesale amounts of data.

What not to do

The answer is never an endpoint detection agent alone. While it may appear to be the panacea to the Insider Threat challenge, a technical solution alone will not solve the issue. The problem with a technical only solution is that it typically generates large volumes of false positive which never decrease. Can your security team cope with reviewing tens of thousands of alerts a day, or will they simply ignore them as most team do?

How do you prevent data theft?

There are many methods to steal information, many can be blocked, but employees do need access to information to do their job, so completely blocking all avenues is not possible. The key is to be proactive about detecting these damaging events, and to build a culture in your organisation where this type of activity is not ok.

In essence, the solution is to proactively monitor the activity of all employees, and to be able to refine that monitoring as the business, users and trends change.

Most organisations already have ample system logs which will provide visibility to employee activity, on a reactive basis. The perceived challenge is; how do you monitor all of those systems effectively? It’s actually not that difficult when you know where and how to look. This is something SECMON1 can help with. We’re happy to provide some tips in this space. When you do monitor effectively, you quickly start to change the culture of the organisation, and these undesirable events happen less often.

The time to become proactive is now and not after your organisation has suffered the financial and reputational loss resulting from theft of information. Ask about SECMON1’s ShadowSight™ today. It is an innovative solution with a proven track record of solving the insider threat challenge.

Some key points

There are some key questions you should ask yourself, particularly when an employee has just resigned;

  • Should I put that person on gardening leave?
  • Does the risk of them remaining in their position outweigh the value to the business for the next month?
  • Can their access be restricted to mitigate the risk of theft of information for their remaining time in the business?
  • Can enhanced monitoring and alerting be implemented?

Has the employee signed a legal attestation regarding information to which they had access

Christopher McNaughton

Strategic Advisor, ShadowSight

Who is Christopher McNaughton

Chris is a proficient problem solver with a strategic aptitude for anticipating and addressing potential business issues, particularly in areas such as Insider Threat, Data Governance, Digital Forensics, Workplace Investigations, and Cyber Security. He thrives on turning intricate challenges into opportunities for increased efficiency, offering pragmatic solutions derived from a practical and realistic approach.

Starting his career as a law enforcement Detective, Chris transitioned to multinational organisations where he specialised and excelled in Cyber Security, proving his authority in the field. Even under demanding circumstances, his commitment to delivering exceptional results remains unwavering, underpinned by his extraordinary ability to understand both cyber and business problems swiftly, along with a deep emphasis on active listening.

What is ShadowSight

ShadowSight is an innovative insider risk staff monitoring tool that proactively guards your business against internal threats and safeguards vital data from unauthorised access and malicious activities. We offer a seamless integration with your current systems, boosting regulatory compliance while providing unparalleled visibility into non-compliant activities to reinforce a secure digital environment. By prioritising actionable intelligence, ShadowSight not only mitigates insider threats but also fosters a culture of proactive risk management, significantly simplifying your compliance process without the overwhelming burden of false positives.