INFORMATION THEFT – THE EMPLOYEE RISK

Information Theft – What is the Risk?

Our research has shown that around 68% of employees will steal information from their employer. This figure jumps to 87% for exiting employees. Running any business mean providing our employees access to sensitive information, but we need to be mindful that access to information comes with a risk, particularly leading up to an employee exit.

What type of Information is Stolen?

What data do we typically see walking out the front door? Senior staff have access to, and may steal, restricted company information; developers steal snippets or large amounts of code; we have also had many cases where call centre operators steal sensitive customer information to take over the customers identify to commit fraud.

Why do Employees Steal Information?

There are many reasons why employees steal information, which include feeling entitled to it, if they had worked on the project or to feather their nest in their next role, outside your company. The catalyst for the theft may be, an employee’s move to a competitor, a dispute with their manager or having just missed out on a promotion. Whatever the reason, one thing is certain, the employee has almost certainly lost loyalty to the company and is now a significant risk.

Does it Matter if Employees Steal Information?

You could argue that there is almost a culture where employees now consider it normal to steal information and employers are unaware of it. Whether it is the few critically sensitive files that are stolen or the wholesale theft of information by many exiting employees, the damage to an organisation can be significant.

In most cases, your competitors will gain an immediate advantage over you. That could be because they get an insight into your pricing models, steal your customers or enable them to accelerate key projects. The loss of the personnel is bad enough, but when your sensitive intellectual property goes with them the damage is even more severe. At worst you may have lost information which could result in a data breach.

What are the Indicators of Theft of Information?

We can often predict an information theft before it happens, based on the behaviour of an employee. Some key risk indicators are when we see an employee suddenly increase the amount of information they are saving to a laptop or a surge in the amount of time they spend on careers sites. You might also see the employee starting to increase the amount of material they print, or they may start to send compressed files to a new web mail account. There are hundreds of these types of indicators, but a known key risk is once an employee resigns.  They are almost certain to steal information at that point. Employees don’t typically trickle data out in a covert fashion; they tend to take information in large chunks in the last one or two weeks in the company. By the time it is discovered, they have already departed the organisation, making remediation activities challenging, if not impossible.

How do Employees Steal Information?

The theft of information is typically unsophisticated with employees using systems they have access to, and are familiar with. It is often right under our noses, but unfortunately the activity is often unmonitored.

The most common vectors for information theft are email and USB. We also see some employees simply printing small amounts of information. Some of the more sophisticated employees will use file sharing applications such as Drop Box, either by installing the application or using a web-based version. The most cunning of employees will try to disguise their activity by using multi-function printers to scan directly to a personal email address or connect their laptops to their home networks to move wholesale amounts of data.

How do you prevent Information Theft?

There are many methods to steal information, many can be blocked, but employees do need access to information to do their job, so completely blocking all avenues is not possible. The key is to be proactive about detecting these damaging events, and to build a culture in your organisation where this type of activity is not ok.

In essence, the solution is to either proactively monitor for the activity, or conduct targeted audits against high risk individuals, such as executives.

Most organisations already have ample system logs which will provide visibility to employee activity. The perceived challenge is; how do you monitor all of those systems effectively? It’s actually not that difficult when you know where and how to look. This is something SECMON1 can help with. We’re happy to provide some tips in this space. When you do monitor effectively, you quickly start to change the culture of the organisation, and these undesirable events happen less often.

Targeted audits are an effective way to detect information theft by high risk employees, such as executives or those known to have access to high value information. Most employees are unaware that almost everything they do on their laptop leaves a trail of digital forensic evidence. Ideally, an audit should be conducted by someone with digital forensics experience prior to the employee officially exiting the business. In that way you will discover if any undesirable activity has occurred, and be able to respond to it.

The time to become proactive is now and not after your organisation has suffered the financial and reputational loss resulting from theft of information.

There are some key questions you should ask yourself, particularly when an employee has just resigned;

– Should I put that person on gardening leave?

– Does the risk of them remaining in their position outweigh the value to the business for the next month?

– Can their access be restricted to mitigate the risk of theft of information for their remaining time in the business?

– Should I conduct an audit of their activity?

– Can enhanced monitoring and alerting be implemented?

– Has the employee signed a legal attestation regarding information to which they had access?