Request a Proposal

Tales from the inside: how employees got busted trying to take the goods

Is your co-worker pulling off cyber info heists at the desk right next you? 

She was a technical writer for a company, and put in long hours. The problem is, this was secret overtime, and the work she was doing was stealing secrets from company files.

Security investigators say they uncovered her moonlighting project by looking at patterns—when employees usually work, what kind of files—and how many—they usually access, according to Imperva’s March Hacker Intelligence Initiative Report, released today.

This worker suddenly started copying files, and a lot of them, mostly in the middle of the night and weekends—100,000 files in all, according to the report. Neither she nor anyone else in her department normally copied this number of files.

Was she doing a special project, or simply trying to get ahead? Yes to both, investigators discovered—she was about to leave the company with her nest egg of pilfered intellectual property, the report said.

“The greatest threat to enterprise security is the people already on the payroll,” Morgan Gerhart with Imperva told Archer News.

Insider threats

The insider threats are not just people out to do bad things, the report said, but also curious or careless employees who may accidentally open up a security gap. 

It may not be intentional—who knew that e-mail from your cousin telling you to “watch this video” was really a link to malware that stole your username and password? 

The report also notes a situation where an employee was accidentally backing up company data onto his personal cloud service.

“While the user’s intentions may have been pure, this practice obviously puts corporate data at risk,” the report said.

On purpose

The investigators also found situations where employees up to no good.

A clue that gave some of them away? Trying—unsuccessfully—to login to something that they didn’t normally access.

“Why?” you might ask. After all, you have mistyped or forgotten your password many times.

“However, when a user fails to login to a database several times without success and never tries again, or when a user tries to access several databases in the organization without success, it is suspicious and may indicate that the user is not authorized to access the application,” the report said.

In one case, a user tried 11 times to get into a database he had never used before, using four different account names.

In another case, a person from the IT department tried to login to an application that would allow him to see sensitive financial information. He tried three times, then stopped trying, the report said. Other users of the application never messed up the login process.

Deeper investigation showed the IT person was not allowed to have access to that special application, and the employee was ultimately let go.

Other digital clues include the time it takes for a file to download. One worker was downloading 1,500 files, but instead of the usual one second per download, it took 14 seconds per download. The report concluded this was a sign the worker could be channeling the info to an outside computer.

“Insiders aren’t launching ‘hacker attacks,’ but are simply taking advantage of the inherent trust given to them in order to steal valuable data,” Gerhart said.

Harder to detect

Fences, locked doors, passwords, antivirus—all part of security systems designed to keep outsiders out. But inside jobs are more difficult to uncover.

“Many tools used to detect and deter illicit computer intrusion are deployed at the perimeter and have a trusted side where insiders already have access,” said cybersecurity professional Mike Carr.

“Since insiders have legitimate access to systems, they are generally much harder to detect,” he said. “In many cases, systems meant to detect tampering or hacking are simply configured to not activate for insiders.”

The damage can be serious, from financial losses, to the collapse of a company, or beyond.

“Even worse, in the case of SCADA/ICS [supervisory control and data acquisition/industrial control systems, used to run factories, power plants and more], the health and safety of the public could be adversely impacted,” he said.

Inside the mind of the insider

Cybersecurity experts say some employees will push the boundaries.

“Simply put, users will find ways to do the job as easily as possible,” said Dave Foose with Emerson Process Control. 

Other employees may be curious and take advantage of granted, trusted access to data.

“In layman’s terms, you may have given access to your users and they looked at things you didn’t know they could see,” Foose said. “This is definitely not news to anyone that has spent more than a couple weeks doing network administration for any environment.”

Some cases turn out to be severe, but many are not.

“In most cases, it is the stray person checking out salary plans or reading the boss’s emails,” he added.

Keeping up with insiders

Take steps to protect the company and workers, recommended Patrick Coyle with Chemical Facility Security News.

“The first is security training for employees to help them understand what measures should be taken to protect both network access and critical information,” Coyle said. “This training should drastically reduce the risk from the ‘careless and negligent employees.’”

Identify the critical info that is most important to the business, he said. Restrict access to it, and monitor it closely.

“While all data should be protected, the most important information demands the most complete, redundant, and carefully watched protections,” Coyle said.

Detecting an intrusion from inside and out

Review who has access to what when someone changes jobs, recommended Foose.

“Then, you need to do frequent review of your network to find unknown or rogue devices that might be allowing access to various software or networks,” he added.

Imperva investigators also used “deception tokens,” fake info planted in the system, to see if a bad guy was trying to access accounts.

“Their ‘deception tokens” sound a lot like honeypots or ‘honey records,’” said Monta Elkins with FoxGuard Solutions. “These can have a great value as canaries and indicators of compromise.”

“For example, seeding password databases with unused accounts associated with an alarm for attempted access can be effective,” he added. “The same for other database records, files, or honeypot devices. Access to these are often high value indicators of something amiss.”

Someone trying to use a fake username and password to get into a company account would likely mean that a hacker had invaded the system and was doing recon or on the attack.

Keeping insiders out

The Imperva report concludes that companies need new technology that helps them analyze behavior patterns.

“Most information security solutions that companies invest in are focused on keeping cybercriminals out, but they don’t focus on someone already inside the company,” said Gerhart.

Technology may not be enough, some say.

“The concept of ‘hunting’ on your network requires highly skilled security personnel, almost by definition, because the automated tools have made all the easy catches,” said Elkins. “Another box with blinky lights isn’t the primary solution.”


Outsiders trying to get in, insiders getting in even further, digital clues that might easily go unseen. The odds may seem stacked in the favor of bad behavior.

“What you don’t want is to give up completely and never do any level of access control or monitoring under the banner of defeated apathy,” Foose said.

“Isn’t that how Snowden suddenly became a international fugitive and ‘thought leader’?” he asked. “Open access to documents that people didn’t properly secure or think to secure from perusal or theft.”

There is some good news.

“That being said, one good aspect to take away is that most issues or threats to your environment are not malicious but misuse,” Foose said. “There are definitely more ‘oops!’ than APTs [advanced persistent threats, or long-term hacking attacks] that need remediated.”