How to Mitigate the Risk of Employee Data Theft

Picture your IT infrastructure as a castle where your highly critical data resides. Just a few years ago, to defend those “crown jewels,” you could simply build a moat around the perimeter of the castle. However, times have changed. Businesses still spend billions of dollars a year on firewalls and intrusion-detection systems to try to protect their data from hacking, but often the threat is already inside the castle: their own employees. Employee data theft can lead to more than the loss of critical information; it can also result in compliance failures, legal penalties, damage to your organization’s reputation and even loss of the entire business.

Why is it so hard to protect data these days? First, many modern IT architectures are hybrid or borderless, so sensitive information isn’t stashed away in the castle’s dungeon; it’s stored in the cloud or spread across multiple systems and applications, where it’s more vulnerable. Second, the growing popularity of BYOD means IT teams frequently have no clue exactly what data insiders have access to and how they use it. Finally, too many organizations still treat security as a set-it-and-forget-it thing, rather than as a process of constant review and adjustment.

In this post, we’ll dive deep into what employee data theft is, identify the most common data theft scenarios and explore how you can mitigate the risk of employee theft of confidential information across your organization.

Employee data theft: the motives behind it

These days, almost all sensitive data is stored electronically, from confidential trade secrets to customer information to employee records and more. Employees need access to certain bits of that data to do their jobs. Unfortunately, some of them believe that if they work with certain data every day, it belongs to them, and they have a right to simply take it along when they leave the company. Others know they are stealing but do it anyway.

The motives for data theft can vary widely: setting up a competing business, selling the information on the black market, taking revenge on the employer and more. But all corporate data theft cases can be divided into the following categories:

  • Data theft driven by malicious intent. Employees with malicious intent often exhibit unusual behavior. For example, they might access files they haven’t looked at before, copy a large number of files or forward important emails to their personal mailboxes in order to sell this information later or use it to blackmail the employer. Admins with privileged rights might make critical changes without authorization or approval in order to gain the permissions needed to steal critical information. Any of these actions could be a sign of privilege abuse that could lead to data theft.
  • Data theft without malicious intent. Insiders can also take actions that put data at risk without malicious intent. For instance, users might copy files to their personal devices in order to use them for a project, without even realizing they are doing something illegal and dangerous. Even if the users would never misuse the data they copied, it can now more easily be obtained by bad actors. Therefore, the IT team has to ensure these kinds of actions can’t slip under their radar and jeopardize data security.
  • Data theft as a result of data misuse. Classic examples of data misuse are accidentally attaching the wrong sensitive data to an email or sending the right sensitive data to the wrong recipients. Whether the misuse is the result of inattention, stress, or ignorance of proper workflows, it can easily result in just as much damage as the other types of data theft.
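The behavioral indicators listed above (first-time access to sensitive files, bulk copying, forwarding mail to personal mailboxes) are exactly the kind of thing an audit-log review can surface. The following is an added example, not code from the original post or any product it mentions: it runs three simple detections over a constructed set of file and email audit events. The share paths, the set of sensitive path prefixes, the list of consumer mail domains and the bulk-copy threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events (not real logs): (timestamp, user, action, target)
EVENTS = [
    ("2024-03-01 09:10", "alice", "read",  r"\\fs01\finance\q1_forecast.xlsx"),
    ("2024-03-01 09:12", "alice", "read",  r"\\fs01\finance\budget.xlsx"),
    ("2024-03-01 10:00", "bob",   "copy",  r"\\fs01\eng\design_v1.pdf"),
    ("2024-03-02 11:30", "carol", "email", "partner@example-vendor.com"),
    # --- review window starts 2024-03-04 ---
    ("2024-03-04 08:55", "alice", "read",  r"\\fs01\finance\q1_forecast.xlsx"),  # seen in baseline
    ("2024-03-04 09:05", "alice", "read",  r"\\fs01\hr\salaries.xlsx"),           # never touched before
    ("2024-03-04 17:40", "carol", "email", "carol.home@gmail.com"),              # forward to personal mailbox
    ("2024-03-04 18:02", "dave",  "read",  r"\\fs01\public\handbook.pdf"),       # new, but not sensitive
]
# bob copies 25 engineering files within a single hour (constructed burst)
EVENTS += [("2024-03-04 18:%02d" % m, "bob", "copy", r"\\fs01\eng\design_v%d.pdf" % m)
           for m in range(25)]

REVIEW_START = datetime(2024, 3, 4)                       # activity before this builds the baseline
SENSITIVE_PREFIXES = (r"\\fs01\finance", r"\\fs01\hr")    # assumed data classification
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # assumed consumer mail providers
BULK_COPY_THRESHOLD = 20                                  # copies per user per hour; assumed tuning


def parse(events):
    """Parse timestamps and return events sorted chronologically."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), u, a, t) for ts, u, a, t in events)


def new_sensitive_access(events, review_start=REVIEW_START, prefixes=SENSITIVE_PREFIXES):
    """Users reading or copying sensitive paths they never touched before the review window."""
    baseline = defaultdict(set)
    findings = []
    for ts, user, action, target in parse(events):
        if action not in ("read", "copy"):
            continue
        if ts < review_start:
            baseline[user].add(target)
        elif target.startswith(prefixes) and target not in baseline[user]:
            findings.append((user, target))
    return findings


def bulk_copies(events, threshold=BULK_COPY_THRESHOLD):
    """Users whose copy count within one clock hour reaches the threshold."""
    per_hour = defaultdict(int)
    for ts, user, action, _target in parse(events):
        if action == "copy":
            per_hour[(user, ts.strftime("%Y-%m-%d %H"))] += 1
    return [(user, hour, n) for (user, hour), n in per_hour.items() if n >= threshold]


def forwards_to_personal_mail(events, personal_domains=PERSONAL_DOMAINS):
    """Emails whose recipient domain is a consumer mail provider."""
    return [(user, target) for _ts, user, action, target in parse(events)
            if action == "email" and target.rsplit("@", 1)[-1].lower() in personal_domains]


def run_all(events=EVENTS):
    """Run every detection and return the findings keyed by detection name."""
    return {
        "new_sensitive_access": new_sensitive_access(events),
        "bulk_copies": bulk_copies(events),
        "forwards_to_personal_mail": forwards_to_personal_mail(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

The baseline-versus-review-window split is what keeps the first detection from firing on people doing their ordinary jobs: alice reading the finance forecast she has always read is not a finding, while her first-ever read of the HR salary file is. Each detection returns a list rather than printing, so the same functions can feed a ticketing or SIEM integration.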


Top 3 most common corporate data theft scenarios

Technology provides many methods for employees to steal data, from copying files to a portable USB storage device to connecting to the corporate email system and transferring sensitive files to a personal iPhone.

Here are the most common data theft scenarios you should be aware of:

  1. Compromised accounts frequently turn out to be at the epicenter of data breaches. Hackers often gain access to an employee’s account (via tactics like spear phishing or brute-force attacks, or by simply purchasing credentials on the dark web). Once inside your network, they can lurk for months, looking for sensitive data to steal. Accounts with high-level privileges are especially valuable for external attackers, since they can be used to gain access to resources not available to most users.
  2. Third parties who have access to your sensitive information for a limited time might want to leverage the opportunity to steal that data. In fact, all too often, contractors are onboarded in such a rush to meet a deadline that IT does not take the time to determine exactly what resources they should have access to, and instead grants them far more than they need to do their jobs, or even gives them an admin account.
  3. Departing employees have become one of the top data theft threats. Right before exiting the company, some employees collect all the data that they find valuable, in blatant disregard of any non-disclosure agreements they might have signed. Or IT might leave the user account active even after the termination, giving the now-ex-employee an even bigger window to steal sensitive data. The employer has no way of knowing how the thief will use the data: take it to a new workplace, sell it to a competitor, or just leak it to the internet.

How to mitigate the risk of employee theft of confidential information

Right about now, you might be ready to jump into buying one or more of the various threat detection tools on the market. But before you do that, it’s important to get a better understanding of exactly what needs your attention. Here are some tips and best practices on how to avoid data theft by current and former employees:

  • Consider Gartner’s CARTA (Continuous Adaptive Risk and Trust Assessment) approach. By continuously assessing the changing risk landscape and extending to employees only the level of trust appropriate at a given time, you can limit the damage any single user can do.
  • Recognize that there’s no single silver bullet that can beat all threats to your data. You need a set of reliable solutions, each with specific functionality.
  • Know what data you need to protect. Discover and inventory your sensitive information and where it resides, so you can identify patterns in user activity related to that data storage and spot anomalous actions that could be threats.
  • Establish data security governance policies for the entire organization. Be sure that they focus on identifying and mitigating the risks to data security, but also are aligned with business needs.

Once you have a picture of what has to be in place, you need the right technologies to bring your strategy to life. As a starting point, we’ve put together two sample toolkits — essential and advanced — that can help you perform routine monitoring and management tasks across your IT ecosystem, as well as detect and reduce potential threats (like employee data theft).

The essential toolkit includes a few basic technologies that are handy in mitigating the risk of employee data theft:

  • Basic rules and policies are your first line of defense. For example, consider isolating emails sent to personal email accounts, prohibiting storage devices such as USB thumb drives, enforcing the least-privilege principle, and monitoring all changes to privileged group membership.
  • A process for revoking privileges upon user termination according to best practices (provided it is diligently followed across your organization, of course) will help you ensure that no departing employees retain any access to your IT infrastructure once they have left.
  • Auditing tools with log collection and reporting functionality are a must-have for staying on top of user activity. For instance, they will help you identify who read what sensitive data, or how many times a specific user tried to access a shared mailbox and what exactly he or she did there. If you have a bigger budget, a SIEM solution will be your best bet here.
  • Integrated data loss prevention (DLP) solutions will help you identify sensitive data and ensure it is not sent outside the organization without your notice by securing web and email gateways, encrypting emails, securing cloud access, and more.
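Two of the essential controls above, revoking access on termination and monitoring changes to privileged group membership, are easy to state and easy to let slip. The following is an added example, not code from the original post or any vendor it mentions: it reconciles a constructed HR termination feed against a constructed directory snapshot to find accounts that should already be disabled, and reviews a constructed list of group-membership change events for additions to privileged groups that lack an approved change ticket or were made by the actor on their own account. The group names, ticket identifiers, dates and the zero-day grace period are all assumptions.

```python
from datetime import date, timedelta

# Constructed HR feed (not real data): user -> termination date, None = still employed
HR_TERMINATIONS = {
    "alice": None,
    "bob": date(2024, 3, 1),
    "carol": date(2024, 2, 15),
    "erin": date(2024, 3, 10),
}

# Constructed directory snapshot as of 2024-03-05
DIRECTORY = {
    "alice": {"enabled": True,  "last_logon": date(2024, 3, 4)},
    "bob":   {"enabled": True,  "last_logon": date(2024, 3, 3)},   # left 03-01, still enabled and logging on
    "carol": {"enabled": False, "last_logon": date(2024, 2, 14)},  # correctly disabled
    "erin":  {"enabled": True,  "last_logon": date(2024, 3, 4)},   # termination date is in the future
}
GRACE_DAYS = 0  # assumed policy: the account is disabled on the termination day itself

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}  # assumed list

# Constructed membership change events: (timestamp, actor, action, group, member, ticket)
GROUP_CHANGES = [
    ("2024-03-04 09:00", "svc_iam", "add",    "Domain Admins",    "frank", "CHG-1042"),
    ("2024-03-04 13:15", "bob",     "add",    "Domain Admins",    "bob",   None),  # self-grant, no ticket
    ("2024-03-04 13:20", "alice",   "add",    "Sales",            "gina",  None),  # not a privileged group
    ("2024-03-04 22:05", "bob",     "remove", "Backup Operators", "heidi", None),  # no ticket
]
APPROVED_TICKETS = {"CHG-1042"}  # constructed change-management approvals


def stale_accounts(hr, directory, as_of, grace_days=GRACE_DAYS):
    """Accounts still enabled after the owner's termination date.

    Returns (user, termination_date, logged_on_after_termination) tuples.
    """
    findings = []
    for user, term in hr.items():
        if term is None or term + timedelta(days=grace_days) > as_of:
            continue  # still employed, or not yet past the grace period
        acct = directory.get(user)
        if acct is None or not acct["enabled"]:
            continue  # no account, or already disabled
        findings.append((user, term, acct["last_logon"] > term))
    return findings


def unapproved_privileged_changes(changes, privileged=PRIVILEGED_GROUPS, approved=APPROVED_TICKETS):
    """Privileged-group membership changes that lack an approved ticket or are self-granted."""
    findings = []
    for ts, actor, action, group, member, ticket in changes:
        if group not in privileged:
            continue
        reasons = []
        if ticket not in approved:
            reasons.append("no approved change ticket")
        if actor == member:
            reasons.append("actor modified own membership")
        if reasons:
            findings.append((ts, actor, action, group, member, reasons))
    return findings


if __name__ == "__main__":
    for hit in stale_accounts(HR_TERMINATIONS, DIRECTORY, as_of=date(2024, 3, 5)):
        print("stale account:", hit)
    for hit in unapproved_privileged_changes(GROUP_CHANGES):
        print("privileged change:", hit)
```

The third element of each stale-account finding (whether the account logged on after the termination date) separates a paperwork lapse from an account that is actually being used and needs an incident ticket, not just a disable. Removals from privileged groups are reviewed as well as additions, since an attacker with admin rights may remove others to cover tracks or lock out responders.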

The advanced toolkit is for experienced security pros who need more than what the technologies in the essential toolkit have to offer:

  • Identity and access management (IAM) technologies enable you to improve information security, optimize workflows, reduce errors and streamline compliance — all while covering the majority of identity-related issues, including compromised accounts, identity theft and data theft.
  • Privileged access management (PAM) helps you ensure that administrators and other privileged users have only the permissions they need at any given time to do their jobs, and to centrally monitor the activity of those users.
  • Cloud access security brokers (CASB) improve data security in the cloud by delivering visibility into user activity and notifying admins about suspicious actions that could indicate data theft by insiders or an external attack.
  • UEBA or SIEM solutions with user behavior analytics help you identify suspicious user activity in your on-premises environment, so you can take the necessary measures to reduce risk before data theft occurs. For hybrid environments, coupling a UEBA or SIEM with a CASB gives you top-to-bottom visibility.
  • Employee monitoring works like a surveillance camera, tracking all employee activities, including what data they read, which files they copy, to whom they send emails containing critical data, who they talk to on the phone and more.
  • Data classification and discovery solutions help you identify what data you have, determine which of it is highly sensitive and analyze how this data is used, so you can reduce risks such as insider data theft.
  • Security services, such as penetration testing, can simulate an attacker exploiting vulnerabilities across your environment, and then guide you on how best to choke off the attack. If you don’t have an advanced security team on staff, security services provided by third-party experts can be very valuable.
  • Enterprise DLP solutions enable you to incorporate more sophisticated data protection techniques and minimize the risk of data loss at your endpoints with centralized management, support for advanced policy definition, and event management workflows and reporting.
  • Data protection technologies, which can range from a single capability within one solution to a full set of tools with blocking, encryption, tokenization and data masking functionality.

In today’s digital world, your organization’s most important assets are easier than ever for employees to steal, and more and more employees are admitting to such theft. Following best practices and taking advantage of the right technologies is essential to protecting your organization’s crown jewels.