Why rogue employees may pose bigger threat to corporate data than hackers
As stolen company information is turning up for sale on the Dark Web, analysts say the insider threat is creating a security nightmare for companies with sensitive and proprietary data.
Carlos Jasso/Reuters
As a computer programmer for Monsanto Co., Jiunn-Ren Chen developed algorithms and wrote programs that gave him access to the agriculture giant’s confidential trade secrets and proprietary information.
But last month, after Mr. Chen left the company, Monsanto sued its former employee for allegedly abusing his access to steal 52 files containing sensitive company data. Chen, whose lawyers could not immediately be reached for comment, is accused of downloading that information shortly after he had announced he was leaving Monsanto to consider employment with a Chinese competitor. According to court documents in the Eastern District Court of Missouri, Monsanto personnel uncovered Chen’s illegal activity after discovering malicious code on two of his computers.
Investigators found “highly sophisticated and unauthorized software that could be used to perform reconnaissance, exfiltrate data and conceal activity,” according to Monsanto's lawyers, who also alleged that, because of the proprietary nature of the data, Chen’s theft had the potential to cause “substantial” harm to the company.
It's not just Monsanto battling what's known as the "insider threat."
In fact, many security analysts now fear, disloyal employees pose a greater threat to companies' data security than outside hackers.
“A lot of companies are really worried about employees walking off with their data," says Avivah Litan, an analyst at advisory and research firm Gartner. “Insider threats have become a major issue because external criminals are actively recruiting insiders to help perpetrate their crimes, while disgruntled employees are actively making their insider services available."
The banking sector is especially worried about insider threats, Ms. Litan says, noting the issue has become more pressing over the last two years because of the Dark Web. Disgruntled employees, especially those working in data-rich organizations like financial services companies, pharmaceutical firms, and in government are being actively recruited by and selling access to network credentials and corporate data to criminals on the Dark Web.
Indeed, the Monsanto incident is the third in recent weeks where an insider has been accused of involvement in the theft of proprietary data from his employer.
An information technology worker at the Panamanian law firm Mossack Fonseca’s offices in Geneva was arrested in June for his alleged involvement in the theft of 11.5 million files documenting secret bank accounts. The files may have been the basis for the Panama Papers, which revealed controversial financial dealings of international politicians and public figures. A spokesman for Mossack Fonseca told the Swiss newspaper Le Temps said a formal complaint had been made against the worker for illegally removing data from a company computer and for breaching the law firm’s confidentiality agreement.
Meanwhile, the digital theft of $81 million from the Bangladesh central bank reported earlier this year may have occurred with help from someone on the inside. The FBI suspects at least one bank employee helped hackers navigate the bank’s system, and news reports indicated a few others may have also been involved.
It's an industry-wide issue: An Intel report from September 2015 determined that insiders could be blamed for 43 percent of lost data, and Verizon’s 2016 breach report blamed disgruntled insiders for roughly one in ten security incidents.
Despite a heightened awareness in recent years, experts say a majority of organizations remain dangerously vulnerable to the threat.
The first reason is cultural. “Most people feel that insiders are supposed to be trusted,” says Gaby Friedlander, co-founder and chief technology officer of ObserveIT, a company that helps businesses manage insider threats. “There’s a culture issue that protects the insider from being watched.”
Insiders often have the benefit of time to poke and prod their way around systems, and slowly siphon off data without raising any red flags because most of the time, no one is watching, Mr. Friedlander said.
But there are also technical challenges to catching potential leakers already working at the company. That's partly because security teams do not have visibility into how every individual employee, and others with access to corporate assets, might be behaving and interacting, said Ryan Stolte, co-founder and CTO at security vendor Bay Dynamics.
“Think of an office building. The security team is similar to the guards manning the front desk,” said Mr. Stolte. “They check badges to make sure only authorized people are entering. However once people are inside, they cannot see what each individual is doing every minute of the day.”
There are numerous instances where such insouciance has cost organizations dearly. In 2005, a research scientist at the chemical company DuPont stole intellectual property with a street value estimated at some $400 million over a period of several months. Though he accessed a DuPont database containing proprietary data about 15 times more frequently than the next most frequent user, and downloaded a whopping 22,000 technical abstracts and more than 16,500 PDF documents, no one noticed the theft until after the scientist announced his plans to leave DuPont.
Michael Bruemmer, vice president at the credit protection company Experian Data Breach Resolution, recommended companies conduct background and credit checks on employees when they are hired, then randomly throughout their course of employment to identify employees that could pose a risk.
“If an employee is put on a performance plan or facing a potential layoff, it would make sense to monitor their network activity much closer,” Mr. Bruemmer said. But companies are often reluctant to utilize such measures for fear of appearing to be a “big brother” and turning off high-performing employees, Bruemmer added.
Another obstacle: The tools available to companies to track insider threats are still evolving.
Most of the security controls companies have in place for protecting data are meant to stop threats from outside the enterprise network, said Gartner’s Litan, and not as much from the threats within. When organizations do have controls that limit internal access to certain files or databases, they typically do not have anything to monitor what someone with legitimate access to those assets might do with it, she said.
“Insiders know exactly how things are laid out and where the organization’s valuable assets and information are stored,” Litan says. “Some trusted users know exactly how to access these crown jewels, and are not necessarily suspect when they do."