Internal data theft happens when employees steal data from their employer. Often, this occurs when employees leave their job and go to work for a competitor. On their way out the door, employees grab client lists, trade secrets, and other data they can use at their new gig.
But this isn't the only type of internal security breach. Outgoing employees can…
- Steal data and use it to commit fraud.
- Use privileged network access to steal money from the company's bank account.
- Use insider knowledge and data about upcoming corporate takeovers to commit insider trading.
We're not trying to make you paranoid about your clients' employees. But insider data theft is becoming more common, and it's important not to overlook this liability.
How Big a Problem Is Insider Data Theft?
Cyber liability researcher Advisen reports on the increasing trend of insider data theft. Consider the following:
- Six in 10 employees admit to stealing trade secrets when leaving one job for another.
- There's been a 39 percent increase in insider data theft since 2010.
Insider data theft usually occurs in the last week or two of employment, so IT departments should check outgoing employees' computers for downloads of proprietary data and other signs of theft.
But there's a human element that IT departments need to keep in mind. You don't want employees to feel like they're being watched. Departing employees shouldn't feel like they have to pass through metal detectors on their way out the door. This type of office environment is bad for a company's reputation and it will likely lead to employees being suspicious of IT personnel and not seeking their help.
In other words, an IT contractor will need policies that institute security without making employees feel like Big Brother is watching. A sensible approach to preventing internal cyber threats should include…
- Cutting down on "shadow IT."
- Limiting access to sensitive data.
- Removing an employee's access to data and deleting their account after they leave the business.
- Checking employee computers for signs of theft when they move to a competitor.
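One way to keep the check for signs of theft scoped to departing staff, shown as an added example that is not part of the original article: it counts copies from protected folders in each leaver's final 14 days and compares the count with that person's own earlier average. The folder names, HR dates, log format and 3x threshold are assumptions, and all events are constructed sample data.

```python
from collections import Counter
from datetime import date, timedelta

# Hypothetical protected folders; replace with the data the client identified.
SENSITIVE = ("/shares/clients/", "/shares/cad/")
# Constructed HR feed: user -> last day of employment.
LAST_DAY = {"alice": date(2024, 3, 29), "bob": date(2024, 3, 15)}

def d(s):
    return date.fromisoformat(s)

def copies(user, path, days):
    return [(d(x), user, "copy", path) for x in days]

# Constructed file-audit events: (day, user, action, path).
EVENTS = (
    copies("alice", "/shares/clients/list.xlsx",
           ["2024-02-05", "2024-02-20", "2024-03-01", "2024-03-10"])
    + copies("alice", "/shares/cad/bridge.dwg",
             ["2024-03-18", "2024-03-20", "2024-03-22",
              "2024-03-25", "2024-03-27", "2024-03-28"])
    + copies("alice", "/home/alice/notes.txt", ["2024-03-26"])  # not protected
    + copies("bob", "/shares/clients/list.xlsx",
             ["2024-02-10", "2024-02-25", "2024-03-05", "2024-03-12"])
    + copies("carol", "/shares/cad/bridge.dwg", ["2024-03-20"] * 20)  # not leaving
)

def review_departures(events, last_day, window_days=14, baseline_windows=4, ratio=3.0):
    """Return {user: (copies_in_final_window, earlier_average_per_window)}
    for leavers whose final-window count exceeds ratio x their own baseline."""
    in_window, before = Counter(), Counter()
    for day, user, action, path in events:
        end = last_day.get(user)
        # Only departing users, copy actions and protected folders are reviewed.
        if end is None or action != "copy" or not path.startswith(SENSITIVE):
            continue
        start = end - timedelta(days=window_days - 1)
        base_start = start - timedelta(days=window_days * baseline_windows)
        if start <= day <= end:
            in_window[user] += 1
        elif base_start <= day < start:
            before[user] += 1
    flagged = {}
    for user, n in in_window.items():
        baseline = before[user] / baseline_windows
        if n > ratio * max(baseline, 1.0):  # floor avoids flagging tiny counts
            flagged[user] = (n, baseline)
    return flagged

if __name__ == "__main__":
    print(review_departures(EVENTS, LAST_DAY))
```

Employees who are not on the departure list never enter the review, which keeps the check limited to the final weeks of employment.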
Who Is at Risk for Insider Data Theft?
Different industries have different insider data risks. A sales firm needs to protect its contact lists. Startup mobile developers need to protect their source code. Engineering firms should protect schematics and AutoCAD models.
Work with clients to identify which data should be protected. Some experts also suggest that clients identify which employees might be most likely to steal data. This doesn't mean figuring out which employees are suspicious characters. Rather, it's about identifying who would have the most to gain from taking data with them.
Don’t forget that there are specific things you can do to prevent internal cyber risk. As an outside consultant, your best play is to…
- Collaborate with your clients.
- Make sure they understand the role they play in preventing insider data breaches.
- Concentrate your efforts on employees who are most likely to steal data.
For instance, an engineering firm might have employees who work closely with particular clients. It's not uncommon for these employees to be hired away by the client.
In situations like this, it's important to recognize that as an IT consultant, you're limited in your reach. Ideally, your clients should handle many of these matters on their own. Employee contracts and policies should emphasize that it's illegal to steal schematics, business IP, and other proprietary data.