5 Ways Employees Steal Data
Companies are building vast databases of information which need to be protected against hackers, viruses, natural disasters and other threats.
In this post I talk about the biggest threat of them all: your trusted employees.
Your employees have many reasons to steal your data. They might be planning to move to a competitor or begin their own venture in your market, or they could be bribed by a third party who has interest in your company’s secrets.
Knowing the methods and tricks they use to steal data can help you stop a major information leak before it happens. Below I describe the five most common leak vectors that any company should protect against.
Leak Vector 1 – The Internet
The Internet is the biggest hole in your defenses against information leaks. Employees who have access to the Internet can transmit data files to computers outside of your private network. There are a lot of applications that facilitate the transfer of data files over the Internet. These applications should be blocked, restricted or monitored.
Email: Users can send files as attachments to any public mailbox.
Websites: Many websites allow file uploads through the HTTP POST method.
Peer to peer: P2P protocols were designed for fast file transfer amongst vast amounts of users. In fact, these technologies are still the preferred choice for the illegal sharing of songs, movies and digital books.
File Transfer Protocol: As its name implies, FTP facilitates the transfer of files and is supported by many major browsers such as Internet Explorer.
Instant Messaging: IM protocols such as MSN Messenger, Skype and Google Talk allow for the transfer of files to online chat buddies anywhere in the world.
Leak Vector 2 – The SneakerNet
The Pentagon had countless virus outbreaks on their internal computers caused by unsafe Internet browsing. To ward off the problem they disconnected their LAN from the Internet. A few weeks later they suffered a large virus outbreak. An investigation found that an infected USB drive introduced the virus. The USB virus was transferred over the SneakerNet, a network created by human beings walking around in sneakers.
In order for this network to function, a storage medium needs to be available. CDs and DVDs are popular because they are cheap, easily available and inconspicuous. USB drives and SD cards are very dangerous because they are very fast and can store large amounts of data. They are also very small and easy to conceal. Mobile phones also pose a threat. They can record conversations, take video and relay information over the Internet using the cellular network. Laptops are also dangerous and are often taken in and out of the premises freely.
Leak Vector 3 – Physical Theft
The digital world is not the only one where you must watch your back. Theft is rampant in the real, physical world. Employees can print or photocopy documents and take them off-site. Physical files can also be taken out of cabinets, and the more technically inclined can pull out hard disks from computers, steal backup tapes or even entire computers!
Leak Vector 4 – Radio Frequency Networks
RF networks drive all wireless communication including WiFi, Bluetooth and cellular networks. These days RF devices are very common in smartphones, which can communicate over several RF technologies at the same time. Modern WiFi network devices are increasing their range drastically and the 3G network allows data transfer from almost anywhere.
Leak Vector 5 – Their own minds
Last, but not least is the knowledge your employees have acquired whilst working with your company. If an employee was involved in the design of a new product, he has inadvertently gained knowledge that he can replicate elsewhere. Whilst there is no true defense against this type of threat, it pays to treat key employees well to reduce the chances of them becoming disgruntled and taking off with your company secrets!
Definitely a lot to consider as far as ways in which your data and of course your physical property can be stolen. Security measures are improving both internally and externally as most major police forces are ramping up their cybercrimes divisions. Obviously the best phone call to the police is the one you never have to make, so setting up internal security policies and following them to the letter is ideal.
As the HR Manager of a multinational company here in Houston, I always see to it that all incoming employees are throughly background-checked, even if they’re a friend of a friend or someone close to the organization. Before signing the contract, all new employees are required to read and understand all statements – they’re obligated to ask questions afterwards. This is because our contract has some interpolations that prohibit workers to divulge information and data to others. Think of it as a “non-disclosure agreement (NDA)” on steroids.
Also, if someone resigns (or was fired / terminated), that employee will not be allowed to work in a similar or competitor company. This way, no information or previous knowledge will be applied to his or her new job. Prevention is better than the cure. Being proactive always wins.
Jhos all your statements here are valid but they don’t apply to all companies or organizations. Remember that not all businesses have the same process of hiring and employing individuals. This is a case to case basis.
For instance, hiring someone to work for a big corporation (such as Google, IBM, or Walmart) involves a lot of steps – preliminary interview, secondary interview, final interview, exam, background check, hiring, orientation, probationary, contractual, then regularization.
On the other hand, SMEs are different. Because they’re not that big, their hiring method tends to be so simple. Usually, they skip some processes. And most of time, they will hire someone they or someone from the company knows.
Hi Jhos,
You are so right to do all this! Prevention is really better than cure. While you can never be sure somebody won’t be tempted to steal data, when you do background checks and have a binding contract, you do minimize the risks. Honestly, I think that most insider jobs are due to poor staffing practices and to hiring unreliable people.
In a big company, trust is an issue. Small and medium enterprises rely on the “trust” system simply because it worked on them. The case is different with multinational corporations, where bureaucracy is the life of the game. Multi-level departments are hard to deal with.
This article would have more impact if it also included case studies or real-life scenarios of employees stealing company data and what the company did something about it. I’ve read several cases about this online and most caught employees are bought to court and filed with criminal charges.