Insider threats: data theft or sabotage committed by an employee threatens the operation of a company

An organisation’s information capital or critical functions may be put at risk by employee activity. This could cause financial and reputational damage, and also be a threat to national security if public authorities or e.g. critical infrastructure companies are affected. Security clearances and background checks can be used to examine the reliability and integrity of both new and current employees.

Employees’ malicious activities against their own organisations are called insider threats. An insider is a current or former employee of an organisation who has access to the employer’s confidential information or to premises with restricted access, and who uses their authorised access in a way that is harmful to the employer. Insider threat incidents come up regularly, but all cases are not reported to the authorities. Sometimes employees may also act unintentionally, i.e. they are not aware of the damage they are causing.

Insider threats may be data thefts, fraud, or sabotage of critical functions such as data systems. They may also involve a foreign intelligence service. Most typically, the stolen data is customer data, product data, and information about business negotiations and cooperation partners.

What makes an organisation vulnerable to data theft?

There may be weaknesses in an organisation’s operation that enable data theft. Common weaknesses include the inability to recognise the organisation’s most critical information requiring protection, the employees’ unrestricted access to information and premises, insufficient log data, inadequate assessment of a job applicant’s background and suitability for the job during the recruitment process, and a lax security culture.

An IT employee of an international company maintaining critical infrastructure got into a dispute with their superiors. The employee was dismissed, but their user access rights and employer devices were not removed immediately. This gave the employee a chance to severely sabotage the functioning of the employer’s data system. The incident caused significant economic and reputational damage to the employer.

A clear threat profile cannot be defined, because insider threat cases differ considerably. However, there are certain underlying motives that are detected often. They are financial gain, ideological reasons, dissatisfaction with one’s work or employer, and problems in private life.

Financial difficulties, such as serious personal indebtedness, may motivate an employee to commit data theft especially in positions where employees have access to financially valuable information. A contradiction between the employee’s own values and the employer’s actions is another typical motive. Often the underlying motives also include disputes at the workplace or dissatisfaction with one’s job. Usually the employee has been working for the organisation for some years before taking action. It is more unusual that someone would seek work in an organisation for the purpose of committing data theft.

An employee of a Finnish company had recurrent problems in the workplace: the employee left assigned tasks unfinished and did not achieve set objectives. The employee quit the job before being dismissed, and started working for a competing company abroad. The Finnish company began to suspect that the employee had stolen critical customer and product data, but the suspicions were never proven.

How can data theft be prevented?

Basic elements of data protection such as data classification and access levels help to prevent insider threats. It is important to limit access to confidential information. Although role-based access control does not alone prevent data theft, it can contribute to reducing the number of potentially malicious insiders.

Security clearances and background checks can be used to examine the reliability and integrity of both new and current employees. For example, checking the applicant’s criminal background helps to assess their suitability for duties requiring reliability and integrity. A background check also helps to assess whether the applicant is giving an honest account of themselves.

The applicant’s expectations about the new job and the workplace community can be influenced in the recruitment stage. Disappointments and disagreements regarding the job can be avoided if, from the beginning, the employee is given a realistic picture of the position’s demands and e.g. opportunities for career advancement.