“It’s my data and I’ll do what I want with it!” - how to stop employees deliberately causing data breaches

In the third of a series exploring the psychology behind insider data breaches, Egress CEO Tony Pepper looks at the employees who are intentionally malicious in their attitude to company data. If you missed them, click for the first and second instalments.

When we think of insider data breach threats, it's the intentionally malicious insider that often springs to mind. These stories grab the headlines when employees' nefarious activities come to light, whether they have leaked corporate secrets to competitors or sold stolen data to the highest bidder for personal gain. These incidents often have elements of drama to them, and can be treated as “interest” pieces. But not all malicious insiders have such headline-grabbing ambitions. Many are caused by individuals trying to advance their own careers and believe they are entitled to use the data they've worked on to achieve their personal goals.

Malicious insider data breaches are costly. The Ponemon Institute's 2020 Cost of Insider Threats Global Report found that criminal and malicious insiders cost the surveyed organisations an average of $755,760 per incident, totalling $4.08 million over a typical year.

But tackling the threat from malicious insiders is difficult for CISOs. Naturally, company employees have legitimate access to data so there is a large element of trust involved, but security strategy cannot be based on trust alone. It is hard to evaluate employee trustworthiness, which can change over time due to work or personal circumstances. Add to this the ease with which employees can share data via email and file-sharing platforms, and it is easy to see how quickly data can be compromised.

To understand how to manage individuals who are susceptible to becoming a malicious insider breach risk, CISOs need insight into their motivations and behavioural patterns, and the factors that allow them to flourish. 

What makes a malicious insider? 

We have identified two typical personas that are at risk of committing malicious insider breaches and the common motivations behind their actions. These aren't dyed-in-the-wool criminals who set out to steal from the start, but instead the more commonly seen characters whose intentionally malicious actions arise from circumstance.

The first is nicknamed ‘Agitated Alan'. This employee sees himself as hard-working and willing to go the extra mile for the company – up to a point. They like to feel recognised and duly compensated for the effort he puts in; and risk emerges when they feel that their contribution has been overlooked. Agitated Alans may have been passed over for promotion, been “unfairly” disciplined for some actions, or even feel their part in a project has been overlooked. The feeling of resentment and stress triggered by this situation makes this employee susceptible to “revenge” activity, such as leaking data to competitors. 

This persona recognises that what they are doing is wrong, but they have decided that their loyalty no longer lies with the organisation. Evidence from our 2020 Insider Breach Survey suggests that revenge against the company is a factor in 1 in 10 intentional data breaches.

A different scenario features the persona that we've dubbed ‘Sneaky Sara'. In this scenario, self-interest is the dominant characteristic. Highly career-oriented, Sara changes roles regularly to bring her experience to new companies. However, she also tends to bring data from her former employer with her, in the form of contact records and project information. 

In contrast to Agitated Alan, Sara may feel that she is not really doing anything wrong. She believes, in common with 41% of those we surveyed in our Insider Breach Research, that the company doesn't have any ownership at all over company data. This attitude can lead to exfiltration of the data that the employee has worked on in the belief that it belongs to them. 

Our research also found that taking data to a new role was the primary motivation for 46% of employees who had intentionally removed company data. The more senior the employee, the greater the risk, with 68% of directors saying this was the reason they had intentionally removed company data.