An Inside Job: Protecting Your Data from Employees

Whether innocently or on purpose, sometimes your own employees can steal or damage data. How does this happen, and what security solutions can help you prevent it?

By Tim Pritchett

What makes a good employee steal data?

It’s hard to say. It could be revenge, financial gain, or feeling ownership of work done at the company. Whatever the reasons, about 12 percent of employees who left an organization last year took some kind of data with them, according to the DTEX 2023 Insider Risk Investigations Report.

But it’s not just theft that threatens data. Employees account for 19 percent of all breaches, according to Verizon’s 2023 Data Breach Investigation Report, and those breaches aren’t always malicious. Sometimes devices get lost, and other times data gets exposed accidentally.

Here’s a few examples of data breaches by “insiders”:

• Before he left the company, a former Yahoo employee hired at a competitor downloaded about 570,000 pages of proprietary source code, algorithms and internal strategy documents.
• A group of Microsoft employees were reported to have accidentally exposed sensitive login information for Microsoft’s own systems.
• An ex-employee of a Fortune-500 firm was caught trying to sell network login information on an online forum.

When Insiders are Malicious

According to Verizon, 99 percent of all “Privilege Misuse” breaches – which are when legitimate logins and passwords are used for unapproved or malicious purposes – are caused by current or former employees.

Regardless of advanced malware protection or secure network defenses, protecting data from insiders with access and malicious intent is nearly impossible. They may do this for money, to obtain trade secrets, or retaliate against their employer. While never preventable, some key best practices can help bolster your overall security strategy. These include:

• Take advantage of the tools you already own. Microsoft Privileged Identity Management (PIM) allows you to not only grant elevated access as needed, but provides detailed logging, alerts, and reporting when elevated access is granted.
• Implement a strict Role Based Access Control (RBAC) environment with appropriate checks and balances. Strategize ways to restrict even an admin’s ability to have the keys to all systems at the same time.
• If approaching a termination or even a resignation, implement logging and curtail access at least a week before a person is set to be let go. SaaS environments like M365 Data Loss Prevention (DLP) or Google Workspace have baked in tools to alert admins when a user exports a large quantity of files.
• Identify your employees with the most sensitive data access. Conduct regular reviews of traffic logs, endpoint reports, and file server/SaaS file storage by a department other than IT. Sharing the oversight of employee data protection between departments recognizes the importance of data protection as a business issue, not simply a technology challenge.

Who’s Making the Mistakes?

Unfortunately, when it comes to exposing data by mistake, it’s rarely the fault of end users. The vast majority are developers and system admins, according to the Verizon report. Remember the massive airline and FAA data losses earlier this year? The 2020 SolarWinds breach left thousands of companies exposed because those companies followed best practice and updated the software to the newest (compromised) version. The employees updating software and networks have a major responsibility to keep data safe and accessible, and sometimes errors happen. So how can you protect yourself against mistakes like deleting or exposing sensitive data?

• Schedule regular maintenance on all systems and log those changes. Keep track of who, when, and why system upgrades occurred.
• When sensitive information is involved, take time to schedule multiple preparation meetings for initial planning, tabletop upgrade, and the actual implementation. Include a backup plan and identify risk exposure prior to the upgrade.
• Incorporate your CFO, CEO, insurance company, and marketing/public relations into quarterly planning meetings for a data breach update. Document those meetings and distill the discussion to a simple call list and bullet points identifying who needs to know what and when in the event of an incident.

Protecting Data from the Inside Out

Protecting your system from bad actors on the outside, but knowing that nearly 20 percent of data breaches and exposures happen from the inside means you need to have a strategy and plan for those scenarios as well. Contact Matrix Integration for a free cybersecurity assessment.

As managed IT providers, this security risk assessment will help us learn more about how your cybersecurity capabilities and data recovery processes measure up against both outside threats and those that could come from employees. We have security solutions for SMBs as well as for enterprise-level companies. Has your company ever experienced a breach from the inside? How did you handle it?