How To Mitigate Insider Data Theft

7 Ways to fight a growing cyber threat in the new remote employee culture

Insider data theft is a sobering thought. As a business owner, you can install specialized antivirus software, train your employees on how to spot a phishing email, and invest in a company that provides superior network monitoring, but none of that will do any good if your enemy is already within your walls.

Now don’t misunderstand. You need to be doing all of those things; I’m not advocating that you skip any of those steps in securing your business (Buzz Cybersecurity offers a free audit to help ensure you’ve got the basics covered), but with an unprecedented number of employees working from home due to the current Covid-19 situation, you need to entertain the possibility that someone in your organization may be willing to steal from you at some point in the future. Or already is. If you have a smaller organization, that can feel like a personal betrayal. Some may not even want to entertain the thought. But the majority of your employees are good, trustworthy people and will thank you for taking these steps because data theft puts their jobs at risk, too.

For the purposes of what we’re discussing in this blog, we’re excluding data breaches that occur accidentally via authorized viewing of data where no information is shared, lost or stolen devices, or malicious attacks coming from outside your company. While costly, they are a separate conversation. If you’d like more information on ransomware attacks, click here. This article is only going to deal with those employees who, for reasons ranging from selfish financial gain to righting a perceived wrong done to them by your company, have made an intentional decision to break the law and shares confidential data with others for the intent of causing harm to an individual or company.

What Can I Do?

1. Evaluate and classify all sensitive data. Most people don’t think like criminals, but for this to work, you have to take a step back and look at your assets objectively. What do you have in your possession that is most valuable if leaked and therefore more likely to be the target of theft? Make a list of what systems hold this information and create a security governance policy to make it harder to access this type of data. Revisit your list at least twice a year to make sure it’s current.
2. Limit the number of people you trust with access to sensitive data, and limit the amount of access they have. In 2018, Tesla learned this the hard way. According to CEO Elon Musk, a disgruntled employee was responsible for making “direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties.” The electric car company decided to forgo limiting the privileged access it allowed it’s employees to have, and according to CNBC, it cost the company a staggering $167 million dollars in damages. And while it’s common sense that no company will ever be 100% safe against these types of attacks, this particular incident is considered unfortunate because it could have been avoided.
3. Give people overlapping shares of trust. This is basically a system of checks and balances. It ensures that no one person has a singular Osterhagen Key that allows them to take out your company. You don’t want to give one person the ability to launch the nuclear warheads, and most employees will appreciate not being put in a position to wield such responsibility or to yield to temptation.
4. Monitor employee activity. No one likes to be Big Brother, but sensible employees will understand the benefits of working from home—namely less money spent on gas, eating out, work attire, not to mention more time to sleep and spend with family—far outweigh the need for companies to monitor for safety. Plus, anything they need to do on a personal level that they don’t want you to be privy to can be done on their PC or phone. Take a proactive approach to detect suspicious behavior when it occurs, rather than waiting for a breach.
5. Establish an acceptable use policy and then educate your employees about it. Having an official corporate policy about what is and what is not acceptable when it comes to using your company’s data. Then make sure all employees go through training that makes them accountable for what they’ve learned. Don’t assume that it’s common sense. And make sure employees know the legal consequences that will be taken should they be caught stealing company information.
6. Establish an anonymous tip line. Peers will often be the first to notice a co-worker’s suspicious behavior. Giving them a means to report unusual or erratic behavior will encourage your employees to come forward, especially if they are assured that they will not be subject to any retaliation because they can remain anonymous. Some may feel that this makes them a snitch, so it’s your job to help themselves realize that they’re actually being a hero, because not only could they be saving your company from financial ruin, but in the process, they’re helping to save their own jobs and the jobs of their friends.
7. Pay attention when an employee leaves your company, even when it’s on good terms. Don’t delay when it comes to terminating all employee accounts. Make sure any access to get back into your facility is revoked, and remove the employee from all access lists. You may be tempted to only do this when an employee is “disgruntled,” but making this a standard operating practice when a person departs your company will ensure that no one slips in through a door that should have never been left open.

Ready to take the next step in protecting your company and your livelihood?

Reach out to us today for a free consultation!