When the trailblazing electric-car manufacturer Tesla revealed in June that it had caught a malicious insider in its midst, the news highlighted—once again—the harm insiders can do to unsuspecting companies. Tesla experienced not just one, but two frightening insider scenarios: the exfiltration of valuable intellectual property and the alteration of critical code in its manufacturing operations.
It’s easy to understand the threats your business faces from outsiders, such as competing organizations. Companies may, however, underestimate or ignore the damage that can be caused by just one disgruntled employee or even a former employee. Insiders often have the means, but their motives vary: they could be driven by money, or they may look for a way to get back at an employer who passed them over for a promotion, which was reportedly the case with Tesla.
Companies often give their employees access to far more information than they need to do their jobs. In a recent report, we found that 41% of companies had at least 1,000 sensitive files open to all employees. Exposed information, unfortunately, is more often the rule and not the exception.
Today’s employees are increasingly tech-savvy. They can easily navigate a file server to find valuable files to copy. They’re also likely to use tools, such as personal cloud storage, that could be leveraged to steal critical information. Furthermore, employees often are less loyal to the companies they work for and may not see anything wrong with taking essential files.
If it can happen to Tesla, it could happen to your company.
It’s extremely difficult or even impossible to tell the difference between an employee who is having a bad day and one who is disgruntled to the point that they are actively compromising your organization. Chances are, you wouldn’t be able to spot a malicious insider at your company.
You’ve got to look for signs that you’ve been compromised. Here are four signs to watch for:
- “Ghosts” on your network: Ghosts are accounts belonging to former employees that can still access your network. Former employees, especially those who parted on bad terms, may try to log back into company systems, either out of curiosity or to do damage by copying or deleting files.
- Unusual activity during “off” hours: While your employees may make a habit of working in the middle of the night, on weekends, and during holidays, if their work patterns suddenly change, you have every reason to be suspicious. An outsider could be posing as an insider by using an employee’s account to log in, or an insider could be snooping around on your file stores when no one is likely to be watching.
- Suspicious file access: Searching for, viewing, or copying data that’s not relevant to an employee’s job are all signs of possible insider activity. Employees will try to avoid detection at all costs; they may grab a few files to copy or even delete them. Those who can access corporate email accounts for other employees and executives may try to cover their tracks by marking viewed messages as “unread.”
- Saving or printing massive amounts of information: If an employee leaves your company, they may try to take their files with them—perhaps in the mistaken belief that if they did the work, it belongs to them. Alternatively, they could be looking to profit from selling insider information. If they begin taking files, they could also be intent on providing this data to a third party.
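
The four signs above expressed as detection logic over access events, as an added example that is not part of the original article. The roster, share paths, event format and bulk threshold are all constructed assumptions; a real deployment would feed it directory and file-audit logs.

```python
from collections import Counter, defaultdict
from datetime import datetime

# All data below is constructed for illustration.
ACTIVE = {"alice": "eng", "bob": "sales"}      # current HR roster: user -> department
SHARES = {"eng": "/eng/", "sales": "/sales/"}  # share each department needs for its job
BULK_LIMIT = 3                                 # assumed copy/print events per user per day

HISTORY = [(f"2024-03-01T{h:02d}:00:00", u, "logon", "")
           for u, hrs in {"alice": (9, 10, 14), "bob": (9, 11, 15)}.items() for h in hrs]
EVENTS = [
    ("2024-03-04T23:10:00", "carol", "logon", ""),  # carol has left the company
    ("2024-03-05T09:05:00", "alice", "logon", ""),
    ("2024-03-05T02:30:00", "bob", "logon", ""),
    ("2024-03-05T02:35:00", "bob", "read", "/eng/roadmap.xlsx"),
] + [("2024-03-05T14:00:00", "alice", "copy", f"/eng/spec{i}.doc") for i in range(4)]

def baseline_hours(history):
    """Hours of the day at which each user has been active before."""
    hours = defaultdict(set)
    for ts, user, _action, _path in history:
        hours[user].add(datetime.fromisoformat(ts).hour)
    return hours

def detect(events, history):
    """Return sorted (user, sign) findings for the four signs in the list."""
    usual = baseline_hours(history)
    findings, bulk = set(), Counter()
    for ts, user, action, path in events:
        when = datetime.fromisoformat(ts)
        if user not in ACTIVE:                       # sign 1: ghost account
            findings.add((user, "ghost-account"))
            continue
        if usual[user] and when.hour not in usual[user]:   # sign 2: pattern change
            findings.add((user, "off-hours-change"))
        if action != "logon" and not path.startswith(SHARES[ACTIVE[user]]):
            findings.add((user, "unrelated-file-access"))  # sign 3
        if action in ("copy", "print"):              # sign 4: volume per user per day
            bulk[(user, when.date())] += 1
            if bulk[(user, when.date())] > BULK_LIMIT:
                findings.add((user, "bulk-copy-or-print"))
    return sorted(findings)

if __name__ == "__main__":
    for user, sign in detect(EVENTS, HISTORY):
        print(f"{user}: {sign}")
```

The off-hours check compares against each user's own history rather than a fixed business-hours window, so an employee who habitually works nights is not flagged until the pattern changes.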
Know that it’s not always an insider at fault – an outside attacker can steal employee credentials. You must lock down your employee data, intellectual property, client lists, and other vital information you wouldn’t want walking out the door. Consider initiating policies prohibiting, for example, the use of personal email on work devices. Try to foster trust with your employees so that when they do click on a phishing attempt, they’re comfortable reporting it to IT immediately.
Guarding against malicious insiders sets a solid foundation that will help bolster your company’s defenses against other types of threats, including ransomware, brute-force attacks and other exploits used by outside attackers.
Brian Vecci is Technical Evangelist for Varonis.