Black Hat Europe 2019: Did your employee leave with the data?

News by Chandu Gopalakrishnan

Departing employees account for more than half of all insider threat incidents; Two out of three professionals openly admit to taking data with them when they quit

CapitalOne stands tall in the data breach calendar this year. Insider threats have become a daily affair in cyber-security. The perpetrator of this breach turned out to be a former employee of Amazon Web Services, which was contracted by Capital One. The insider had access to sensitive data, and walked out with it at the end of the employment contract.

"Since 2016, the average number of incidents involving employees or contractor negligence has increased by at least 26 percent, and it’s still going up," said Charity Wright, cyber-threat intelligence advisor at IntSights. 

Insiders are responsible for 43 percent of data breaches, says McAfee. The rise is over 50 percent when it comes to criminal and malicious insiders, she told the audience at Black Hat Europe 2019.

"Insiders are focused on the information that does the most damage. We’re talking about credentials, employee and customer personal identification information (PII), financial details, classified information, and products and services."  

Wright defines a malicious insider as someone with internal access who abuse their authority with the intent of causing damage to an organisation.

"Malicious insiders is somebody who has a plan and a reason for executing it. It’s a purposeful abuse of their accesses," she said.

The average number of credential thefts has more than doubled over the past two years, with breaches by negligence often as severely damaging as malicious insider action, she explained. And a sizeable number of threats come from ex-employees.

"Departing employees -- employees who are leaving your organisation -- account for more than half of all insider threat incidents. And two out of three professionals openly admit to taking data with them when they leave the organisation. Some of us are doing it by accident but a lot of people are doing it on purpose."

Part of this could be attributed to the fact that people are changing their jobs much more often than they used to, observed Richard Agnew, VP-EMEA at Code42.

"Ten years ago, if I saw a CVs of people who changed their jobs every two years, I would say they're job hoppers. I saw a statistic that in the UK that somebody joining the workforce from university or college at the age of 21 would have worked for ten companies by the time they hit 35," he said, speaking at a presentation at Black Hat. 

This fast switch of jobs result in less loyalty and more careerism. Adding fuel to the situation is the ease in data portability, especially with cloud services, he pointed out.

"The other thing we see with cloud services is that it's very, very easy when you're sharing files to accidentally make them public as opposed to private."

The trigger could be anything, from employee dissatisfaction as in the CapitalOne incident or the feeling of entitlement on the data the employee created for the company.

Google’s parent company Alphabet sued former engineer Anthony Levandowski in 2017. Levandowski moved to Uber from Alphabet, and the company accused him of copying more than 14,000 internal files and taking them to his new employer.

"Normally, this is done 30 days before people decide to leave the company. People think, ‘OK, when I submit my notice, I may be asked to leave the company straightaway. So it I’m going to do it 30 days before’," Agnew said, citing surveys done by Code42.

"And then there is this employee myth that they are taking this to help them in their career or living."

Departing employees is the biggest single threat of insider data loss and yet most companies don't have a process to manage this, he pointed out. A quick question to the audience -- mostly cyber-security businessmen and professionals -- met with the reply that none of their companies have a plan for plugging this loophole.

The common process when people leave the company is they inform their line manager, who then contacts HR. The employees will hand over their badge and devices the day they leave. But nobody will say to them, ‘have you handed in all the data?’, said Agnew.

"When somebody leaves the company, it's hard to find out what information they're taken to a competitor. To be honest, the competitor they go to might not even know that a person has brought that information in. They're just using it as part of their job, and may not be aware of it."

The beans are spilled when an identifiable piece of intellectual property is used by the competitor company. Proving data theft at that point might be extremely difficult, he said.

"What we are advocating really is a date sort of login, where we change the process such that when somebody hands in their notice, we add them to a watch list. This enables us to look backwards and see what they did prior to when they handed in their notice."

Disgruntled employees can cause significant damage to the company's reputation or to its intellectual property, says the Society of Human Resource Management.

"A monitoring system is key to ensure compliance and to manage employee accounts that have access to sensitive data," writes Samuel Lanier Felker of law firm Baker Donelson. "An effective monitoring system will allow you to track, log and record account activity and create alerts to allow for a quick response when suspicious activity is detected."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews