Is Your Company’s Data A Sitting Duck?

Dominating the headlines in recent weeks have been the massive data breaches at several major retailers, including Target and Neiman Marcus. These breaches have put the financial and personal data of millions of consumers at risk.

However, based on what is now known, these data thefts were the work of outside hackers, an international ring of thieves that seeks to steal the identities and financial data of consumers for criminal profit.

Insider Data Theft

Overlooked in the furor over these large-scale hacking attacks is the very real threat posed by insider data theft.

In such cases, trusted employees with access to at least some of their companies' data betray the trust placed in them and steal the data. Self-proclaimed whistle-blower Edward Snowden was one such insider.

An employee of an outside contractor that worked on National Security Agency projects, Snowden stole massive amounts of NSA data and later revealed the secrets therein, ostensibly to show the world the very broad reach of the agency's surveillance programs.

Signs to Look For

It's probably safe to assume that your company is not in the same league as the NSA, but to you and your customers and stockholders, your intellectual property and other confidential data are no less important.

What signs can you look for that may indicate insider data theft is taking place? And what steps can you take to guard against such theft and the damage it can cause?

In a December 2013 article in Law Technology News, Michael Younger and Judith Branham point to four tell-tale signs of insider data theft.

Their article also provides extensive information about how you can use your company's computer system to help pinpoint instances of employee behavior that may indicate your proprietary information is begin accessed for illegal purposes.

Monitor Data Copying

Younger and Branham suggest that you look for signs of mass data copying by an employee, particularly by an employee who is about to move on to another job.

Also check out the employee's computer system files, most specifically its registry, to see if a USB drive or other external data drive has recently been used on the computer.

Younger and Branham also suggest that employers be on the lookout for signs that an employee has sent information to his or her personal email account from work. Suspicious access of company data from the employee's home computer can also be a sign that data is being misappropriated.

Tell-Tale Behaviors

Certain behaviors can be a tip-off that an employee is stealing data or at least contemplating such a theft, according to the FBI, which urges employers to stay alert for the following signs:

• Remote access of company computer system while on vacation, sick leave, or on other inappropriate occasions.
• Working at odd hours without explicit supervisory authorization.
• Unwarranted copying of sensitive materials.
• A persistent interest in and inquiries about matters beyond the scope of the employee's job.
• Unreported foreign contacts or unreported foreign travel.
• Disregard of company computer policies against the installation of personal software or hardware, accessing of restricted websites, or downloading personal information.

How to Protect Data

The importance of big data at larger companies, as well as the intellectual property of smaller businesses, cannot be overemphasized.

But what are some steps that companies -- big and small -- can take to minimize the threat of insider data theft?

1. Screen prospective employees carefully. Don't just eyeball their references, but follow up on them. Run background checks on employees who are to be entrusted with sensitive data.

2. Restrict access to sensitive data to only those with an absolute need to have such access. The fewer employees with access to critical data, the easier it becomes to protect this sensitive information.

3. Teach all employees that misuse of confidential corporate data is wrong. Security awareness training should alert all employees to the dangers of intellectual property theft and urge them to be alert for signs of any attempts to illegally obtain access to company information.

4. Make clear to all employees -- particularly those with access to sensitive data -- that nondisclosure agreements will be enforced. Failure to do so will signal to others that they can engage in such behavior without fear of retribution.

5. Install software that monitors your company database for inappropriate access by employees.