The inside threat: Mitigation of the risks of deliberate data violations and corporate sabotage

It is well known that most data breaches come from employee error: some 88%, according to Stanford University Professor Jeff Hancock. As difficult as a costly mistake may be for a business to accept, there might be some consolation in the knowledge that it was an unintentional act, and completely without malice. Lessons can be learned, and shortfalls in staff training measures can be addressed.

What of those data violations that are not born of simple human error, but are in fact the result of deliberate employee actions? What can companies do in the face of such a threat? How can this type of risk be addressed?

In the fast-evolving domain of cybersecurity, perhaps the most insidious threat to corporate integrity and data security comes from within: the company or organization’s own staff. Although the primary focus in IT security is on external threats, the risk of deliberate data breaches and corporate sabotage by insiders is far from negligible. Given the potential damage that people who have direct access to large quantities of sensitive data can cause, it is a risk that must be confronted head on. The motivations behind such malicious actions can range from activism to espionage, and data processors need to recognise and mitigate these risks.

Comprehending motivation

Activists and hacktivists

Activism-driven data breaches, often referred to as hacktivism, are on the rise. Staff motivated by social justice, environmental concerns, or political beliefs may be tempted to resort to leaking sensitive information to further their cause. Such individuals often see their actions as a legitimate or necessary form of protest, or as a way of forcing the company to adopt more ethical practices.

In a recent example of ‘hacktivism’, Disney confirmed on July 15th 2024 that it was investigating claims made by the hacktivist group NullBulge that it had accessed Disney’s internal Slack channels, leaking 1.2 terabytes of data, including unreleased projects. Apparently, this was made possible due to NullBulge having an “inside man” in the Walt Disney Corporation. NullBulge has described itself as a hacktivist group dedicated to protecting artists’ rights and fighting for fair compensation for their work.

Corporate spying

Corporate espionage represents another source of risk. Unfortunately, it is necessary to be alert to incidents of employees being paid to leak information to competitors. Such information may involve trade secrets, client data, financial details, and other proprietary information. This is normally motivated by money, with employees being attracted by lucrative offers from rival companies.

A famous example came to light in May 2022 when Qian Sang, a research scientist at Yahoo,  was discovered to have stolen proprietary information about Yahoo’s AdLearn product minutes. This action was apparently motivated by the fact that he had received a job offer from The Trade Desk, a competitor. Sang downloaded approximately 570,000 pages of intellectual property (IP) belonging to Yahoo to his personal devices, in the knowledge that the information could greatly benefit him in his new job.

Geopolitical concerns

Geopolitical tensions have begun to spill over into the corporate realm. Staff with sympathies towards particular political causes or nations may be tempted to engage in espionage or sabotage. This may be driven by nationalistic sentiments or an ideological alignment with a foreign power.

To take an example, recent reports have indicated that the shipping sector is facing a spike in cyberattacks tied to state-sponsored hackers. According to the Financial Times, the industry registered at least 64 cyber incidents in 2023. A study by the Netherlands’ NHL Stenden University of Applied Sciences found that there were only three such incidents in 2013 and none at all in 2003. More than 80% of the incidents that occurred since 2001 involving a known attacker originated in China, Russia, North Korea or Iran.

Miscellaneous

In April of 2023 Jack Teixeira, an American airman in the 102nd Intelligence Wing of the Massachusetts Air National Guard, was arrested following an investigation into the removal and disclosure of hundreds of classified Pentagon documents. Somewhat astonishingly, it later became apparent that Teixeira was not motivated by money, activism, or espionage, but was in fact driven by a desire to impress friends he made on the social media platform Discord.

What lesson can be learned from the story of Jack Teixeira? Perhaps only that companies should remain alert to internal data security risks even when the classic motivations or causes appear not to be present. 

Mitigation of the insider threat

To protect themselves against these diverse and complex threats, companies must adopt a multifaceted approach. One of the best strategies is to limit employee access to only that data and those systems which directly relate to that employee’s duties. Businesses should, as a minimum, take the following steps:

Implementation of the ‘Principle of Least Privilege’ (PoLP)

The Principle of Least Privilege (PoLP) is a security concept which mandates that employees should be permitted to have access only to the data and systems necessary for their respective functions. Through the minimization of unnecessary access, organizations can reduce the risk of data breaches.

Regular access reviews

Staff access rights should be reviewed regularly. This ensures that the access rights of staff members who have changed roles or no longer require access to certain data are updated in the system. Automated tools can help in the monitoring and adjusting of access rights as required.
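To make the least-privilege and access-review steps above concrete, here is an added example (not from the original article) of an automated review that flags access left over after a role change and access that is no longer used. The role baselines, entitlement records, system names and the 90-day idle threshold are all constructed assumptions.

```python
from datetime import date

# Constructed role baselines: the systems each job function needs (assumption).
ROLE_BASELINE = {
    "research_scientist": {"ml_platform", "source_repo"},
    "sales": {"crm"},
    "finance": {"ledger", "payroll"},
}

# Constructed entitlement records: (user, current_role, system, last_used).
GRANTS = [
    ("alice", "sales", "crm", date(2024, 7, 1)),
    ("alice", "sales", "ledger", date(2024, 1, 10)),  # kept after leaving finance
    ("bob", "research_scientist", "ml_platform", date(2024, 7, 10)),
    ("bob", "research_scientist", "source_repo", date(2024, 2, 1)),  # long unused
    ("carol", "finance", "ledger", date(2024, 7, 12)),
    ("carol", "finance", "payroll", None),  # granted but never used
]


def review_access(grants, baseline, today, max_idle_days=90):
    """Return sorted (user, system, reason) findings for a reviewer to act on."""
    findings = []
    for user, role, system, last_used in grants:
        # Least privilege: anything the current role does not need is excess.
        # A role with no baseline yields an empty set, so all its access is flagged.
        if system not in baseline.get(role, set()):
            findings.append((user, system, "outside role baseline"))
        elif last_used is None:
            findings.append((user, system, "never used"))
        elif (today - last_used).days > max_idle_days:
            findings.append((user, system, "idle"))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, reason in review_access(GRANTS, ROLE_BASELINE, date(2024, 7, 15)):
        print(f"{user}: revoke or re-justify {system} ({reason})")
```

In practice the grants would come from an identity provider export and the findings would go to each employee's manager for confirmation rather than being revoked automatically.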

Monitoring and auditing

Constant monitoring and auditing of user activities assist in detecting suspicious behavior early. The implementation of advanced analytics and AI-driven solutions facilitates the identification of patterns that indicate potential insider threats. Timely response to such alerts can prevent data violations before they occur.

Employee awareness

Benjamin Franklin famously wrote, “An investment in knowledge pays the best interest”, and these words are as true today as they were when they were published in 1758. Comprehensive training of employees is a key component of any security strategy. Staff should be regularly trained on the importance of data security and the risks posed by insider threats. Awareness programs help employees to recognize and report suspicious activities.

Whistleblowers 

Although the activities of the average company may be quite uninteresting to Julian Assange or Edward Snowden, the benefits of encouraging a culture of transparency and accountability within a business should not be underestimated. Implementing clear whistleblower policies and providing secure channels for reporting suspicious behavior can empower employees to act when they observe potential threats and ultimately deter potential saboteurs.

Comprehensive legal and contractual safeguards

Lastly, all organizations should strive to ensure that their legal and contractual frameworks include provisions to deter and address insider threats. Non-disclosure agreements, non-compete clauses, and other legal instruments should be used to contribute to overall protection.

The threat of corporate sabotage and deliberate data violations by insiders is a concern that no business can afford to overlook. No matter the motive, the impact of insider breaches can be devastating. By limiting employee access to valuable data, carrying out regular access reviews, and developing a culture of security and transparency, companies can mitigate these risks. In the constantly changing world of tech security, remaining vigilant and proactive is key to safeguarding corporate integrity and data security.


Posted by

Eoin Campbell

Eoin P. Campbell is an honours law graduate (LL.B) from Queen's University Belfast and is a qualified lawyer. Eoin has moved from practicing law to lecturing. Eoin is currently lecturing in law at two universities in Lyon, France, including a master's degree course in cyberlaw. Eoin provides commentary with a legal perspective on cybersecurity and data privacy. He is an expert on data privacy laws.