Almost half (45%) of office employees would be willing to sell corporate information to people outside their organisation, according to new research from Deep Secure that exposes the extent of the insider threat. Just £1,000 would be enough to tempt 25% of employees to give away company information – and 5% would give it away for free.
The ‘What is the Price of Loyalty‘ report reveals how 15% of office workers reported that for £1,000, they would pass on confidential market information about their company or customers’ businesses, details of their firm’s sales pipeline, sensitive information relating to their colleagues, and customer information. One in 10 respondents (10%) would also sell intellectual property, such as product specifications, product code and patents, for £250 or less.
This is not just a hypothetical threat – with 59% of office workers admitting to having taken information off corporate networks. In some instances, this was for personal use, with the potential value to the individual’s future career success a key driver: either because it would be of use in a new role or they wanted to keep a record of their work (both 12% respectively).
However, 47% of those that had taken information from their corporate network admitted it was given to a third-party (rising to 62% among male respondents). Frequently the information was taken from a previous company and given to their new employer or employees (16% and 19%), but 17% were approached by someone they didn’t know.
The findings also reveal that criminals are targeting younger employees: one in five (19%) respondents in graduate-level roles admit that they were paid to source the information, with 29% of 16-24-year-olds reporting they had been approached by someone they didn’t know to take it.
Exfiltration tactics
When exploring how this information is being taken, some individuals report using traditional techniques to take information from corporate networks, including printing, handwriting and taking a photo of the information (11%, 9% and 8% respectively).
However, digital techniques are more commonly used with 11% of respondents reporting having sent the information to the third-party by email, directly uploading it into their personal cloud storage, or given it them on an external storage device.
Eight per cent also reported using cyber tools to hide and exfiltrate company information (such as steganography or encryption). This was not only prevalent in the IT & Telecoms industry (13% of respondents), but the HR and finance industry also reported comparable use of cyber tools (15% and 12% respectively).
The use of cyber tools to steal company information has been democratised by the availability of toolkits on the dark web. For example, steganography toolkits, which enable cybercriminals to encode information into an image or text, can be downloaded for free and guarantee an undetectable route for getting information out of the company network.
Commenting on the findings, Dan Turner, CEO of Deep Secure said:
“The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016.
“Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he continued.
A mixture of detection and prevention technologies is needed to truly mitigate the risk of malicious insiders using digital and cyber tactics to exfiltrate information. Prevention technologies, like Content Threat Removal, are capable of removing 100% of information hidden in images using steganography, no matter whether it’s emailed or uploaded to cloud storage. This frustrates cybercriminals’ efforts when using more sophisticated methods, like steganography. In turn, this forces cybercriminals to send the information out in plain sight, which immediately increases an organisation’s chance of their Data Loss Prevention solution identifying the exfiltration and the culprit.