Modern field guide to security and privacy

Why rogue employees may pose bigger threat to corporate data than hackers

As stolen company information is turning up for sale on the Dark Web, analysts say the insider threat is creating a security nightmare for companies with sensitive and proprietary data. 

Carlos Jasso/Reuters
Experts say companies are better positioned to keep outsiders out of their corporate corporate than they are to root out nefarious employees. Here, a police officer stands guard outside the Mossack Fonseca law firm office, which became the subject of the Panama Papers.

As a computer programmer for Monsanto Co., Jiunn-Ren Chen developed algorithms and wrote programs that gave him access to the agriculture giant’s confidential trade secrets and proprietary information.

But last month, after Mr. Chen left the company, Monsanto sued its former employee for allegedly abusing his access to steal 52 files containing sensitive company data. Chen, whose lawyers could not immediately be reached for comment, is accused of downloading that information shortly after he had announced he was leaving Monsanto to consider employment with a Chinese competitor. According to court documents in the Eastern District Court of Missouri, Monsanto personnel uncovered Chen’s illegal activity after discovering malicious code on two of his computers.

Investigators found “highly sophisticated and unauthorized software that could be used to perform reconnaissance, exfiltrate data and conceal activity,” according to Monsanto's lawyers, who also alleged that, because of the proprietary nature of the data, Chen’s theft had the potential to cause “substantial” harm to the company.

It's not just Monsanto battling what's known as the "insider threat." 

In fact, many security analysts now fear, disloyal employees pose a greater threat to companies' data security than outside hackers.

“A lot of companies are really worried about employees walking off with their data," says Avivah Litan, an analyst at advisory and research firm Gartner. “Insider threats have become a major issue because external criminals are actively recruiting insiders to help perpetrate their crimes, while disgruntled employees are actively making their insider services available." 

The banking sector is especially worried about insider threats, Ms. Litan says, noting the issue has become more pressing over the last two years because of the Dark Web. Disgruntled employees, especially those working in data-rich organizations like financial services companies, pharmaceutical firms, and in government are being actively recruited by and selling access to network credentials and corporate data to criminals on the Dark Web. 

Indeed, the Monsanto incident is the third in recent weeks where an insider has been accused of involvement in the theft of proprietary data from his employer.

An information technology worker at the Panamanian law firm Mossack Fonseca’s offices in Geneva was arrested in June for his alleged involvement in the theft of 11.5 million files documenting secret bank accounts. The files may have been the basis for the Panama Papers, which revealed controversial financial dealings of international politicians and public figures. A spokesman for Mossack Fonseca told the Swiss newspaper Le Temps said a formal complaint had been made against the worker for illegally removing data from a company computer and for breaching the law firm’s confidentiality agreement.

Meanwhile, the digital theft of $81 million from the Bangladesh central bank reported earlier this year may have occurred with help from someone on the inside. The FBI suspects at least one bank employee helped hackers navigate the bank’s system, and news reports indicated a few others may have also been involved.

It's an industry-wide issue: An Intel report from September 2015 determined that insiders could be blamed for 43 percent of lost data, and Verizon’s 2016 breach report blamed disgruntled insiders for roughly one in ten security incidents. 

Despite a heightened awareness in recent years, experts say a majority of organizations remain dangerously vulnerable to the threat.

The first reason is cultural. “Most people feel that insiders are supposed to be trusted,” says Gaby Friedlander, co-founder and chief technology officer of ObserveIT, a company that helps businesses manage insider threats. “There’s a culture issue that protects the insider from being watched.”

Insiders often have the benefit of time to poke and prod their way around systems, and slowly siphon off data without raising any red flags because most of the time, no one is watching, Mr. Friedlander said.

But there are also technical challenges to catching potential leakers already working at the company. That's partly because security teams do not have visibility into how every individual employee, and others with access to corporate assets, might be behaving and interacting, said Ryan Stolte, co-founder and CTO at security vendor Bay Dynamics.  

“Think of an office building. The security team is similar to the guards manning the front desk,” said Mr. Stolte. “They check badges to make sure only authorized people are entering. However once people are inside, they cannot see what each individual is doing every minute of the day.”

There are numerous instances where such insouciance has cost organizations dearly. In 2005, a research scientist at the chemical company DuPont stole intellectual property with a street value estimated at some $400 million over a period of several months. Though he accessed a DuPont database containing proprietary data about 15 times more frequently than the next most frequent user, and downloaded a whopping 22,000 technical abstracts and more than 16,500 PDF documents, no one noticed the theft until after the scientist announced his plans to leave DuPont.

Michael Bruemmer, vice president at the credit protection company Experian Data Breach Resolution, recommended companies conduct background and credit checks on employees when they are hired, then randomly throughout their course of employment to identify employees that could pose a risk.

“If an employee is put on a performance plan or facing a potential layoff, it would make sense to monitor their network activity much closer,” Mr. Bruemmer said. But companies are often reluctant to utilize such measures for fear of appearing to be a “big brother” and turning off high-performing employees, Bruemmer added.

Another obstacle: The tools available to companies to track insider threats are still evolving. 

Most of the security controls companies have in place for protecting data are meant to stop threats from outside the enterprise network, said Gartner’s Litan, and not as much from the threats within. When organizations do have controls that limit internal access to certain files or databases, they typically do not have anything to monitor what someone with legitimate access to those assets might do with it, she said. 

“Insiders know exactly how things are laid out and where the organization’s valuable assets and information are stored,” Litan says. “Some trusted users know exactly how to access these crown jewels, and are not necessarily suspect when they do."


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Why rogue employees may pose bigger threat to corporate data than hackers
Read this article in
QR Code to Subscription page
Start your subscription today