Employee Data Theft: How to Mitigate the Risk

Picture your IT infrastructure as a castle that houses your most critical data. Just a few years ago, the best way to defend those “crown jewels” was to build a virtual moat around the perimeter of your castle.

Times have changed though, and firewalls and intrusion-detection systems aren’t enough to keep company data safe. Businesses still spend billions of dollars a year on these systems to try to protect their confidential data from being hacked, but today, the threat is often already inside the castle. Employee data theft is a real — and rising — risk.

  • According to Verizon’s 2020 Data Breach Investigations Report, 30% of security breaches come from malicious insiders. That’s almost one out of every three incidents caused by your own people, and the number is going up.
  • The Ponemon Institute’s 2020 Cost of Insider Threats Global Report revealed a 47% increase in the number of insider-generated cyber security incidents in the past two years.
  • Approximately 62% of incidents come from negligent insiders, with another 23% coming from internal credential thieves and 14% from criminal insiders.

Moreover, the cost of cybersecurity incidents is rising as well, up 31% since 2018. According to Ponemon, insider threats now cost companies an average of $11.5 million per year. These expenses are the result of compliance failures, legal penalties, damage to the organization’s reputation, and more. Sometimes these insider incidents lead to the loss of the entire business, whether small or large.

The key question is, why is it so hard to protect mission-critical data?

Part of the answer is that many modern IT architectures are hybrid or borderless. Sensitive information isn’t stashed away in the castle’s dungeon; it’s stored in the cloud or spread across multiple systems and applications, where it’s more vulnerable. Also, the growing popularity of BYOD and the complex permissions structures of applications like SharePoint Online often leave IT teams with no clue exactly what data insiders have access to and how they use it. Finally, too many organizations still treat data security as a set-it-and-forget-it thing rather than a process of constant review and adjustment.

Employee Data Theft: The Motives Behind It

These days, almost all sensitive data is stored electronically, from confidential trade secrets to customers’ personal information to employee records. Employees need access to certain bits of that data to do their jobs. Unfortunately, some of them believe that if they work with particular data every day, it belongs to them and they have a right to take it along when they leave the company. Others know that doing so constitutes stealing, but they take the data anyway.

Motives for data theft vary widely but include the following:

  • Setting up a competing business
  • Selling confidential information on the black market
  • Taking revenge on the employer

More broadly, corporate data theft cases can be divided into the following categories:

Data Theft Driven by Malicious Intent

Employees with malicious intent often exhibit unusual behavior. For example, they might access files they haven’t looked at before, copy a large number of files, or forward important emails to their personal mailboxes in order to sell this information later or use it to blackmail the employer. Admins with privileged rights might make critical changes without authorization in order to gain the permissions they need to steal critical information. Any of these actions could be a sign of privilege abuse potentially leading to data theft or fraud.

Example: The Popcorn Incident

In March of 2019, Garrett Popcorn Shops fired its director of research and development. When the employee, Aisha Putnam, received word of her impending termination, she allegedly stole more than 5,400 sensitive files, including highly protected information about the company’s popcorn recipe. A competitor who purchased this information could potentially offer Garrett’s famous popcorn at a lower price, putting the company’s revenue stream at immediate risk.

Example: The Tesla Theft

Another example of malicious intent centers on former Tesla engineer Guangzhi Cao, who admitted in 2019 to uploading sensitive source code to Autopilot, Tesla’s proprietary driver assistance system, to his personal accounts. The admission came after Tesla sued Cao for stealing Autopilot-related trade secrets and bringing them to his new employer, Xiaopeng Motors (XMotors) of China.

Cao claims that he deleted all Autopilot-related intellectual property from his files when he left Tesla to accept employment at XMotors. However, Tesla argues that the design specs for XMotors’ cars are similar to Tesla’s and views the alleged malicious employee data theft as a major threat to its market position; over the past year, Tesla has continued to demand related documentation from XMotors.

Data Theft without Malicious Intent

Insiders don’t always act with malicious intent when they put company data at risk. In some cases, users copy files to their personal devices so they can use those files for a project, without even realizing that they’re doing something illegal and dangerous. Even if the users would never misuse the data they copied, the data can more easily be obtained by bad actors, increasing the risk of the company falling victim to a data breach. To prevent sensitive data from becoming jeopardized, IT teams need to ensure these kinds of actions can’t slip under their radar.

Example: Homeland Security Records

In 2018, the Department of Homeland Security (DHS) issued a notification to current and former employees that it had discovered an unauthorized copy of a database in use by the Office of the Inspector General. Close to 250,000 DHS personnel records were exposed, as were records of individuals involved in DHS investigations.

Authorities believe that stealing information was not the intent behind the transfer, but there was still a risk that the information had fallen or would fall into malicious hands. For that reason, the DHS added further cybersecurity precautions to its systems and offered 18 months of credit monitoring and identity protection to those affected.

Data Theft as a Result of Data Misuse

An employee can easily and unknowingly engage in data misuse that leads to data loss. Common situations include accidentally attaching the wrong sensitive data to an email or sending the right sensitive data to the wrong recipients. Whether misuse is the result of inattention, stress or ignorance of proper workflows, it can easily result in just as much damage as the other types of data theft.

Example: Accidental HIPAA Violations

HIPAA is a complicated system intended to safeguard patients’ highly personal data. Restrictions are comprehensive and penalties are severe, but healthcare workers are still human and it’s not unheard-of for someone to make a record-keeping mistake.

The HIPAA Journal discusses several potential errors, such as:

  • A fax or email sent to the wrong address, which enables the wrong recipient to view a patient’s data
  • A medical record sent to an authorized recipient that contains the wrong patient’s data

These are clear examples of unintentional data misuse. If this sensitive data fell into the wrong hands, the consequences could be devastating for the patients and the associated provider would be left open to lawsuits. To prevent these kinds of incidents and maintain reliable data privacy, healthcare organizations have to implement thorough security policies and monitor employee usage of protected data.

Top 3 Most Common Corporate Data Theft Scenarios

Technology provides many methods for employees to steal data, from copying files to a portable USB storage device to connecting to the corporate email system and transferring sensitive files to a personal iPhone.

Here are the most common data theft scenarios you should be aware of:

  • Compromised accounts frequently turn out to be at the epicenter of data breaches. Hackers gain access to an employee’s account via tactics like spear phishing or brute-force cyber-attacks, or by simply purchasing credentials on the dark web. Once inside your network, they can lurk for months, looking for sensitive data to steal. Accounts with high-level privileges are especially valuable targets for external attackers, since they can be used to gain access to resources not available to most users.
  • Third parties who are granted access to your sensitive information for a limited time might want to leverage the opportunity to steal data. What’s worse, all too often, contractors are onboarded in such a rush to meet a deadline that IT does not take the time to determine exactly what resources they should have access to. Instead, IT teams grant users far more access than they need to do their jobs — or even give them an admin account.
  • Departing employees have become one of the top data theft threats. Right before exiting the company, some employees collect all the data that they find valuable, in blatant disregard of any non-disclosure agreements they might have signed. Or IT might leave the user account active even after the termination, giving the now-ex-employee an even bigger window to steal sensitive data. The employer has no way of knowing how the thief will use the data: take it to a new workplace, sell it to a competitor or just leak it to the internet.

How to Prevent Employees from Stealing Confidential Data

Best Practices

Right about now, you might be ready to jump into buying one or more of the various cyber threat detection tools on the market. But before you do that, it’s important to get a better understanding of exactly what needs your attention. Here are some tips and best practices on how to avoid data theft by ex-employees:

  • Consider Gartner’s CARTA approach. By understanding the changing risk landscape and extending to employees only the level of trust appropriate at a given time, you can limit the damage any user can do.
  • Recognize that there’s no single magic pill that can beat all threats to your data. You need a set of reliable products, each with specific functionality.
  • Know what data you need to protect. Discover and inventory your sensitive information so you can develop baseline patterns in user activity related to those data storages and spot anomalous actions that could be threats.
  • Establish data security governance policies for the entire organization. Be sure that they focus on identifying and mitigating the risks to data security, and also are aligned with business needs.

Once you have a picture of what steps you need to take, you need the right technologies to bring your strategy to life. As a starting point, we’ve put together two sample toolkits — essential and advanced — that can help you perform routine monitoring and management tasks across your IT ecosystem, as well as detect and reduce potential threats (like employee data theft).

The essential toolkit includes a few basic technologies that are handy in mitigating the risk of employee data theft:

  • Basic rules and policies are your first line of defense. For example, consider isolating emails sent to personal email accounts, prohibiting storage devices such as USB thumb drives, enforcing the least-privilege principle, and monitoring all changes to privileged group membership. Require password protection for all of your systems and computers, and ensure that each user chooses a strong password.
  • A process for revoking privileges upon user termination according to best practices (provided it is diligently followed across your organization, of course) will help you ensure that no departing employees retain any access to your IT infrastructure when they are no longer in the game.
  • Auditing software solutions with log collection and reporting functionality are a must-have for staying on top of user activity. For instance, they will help you pinpoint who read what sensitive data, or how many times a specific user tried to access a shared mailbox and what exactly they did there. Integrated data loss prevention (DLP) capabilities will help you identify sensitive data and ensure it is not sent outside the organization without your knowledge by securing web and email gateways, encrypting emails, securing cloud access and more.
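To make the idea of baselining user activity and spotting anomalies (from the best practices above and the auditing bullet) concrete, here is an added example that is not Netwrix code or any product’s logic: it runs a per-user check over a constructed audit trail and flags bulk reads far above that user’s own busiest earlier day, first-time access to a share, and mail forwarded to a non-corporate domain. The log format, `CORP_DOMAIN`, the sample users and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict

CORP_DOMAIN = "example.com"  # assumed corporate mail domain, not from the article
# Constructed audit trail, one event per line: "date user action target".
# Bob's last day (03-05) shows a bulk read, a share he never used, and a forward
# to a personal mailbox; Alice's activity is a normal baseline.
SAMPLE_LOG = """\
2020-03-02 alice read /hr/payroll.xlsx
2020-03-03 alice read /hr/benefits.docx
2020-03-02 bob read /rnd/recipe-v3.docx
2020-03-03 bob read /rnd/recipe-v3.docx
2020-03-05 bob read /rnd/recipe-v1.docx
2020-03-05 bob read /rnd/recipe-v2.docx
2020-03-05 bob read /rnd/recipe-v4.docx
2020-03-05 bob read /rnd/supplier-list.xlsx
2020-03-05 bob read /finance/q1-forecast.xlsx
2020-03-05 bob forward bob.home@gmail.example
2020-03-05 alice forward carol@example.com
"""

def parse_log(text):
    """Parse "date user action target" lines; ISO dates compare correctly as strings."""
    return [dict(zip(("day", "user", "action", "target"), line.split(maxsplit=3)))
            for line in text.splitlines() if line.strip()]

def daily_reads(events):
    """{user: {day: set(files read)}}, the per-user activity baseline."""
    reads = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] == "read":
            reads[e["user"]][e["day"]].add(e["target"])
    return reads

def find_anomalies(events, review_day, bulk_factor=3, min_files=5):
    """Return (user, reason) findings for review_day, judged against each user's own earlier days."""
    findings = []
    for user, per_day in daily_reads(events).items():
        today = per_day.get(review_day, set())
        history = [files for d, files in per_day.items() if d < review_day]
        busiest = max((len(f) for f in history), default=0)  # user's busiest prior day
        if len(today) >= min_files and len(today) > bulk_factor * busiest:
            findings.append((user, f"bulk read: {len(today)} files vs baseline {busiest}"))
        seen = {p.split("/")[1] for files in history for p in files}  # top-level shares used before
        for share in sorted({p.split("/")[1] for p in today} - seen):
            findings.append((user, f"first access to share /{share}"))
    for e in events:  # forwards to non-corporate mailboxes on the review day
        if e["action"] == "forward" and e["day"] == review_day \
                and not e["target"].endswith("@" + CORP_DOMAIN):
            findings.append((e["user"], f"forward to external mailbox {e['target']}"))
    return findings
```

Run against a real audit export, the same three checks give an analyst a short list of users to review rather than the whole log.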

The advanced toolkit is for organizations that have a mature security posture and need more capabilities than the essential toolkit offers:

  • Identity and access management (IAM) technologies enable you to improve information security, optimize workflows, reduce errors and streamline compliance — all while covering the vast majority of identity-related issues, including compromised accounts, identity theft and data theft.
  • Privileged access management (PAM) helps you ensure that administrators and other privileged users have only the permissions they need at any given time to do their jobs, and to centrally monitor the activity of those users.
  • Cloud access security brokers (CASBs) improve data security in the cloud by delivering visibility into user activity and notifying admins about suspicious actions that could indicate data theft by insiders or an external attack.
  • UEBA or SIEM solutions with user behavior analytics help you identify suspicious user activity in your on-premises environment, so you can take the necessary measures to reduce risk before data theft occurs. For hybrid environments, coupling a UEBA or SIEM with a CASB yields top-to-bottom visibility.
  • Employee monitoring works like a surveillance camera, tracking all employee activities, including what data they read, which files they copied, what recipients they sent emails with critical data to, who they talk to on the phone, and more.
  • Data discovery and classification solutions help you identify what data you have, determine which of it is highly sensitive and analyze how this data is used, so you can reduce risks such as insider data theft.
  • Security services, such as penetration testing, can simulate an attacker exploiting vulnerabilities across your environment, and then guide you about how best to choke off the attack. If you don’t have an advanced security team on staff, security services provided by third-party experts can be very valuable.
  • Enterprise DLP solutions enable you to incorporate more sophisticated data protection techniques and minimize the risk of data being lost at your endpoints with centralized management, support for advanced policy definition, and event management workflows and reporting.
  • Other data protection technologies can vary from a particular capability in a single solution to a set of tools with blocking, encryption, tokenization and data masking functionality.

In today’s digital world, your organization’s most important assets are easier than ever for employees to steal, and more and more employees are admitting to such theft. Following best practices and taking advantage of the right technologies is essential to protecting your organization’s crown jewels.

Michael is a former Product Manager at Netwrix. As a PM, his main focus was User Behavior Analytics technology and insider threat mitigation strategies.