Insider Data Theft

After a quick browse of cybersecurity headlines, any reader would quickly see the sheer volume of new and evolving threats an organisation may face. Often the biggest threats originate from outside an organisation. However, inside threats should be treated with just as much urgency. 

Whether you are a large, medium or small sized organisation, data theft is a huge problem that needs to be identified as early as possible. Not so long ago an insider data theft breach could be wrapped up and escape news headlines, however with the introduction of GDPR and strict guidelines on reporting such breaches, this is no longer the case.

Insider Data Theft Motive

Motives for insider data theft can range from career development to deliberate theft to cause damage. Intellectual property (trade secrets and financial forecasts) and Personally Identifiable Information (PII) can be extremely valuable to the right buyer. Citing the 2018 Verizon Data Breach Report [1], 76% of data breaches in 2017 were linked to an individual stealing data for financial gain.

Take the following scenario – An employee hands in their resignation, during their notice period they most likely still have access to important systems and file shares to carry out their day to day work. It only takes them a number of minutes to transfer sensitive files to their local machine and then to a USB stick. As an organisation, how can you get the visibility to detect such an event?

Recently at a customer who has deployed an advanced network traffic monitoring solution, Cyberseer’s Analysts noticed an employee connecting to and downloading a large number of files from an internal file share.

Insider Data Theft Blog

Upon alerting the customer, it was revealed that this employee was mid-way through their notice period after recently handing in their resignation. As a figure with a senior position, they had access to business accounts information, contracts and internal payroll data. Stepping back and looking at the incident timeline, it went as follows:

  • Remote user connects to the corporate network via VPN – Their credentials are tracked and out of hours connection is seen as abnormal when compared to user’s daily activity.
  • The user connects to file share – An unusual time for connection to file share when compared to the user’s history.
  • The user begins transferring large numbers of files to the local machine – An unusual amount of data transferred when compared to the user’s history.


Detecting insiders committing data theft in your organisation’s network can be challenging. It’s impossible to get inside the head of your employees and equally as hard to know when they are planning to resign. Rather than waiting to be made aware of a resignation for the employee to become a high risk, think about deploying solutions that provide full visibility into your network and continuously monitor all users and devices to look out for the early signs of compromise.

Sources: [1] –