How to Prevent Data Theft by Employees

The damage that trusted insiders can cause is extraordinary. According to the 2020 Ponemon Institute Cost of Insider Threats report the average cost per insider incident was a staggering $11.5 million in 2020.

Follow these insider data theft prevention tips to protect your company’s sensitive data, misuse, and loss from malicious and negligent insider threats. 

Table of Contents

Data Loss Prevention Tips

1) Prioritize What Data Needs to Be Secured

This tip may sound strange. Surely you want to secure all of your data…right?

That makes perfect sense, but it’s not at all realistic. The data your company possesses is going to be constantly expanding, moving, and changing. There simply isn’t a resource-efficient way to protect everything equally. 

Besides, unnecessarily rigid access controls for non-sensitive data are just going to frustrate your end-users, cause unnecessary negative effects on their productivity, and tempt them to bypass your security controls. 

To help you start prioritizing what data to protect, consider the classes of data your company interacts with.

• Public Data: Data that is intentionally publicly available and does not require access controls, such as details that are shared on your company website
• Internal: Data that isn’t publicly available, but it’s also not likely to be sensitive so limited access controls are necessary to protect it. This includes acceptable use policies, employee handbooks, and internal memos.
• Confidential: Potentially sensitive data that is used internally such as internal pricing documents and contact information. This class of data needs to stay within the company.
• Restricted: Highly sensitive data such as trade secrets, personally identifiable information (PII), and credit card information. If you are in a regulated industry such as healthcare or finance you are likely to have industry-specific regulations for protecting this class of data. Access to restricted data needs to be limited to an as-needed basis, even amongst your team.

From a data theft prevention perspective you can expect that insider threats are going to be the most interested in confidential and restricted data.

Prioritize Data Security With a Risk Matrix

If you’re not certain how to prioritize the data your company interacts with, you can start by referring to a risk matrix. A risk matrix will help you focus your initial efforts as you refine your data loss prevention strategy.

2) Use Encryption On Storage Drives and Individual Files

Encryption protects sensitive data by obfuscating it. The one way to properly view the data is to decrypt it with a decryption key. Encryption can be applied to entire data storage drives (full disk encryption), emails, and specific files. 

The encryption process is reversible, so the original data is still intact. Those who have the matching decryption keys can view the data normally – anyone without the necessary decryption keys will only see the obfuscated data.

Best practices for encryption:

• What to Encrypt: Encrypt sensitive data such as trade secrets, PII such as full names or social security numbers, and credit card data.
• Encrypt Data & Storage: For the greatest security, encrypt individual files AND the devices they’ll be stored in
• Mobile Devices: Ensure that mobile devices such as laptops and cell phones are encrypted to reduce the impacts of loss or theft

Limiting who has access to the decryption keys to an as-needed basis will improve the efficacy of this tip. It will be less effective against insider threats that are trusted with the decryption keys.

3) Limit Data Collection And Retention

The less data that your business has to protect, the better it can allocate its existing resources to protecting what matters. As a best practice you should limit data collection as much as possible and delete any existing data that is no longer relevant to your business.

Periodically culling data that is no longer relevant reduces risk by minimizing the amount of data that would be leaked following a data breach. Retaining data that is no longer relevant to the business may also violate data security/privacy compliance requirements.

4) Limit Access to Sensitive Data

Data access controls are absolutely essential for protecting sensitive data against theft by employees. The classes of data that your Human Resources department requires for their roles will be far different than that of your Finance department. For this reason, you should limit which employees can access sensitive data based on the needs of their role.

• Data Portability: Sensitive data should not be permitted on portable devices such as USB storage devices, mobile phones, and laptops. A removable media policy and USB control software are essential security controls to manage this threat.
• Permission Creep: As roles evolve user accounts may be given additional permissions. Access permissions should be reviewed periodically to ensure that the available permissions are still relevant and necessary. Any permissions that are no longer needed should be restricted until a legitimate need arises.
• Privileged Access Management: Accounts with elevated permissions (such as admin accounts) are particularly high-risk. A PAM solution can restrict the damage that these accounts are capable of by monitoring and limiting the activity of these accounts.

Removable Media
Policy Template

• Set data security standards for portable storage
• Define the acceptable use of removable media
• Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

Get the FREE Template

Need to protect sensitive data from USB portable storage devices? Get started today with a free trial of AccessPatrol, CurrentWare’s USB device control software.

5) Monitor Every Data-Related Action Your Employees Take

You need to keep a careful eye on how your employees are interacting with data. Anomalous behavior could be an indicator of a malicious insider or an account that has been compromised by an external threat. This tip is especially relevant when it comes to employees that are leaving the company or being dismissed. 

• Device Control: Block employees from connecting portable storage devices such as flash drives, cameras, and smartphones to company devices unless it is absolutely necessary for their roles. Use device control software to block USB devices, enforce the exclusive use of authorized USBs, and grant temporary access permissions on an as-needed basis.
• File Operations: Monitor the flow of data by tracking files that are copied, created, renamed, and/or deleted. This is valuable data for investigating the source of a data breach. You can also configure alerts for events that would be considered high-risk in the context of your organization to catch data exfiltration attempts.
• Suspicious Behavior: Watch for anomalous behavior such as unusually large file transfers, attempts to access data that is not typically needed, visiting personal cloud storage websites, or accessing sensitive data at a higher frequency than usual. 

6) Block and Monitor Data Egress Points

Note: The above video showcases a legacy user interface for BrowseReporter. To see the most up-to-date features and interface please visit the BrowseReporter product page

A data egress point is any area that allows data to leave your network. These parts of your network should be carefully monitored and managed to reduce the risk of data loss.

Examples of Data Egress Points:

• Cloud Storage: Unauthorized cloud storage accounts are a common vector for data theft. Malicious insiders simply need to login to their personal online file storage account and upload their desired files. This threat can be mitigated by blocking cloud storage sites with a web filter and monitoring bandwidth consumption for unanticipated spikes.
• File Transfer Protocol: FTP allows users to transfer files over networks such as the internet. To protect against this threat you should block network ports used by FTP. The FTP protocol typically uses port 21, though the receiving client can be configured to use a non-standard port. 
• Email: A common way that data is stolen is by employees attaching sensitive files to emails. Email security risks can be mitigated by blocking access to personal email accounts with a web filter and monitoring email activity with a Secure Email Gateway (SEG). 
• USB Devices: Portable storage devices such as flash drives, cell phones, and cameras are a convenient tool for stealthily transferring files out of the network. Device permissions should be limited to an as-needed basis and carefully monitored for suspicious activity. 

Endpoint Security Tips

7) Block Employees From Using High-Risk Applications

High-risk applications such as peer-to-peer (P2P) file sharing programs, personal instant messaging apps, and cloud storage apps should be blacklisted from your network to prevent files from being sent through them. This can be accomplished using an application blocker.

8) Use a Mobile Device Manager

An MDM provides greater visibility and control over mobile devices such as laptops and smartphones. Should an employee’s device be lost or stolen the data that is stored on the device can be remotely wiped and the device’s location can be tracked.

An MDM can also protect against malicious insiders. If a mobile device has not been returned following an employee’s dismissal or resignation the device can be readily wiped and located to minimize the potential for sensitive data to be retrieved by the ex-employee.

9) Keep Security Patches Up-to-Date

Software and hardware developers regularly release security updates for their products. Be certain to keep operating systems, software, firmware, and other systems up-to-date to protect your endpoints against the latest known threats.

Physical Security Tips for Preventing Data Theft by Employees

10) Protect Sensitive Paper Documents

While the modern workforce is largely digital, there are some industries that rely on paper documents. Paper-based methods may also be reserved as a failsafe in the event that digital means become inaccessible. 

• Limit the Need for Paper: Where possible you should limit the need for sensitive information to be written or printed to a paper format. Digital data collection methods provide greater visibility and control.
• Establish a Shredding Process: Documents that are no longer needed must be disposed of safely. Companies with large-scale paper usage can outsource bulk paper shredding to a trusted third-party service provider.
• Secure Paper Documents: Sensitive printed or written documents must be secured in a designated locked cabinet or similarly secure container.
• Do Not Leave Documents in Printers: As part of employee training you must emphasize the urgency for collecting printed documents. Forgotten documents are a convenient source of sensitive information that insider threats could use.

11) Implement Anti-Theft Measures

Restricting and monitoring physical access to company assets will reduce opportunities for servers, computers, hard drives, and portable storage mediums to be stolen.

Examples of anti-theft measures

• Keep server rooms and confidential waste bins locked
• Install fences, gates, and access cards to restrict unauthorized traffic
• Require the use of security badges to identify employees
• Install surveillance cameras to monitor high-traffic and high-risk areas

Account Security Tips

12) Have Employees Use Strong, Unique Passwords

Reused passwords are an absolute nightmare for data security, yet a shocking 59% of users surveyed in the LastPass Psychology of Passwords Report admit to reusing passwords. 

If a previously used password is made public through a data breach, any accounts that the password was used on are now vulnerable. Using unique passwords for each account limits the amount of damage that can happen when an account is compromised, but it’s tedious to remember hundreds of unique passwords. 

Implementing a secure password manager will ensure that your employee’s passwords are unique and easily accessible. All they will need to remember is a single unique and strong master password that they will use to access the password manager.

How to make a strong master password:

• Make It Unique: Make it entirely unique from any other password used on other accounts. This includes not simply adding a few numbers to the end of an old password. If a previous password is breached, an attacker will build off of that password to try to access other accounts.
• Long & Simple: Think of your master password as more of a passphrase. Use a series of words to create long, simple passwords rather than short and complex ones. These are easier to remember for those that need it and harder for attackers to guess. 

13) Use Multi-Factor Authentication (MFA) on All Accounts

MFA requires users to combine their password with an additional authentication measure such as an SMS, fingerprint scan, authentication app, or a one-time password. This will better protect user accounts should an insider threat attempt to use a coworker’s account in their attack.

14) Separate Business and Personal Assets

Do not allow employees to store or access corporate data using their personal accounts or devices. The amount of monitoring and control that is available for personal devices is limited; a departing employee could accidentally or maliciously retain company data on their devices after their employment has concluded.

15) Limit the Number and Use of Admin Accounts

Privileged accounts such as admin and superuser accounts have fewer (or no) restrictions on what they can do in your network. These accounts need to be closely monitored and controlled to ensure that they are not being abused by insider threats or other bad actors.

Tips for securing privileged accounts

• Do not allow the use of privileged accounts for routine tasks
• Implement greater monitoring and control over privileged accounts
• Limit how many privileged accounts are available
• Delete privileged accounts that are no longer needed
• Monitor all changes to privileged accounts to detect suspicious events

16) Do Not Give Users Control Over Corporate Accounts

Admin-level control of accounts should not be given to individual employees. Instead, applications and services that are needed by your business should be managed by your IT personnel. This helps to ensure that company accounts are adequately secured, backed up, and not lost to disgruntled employees. 

BONUS: Tips for Preventing Data Theft by Employees After a Termination

The employee offboarding process presents significant data security risks. Employees have intimate access to corporate data, insider knowledge of the organization’s systems, and a level of trust that can allow them to steal data undetected.

• 70% of intellectual property theft occurs within the 90 days before an employee’s resignation announcement
• 88% of IT workers have stated that they would take sensitive data with them if they were fired
• 72% of CEOs admit they’ve taken valuable intellectual property (IP) from a former employer
• 50% of respondents in a Symantec survey say they have taken information, and 40% say they will use it in their new jobs

These vulnerabilities need to be addressed as part of any insider threat management program. Click here to learn the best practices for protecting data during a termination and gain access to a downloadable IT offboarding checklist.

Conclusion

It is absolutely critical that your organization is protected against insider data theft. There is no shortage of opportunities for malicious or accidental insiders to steal sensitive company data.

To best prevent data theft by employees you need to control where it will be stored, limit access to an as-needed basis, monitor employees for suspicious activity, and implement a layered security approach that addresses as many potential vulnerabilities as possible.

Get started today with a free trial of CurrentWare’s user activity monitoring and data loss prevention software solutions.