Who Are Corporate Spies, How to Identify & Neutralize Them?

Sergey Ozhegov, CEO, SearchInform

Information security expert’s recommendations

Every company possesses valuable information assets that are of high interest to market competitors and other organizations, groups or individuals. In one company it may be a VIP client database; in a second, drawings or technological maps; a third has created a breakthrough business strategy; a fourth possesses crucial financial information. No company or organization has a guarantee that a spy won’t start operating within it. A spy may be driven by many motives, including, but not limited to, greed, revenge, financial interest and ideological issues.

Why employees become corporate spies

First of all, let’s figure out which employees may become corporate spies. A few categories of employees pose the biggest threat to an organization.

The first category is the ‘infiltrator’. To avoid being unmasked for a long time, such an employee has to be a qualified specialist. Such an expert easily passes interviews, has significant work experience and seems to be a ‘priceless asset’ for the company. That’s why it is important to pay close attention to recently hired staff members. Infiltrators usually apply for positions that involve work with commercial data or with databases.

Case study: the information security department of one company paid special attention to a new sales manager. The vigilance was not in vain. It turned out that the manager worked for market competitors and that his main aim was to get access to the company’s accounting system. Had the manager gained such access, it may have led to a loss of approximately $215,000 and to a reduction in the number of clients.

The second group includes employees who start spying because of financial problems. Such employees may have been law-abiding specialists who began to commit illegal actions only because of financial issues.

The third category is risk-group employees. This group includes those who work with critical and top-secret data. Such employees may therefore be blackmailed and recruited by your competitors and detractors.

Another group is resentful employees. Revenge is in fact one of the most common motives for becoming a corporate spy.

Case study: an employee of a large company wanted to take revenge because he didn’t get the promotion he wanted. The resentful employee decided to leak data revealing very precisely the amount of securities held by each stockholder. He intended to pass the data on securities to the mass media. The employee’s actions may have led to a conflict and its further escalation, an unpleasant situation that would have helped the company’s market rivals. However, information security officers detected the threat just in time and managed to prevent the leak. The damage from the leak, had it happened, would have been estimated at $1,241.379.

How do spies gather data?

There are plenty of ways for employees to steal data: printing it on paper or saving it to a device; taking a photo of confidential documents; deliberately leaking data by uploading it to a cloud; providing a third party with access to a database, etc.

Nevertheless, some typical data transmission channels are also the most popular ones for organizing data leaks, so they have to be controlled more strictly. According to SearchInform’s annual research, email is the most popular channel for illegal data transmission: a bit less than 50% of leaks in 2021 happened via email. Corporate spies usually take the path of least resistance and don’t create complicated schemes for a data leak.

This may be illustrated by a ridiculous case at AMD. AMD’s officials filed a claim against four of the company’s former top managers, who later joined Nvidia. The former employees took away 100.000 files containing sensitive data on AMD’s business activities. The data volume was so tremendous that copying the files would have taken too much time. The internal investigation revealed that one of these employees even googled how to download this tremendous amount of data. He did it during work time.

Nonetheless, some spies act in a very creative manner.

Case study: an infiltrator joined one big manufacturing company. A river flowed through the area where the company’s plant was located, so the spy built a small raft, tied papers to it and set the raft afloat with the company’s top-secret documents.

How to identify corporate spies

Screening checks help to detect spies who deliberately applied for a vacancy in order to leak secrets to competitors. You may test a candidate in the following ways:

  1. By consulting various databases in order to find any mismatches in the person’s biography;
  2. By examining the person’s letters of recommendation;
  3. By assessing the results of the interview;
  4. By applying OSINT (open source intelligence) methods.

It’s a bit more complicated to identify spies of the other categories. Even if a specialist has been working for many years and no problem has occurred during this period, there is no guarantee that specific critical circumstances, such as financial problems or a desire for revenge, won’t push this employee to commit illegal actions. That’s why it’s important for security services to cooperate with top managers on a permanent basis. If the team isn’t big, it’s easier to reveal problems by examining indirect signs, for example, a disproportion between salary and expenditures or a sudden change in behavior.

If the team is quite big, then the assistance of special protective software, a DLP system, is required. Such systems prevent data leaks. Their functionality makes it possible to trace suspicious messages and other activities that can indicate an employee’s motives. The functionality of advanced DLP systems also includes behavior analytics (digital profiling, UEBA and other tools). The main advantage of this ‘computer psychologist’ is that it permanently traces behavior changes and that it can’t be cheated.

Prevention is very important too. It’s crucial to educate your employees on information security issues and to show them the probable outcomes of a data leak. We also recommend signing a non-disclosure agreement with a new employee. This is both a formality that is required in case a trial takes place and a reminder for an insider, so that he or she understands that a responsible attitude to information is part of the company’s culture.

What to do if an employee is suspected of working for a market rival?

If there is a suspicion that an employee is involved in illegal activities, initiate an investigation in order to find out:

  1. Whether he or she was tricked;
  2. Whether the employee acted alone or with the help of accomplices (who may be both insiders and third-party actors);
  3. Whether the data was compromised, and the estimated amount of damage.

Do you have to fire an employee when you only suspect that he or she has committed an illegal action, or even when the guilt is proved? Each company’s managers decide for themselves. I acknowledge that there are different scenarios. Sometimes a dismissal helps to avoid further escalation of a conflict and the occurrence of a new incident in the future.

