Why rogue employees may pose bigger threat to corporate data than hackers
As a computer programmer for Monsanto Co., Jiunn-Ren Chen developed algorithms and wrote programs that gave him access to the agriculture giant's confidential trade secrets and proprietary information.
But last month, after Mr. Chen left the company, for allegedly abusing his access to steal 52 files containing sensitive company data. Chen, whose lawyers could not immediately be reached for comment, is accused of downloading that information shortly after he had announced he was leaving Monsanto to consider employment with a Chinese competitor. According to court documents in the Eastern District Court of Missouri, Monsanto personnel uncovered Chen's illegal activity after discovering malicious code on two of his computers.
Investigators found "highly sophisticated and unauthorized software that could be used to perform reconnaissance, exfiltrate data and conceal activity," according to Monsanto's lawyers, who also alleged that, because of the proprietary nature of the data, Chen's theft had the potential to cause "substantial" harm to the company.
It's not just Monsanto battling what's known as the "insider threat."
In fact, many security analysts now fear that disloyal employees pose a greater threat to companies' data security than outside hackers.
"A lot of companies are really worried about employees walking off with their data," says Avivah Litan, an analyst at advisory and research firm Gartner. "Insider threats have become a major issue because external criminals are actively recruiting insiders to help perpetrate their crimes, while disgruntled employees are actively making their insider services available."
The banking sector is especially worried about insider threats, Ms. Litan says, noting the issue has become more pressing over the last two years because of the Dark Web. Disgruntled employees, especially those working in data-rich organizations like financial services companies, pharmaceutical firms, and government, are being actively recruited by criminals on the Dark Web and are selling them access to network credentials and corporate data.
Indeed, the Monsanto incident is the third in recent weeks where an insider has been accused of involvement in the theft of proprietary data from his employer.
An information technology worker at the Panamanian law firm Mossack Fonseca's offices in Geneva was arrested in June for his alleged involvement in the theft of 11.5 million files documenting secret bank accounts. The files may have been the basis for , which revealed controversial financial dealings of international politicians and public figures. A spokesman for Mossack Fonseca said a formal complaint had been made against the worker for illegally removing data from a company computer and for breaching the law firm's confidentiality agreement.
Meanwhile, the digital theft of $81 million from the Bangladesh central bank may have occurred with help from someone on the inside. The FBI suspects at least one bank employee helped hackers navigate the bank's system, and news a few others may have also been involved.
It's an industry-wide issue: An from September 2015 determined that insiders could be blamed for 43 percent of lost data, and Verizon's 2016 breach report blamed disgruntled insiders for roughly one in ten security incidents.
Despite a heightened awareness in recent years, experts say a majority of organizations remain dangerously vulnerable to the threat.
The first reason is cultural. "Most people feel that insiders are supposed to be trusted," says Gaby Friedlander, co-founder and chief technology officer of ObserveIT, a company that helps businesses manage insider threats. "There's a culture issue that protects the insider from being watched."
Insiders often have the benefit of time to poke and prod their way around systems, and slowly siphon off data without raising any red flags because most of the time, no one is watching, Mr. Friedlander said.
But there are also technical challenges to catching potential leakers already working at the company. That's partly because security teams do not have visibility into how every individual employee, and others with access to corporate assets, might be behaving and interacting, said Ryan Stolte, co-founder and CTO at security vendor Bay Dynamics.
"Think of an office building. The security team is similar to the guards manning the front desk," said Mr. Stolte. "They check badges to make sure only authorized people are entering. However once people are inside, they cannot see what each individual is doing every minute of the day."
There are numerous instances where such insouciance has cost organizations dearly. In 2005, a research scientist at the chemical company stole intellectual property with a street value estimated at some $400 million over a period of several months. Though he accessed a DuPont database containing proprietary data about 15 times more frequently than the next most frequent user, and downloaded a whopping 22,000 technical abstracts and more than 16,500 PDF documents, no one noticed the theft until after the scientist announced his plans to leave DuPont.
Michael Bruemmer, vice president at the credit protection company Experian Data Breach Resolution, recommended companies conduct background and credit checks on employees when they are hired, then randomly throughout their course of employment to identify employees that could pose a risk.
"If an employee is put on a performance plan or facing a potential layoff, it would make sense to monitor their network activity much closer," Mr. Bruemmer said. But companies are often reluctant to utilize such measures for fear of appearing to be a "big brother" and turning off high-performing employees, Bruemmer added.
Another obstacle: The tools available to companies to track insider threats are still evolving.
Most of the security controls companies have in place for protecting data are meant to stop threats from outside the enterprise network, said Gartner's Litan, and not as much from the threats within. When organizations do have controls that limit internal access to certain files or databases, they typically do not have anything to monitor what someone with legitimate access to those assets might do with them, she said.
"Insiders know exactly how things are laid out and where the organization's valuable assets and information are stored," Litan says. "Some trusted users know exactly how to access these crown jewels, and are not necessarily suspect when they do."