Kexue Huang worked for two different U.S. companies. Between 2007 and 2010, he sold proprietary data from both of his workplaces to competitors operating in Germany and China. By the end of the process, both companies lost between $7 and $20 million in revenue because of the breach. Huang was sentenced to 87 months in prison and three years of supervised release.
The Types of Organizations That Are Likely to Lose Data
Many companies spend a lot of money trying to protect data from hackers. However, they sometimes ignore the threat of data breaches posed by their own employees. The FBI has identified some situations in which internal data theft commonly occurs. The agency also suggests common warning signs that may indicate questionable actions by employees.
Do any of these characteristics describe your organization? If so, then you are at risk for losing intellectual property and sensitive data:-
- Protected materials are easy to access. Your company doesn’t manage access privileges, giving employees who don’t need access to certain types of data the ability to open up highly sensitive proprietary information. You don’t properly label sensitive information, and it’s easy for employees to exit the system after they download data.
- The company has inadequate security procedures. Employees have the impression that your company’s security procedures are lax. You don’t have written policies for dealing with sensitive data, and you don’t offer employee training about handling intellectual property.
- Employees are under time pressure. Your employees may be pressed for time on a particular project, which may cause them not to consider the consequences of inadequately securing protected materials. They may also be tempted to work on sensitive projects at home.
Characteristics of Employees That Are Likely to Steal
Sometimes, employees take home proprietary data with the best of intentions. For example, they may want to complete some extra work over the weekend, so they download files onto a USB drive. At other times, employees take sensitive information for more malicious reasons. The FBI suggests keeping an eye on employees who might:
- Have major problems in their private lives. Problems like substance abuse, marital problems, financial struggles or other personal issues aren’t always indicative of suspicious behavior, but employers should stay vigilant.
- Experience problems on the job. If employees feel a lack of recognition on the job, have disagreements with colleagues or find out about an impending separation, then they may decide to seek revenge.
- Exhibit a sense of entitlement. Feeling valued for a job well-done is a fair expectation. However, an employee that acts as though he or she is above the rules, or an employee that is vulnerable to flattery or the offer of a better job, may be willing to engage in data theft.
- Display divided loyalty. An employee who owes something to another country or wants to ingratiate himself or herself to someone who could benefit from receiving inside information might steal intellectual property. Alternatively, the employee may have an ideological allegiance to a particular person or cause.
- Seek adventure. Some employees think that stealing proprietary information will add a sense of adventure to their lives. These employees may also be vulnerable to extortion because of fraud or gambling debts.
Also, be aware when an employee commonly disregards security procedures by taking proprietary information home, photocopying sensitive records, visiting unauthorized websites or accessing the network during off-hours. Suspicious contacts with competitors, unusual trips to foreign countries and unexplained affluence should also cause alarm.
Vulnerabilities from Mobile Devices
The addition of mobile devices has made data loss even more likely. According to the Ponemon Institute, 77 percent of IT professionals surveyed expressed concern that a lack of security protocols for smartphones, tablets and other edge devices presented major security risks. Additionally, as employers give workers increased freedom to work offsite, IT professionals worry that they have no way to know whether employees follow security policies or comply with regulatory requirements.
You want to think the best of the people who work for you. In many cases, it’s tough to tell whether data loss has occurred because of negligence or fraud. However, since businesses lose approximately $194 for every data breach, employers have to start asking difficult questions about potential insider misconduct.
About the Author: Christopher Budd is a seasoned veteran in the areas of online security, privacy and communications. Combining a full career in technical engineering with PR and marketing, Christopher has worked to bridge the gap between “geekspeak” and plain English, to make awful news just bad and to help people realistically understand threats so they can protect themselves online. Christopher is a 10-year veteran of Microsoft’s Security Response Center, has worked as an independent consultant and now works for Trend Micro Data Protection.