Blog – Insider Data Theft

Blog Elizabeth Gladen today28/02/2019 35 2

Background
share close

After a quick browse of cybersecurity headlines, any reader would quickly see the sheer volume of new and evolving threats an organisation may face. Often the biggest threats originate from outside an organisation. However, inside threats should be treated with just as much urgency. Whether you are a large, medium or small sized organisation, data theft is a huge problem that needs to be identified as early as possible. Not so long ago an insider data theft breach could be wrapped up and escape news headlines, however with the introduction of GDPR and strict guidelines on reporting such breaches, this is no longer the case.

Insider Data Theft Motive

Motives for insider data theft can range from career development to deliberate theft to cause damage. Intellectual property (trade secrets and financial forecasts) and Personally Identifiable Information (PII) can be extremely valuable to the right buyer. Citing the 2018 Verizon Data Breach Report [1], 76% of data breaches in 2017 were linked to an individual stealing data for financial gain.

Take the following scenario – An employee hands in their resignation, during their notice period they most likely still have access to important systems and file shares to carry out their day to day work. It only takes them a number of minutes to transfer sensitive files to their local machine and then to a USB stick. As an organisation, how can you get the visibility to detect such an event?

Recently at a customer who has deployed an advanced network traffic monitoring solution, Cyberseer’s Analysts noticed an employee connecting to and downloading a large number of files from an internal file share.

Insider Data Theft Blog

Upon alerting the customer, it was revealed that this employee was mid-way through their notice period after recently handing in their resignation. As a figure with a senior position, they had access to business accounts information, contracts and internal payroll data. Stepping back and looking at the incident timeline, it went as follows:

  • Remote user connects to the corporate network via VPN – Their credentials are tracked and out of hours connection is seen as abnormal when compared to user’s daily activity.
  • The user connects to file share – An unusual time for connection to file share when compared to the user’s history.
  • The user begins transferring large numbers of files to the local machine – An unusual amount of data transferred when compared to the user’s history.

When?

Detecting insiders committing data theft in your organisation’s network can be challenging. It’s impossible to get inside the head of your employees and equally as hard to know when they are planning to resign. Rather than waiting to be made aware of a resignation for the employee to become a high risk, think about deploying solutions that provide full visibility into your network and continuously monitor all users and devices to look out for the early signs of compromise.

Sources: [1] – https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf

Written by: Elizabeth Gladen

Rate it
Previous post
Blog Wannacry Ransomware Threat Continues 21 Months Later from initial outbreak

today13/02/2019

  • 47
Featuredstar
close

Blog Elizabeth Gladen

Blog – Wannacry 21 months later

21 months after Wannacry’s initial discovery, a recent report from Kaspersky Labs has revealed that the WannaCry ransomware is still the most prevalent “crypter” with close to 75,000 users being ...


Similar posts

Post comments (2)

  1. Viktor on 24/03/2019

    Hi Elizabeth,

    How do you think – what is the real cost of data breaches?

Leave a reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.