Securing Data from the Malicious Insider

Lindsay Gill.jpg


Lindsay Gill, CFE, Director of Forensic Technology
Forensic Strategic Solutions Inc. 

A key salesman left a manufacturing company, purportedly to work in sales in another industry. Under normal circumstances a company would be disappointed to lose a key salesman. However, in this instance, while productive, the salesman was a troublemaker and a constant source of negativity.  Shortly after this salesman left the president and CEO of the company received a call from one of his top customers. The customer had just received a call from the company’s No. 1 competitor; this competitor was able to tell the customer the details of his latest order with the president’s company. The president and customer alike were concerned about how confidential company information was available to a competitor. After much reassurance to the customer, the president was able to save the order.

The president then engaged our firm to perform digital forensics and get to the bottom of things. We imaged the hard drives of the sales department. Upon analysis of the former salesman’s computer we found that immediately prior to leaving, the salesman had saved the companies detailed customer list to a USB drive. We also found frequent emails to his personal email address (webmail account) that included attachments containing order histories for key customers. Additionally, we analyzed the email exchange server and found emails between the former salesman and current sales staff. The email address being used by the former salesman was with the competitor in question. While the emails were innocent chit chat it revealed that the former salesman had not been truthful about his new place of employment, a fact which violated a non-compete agreement. Investigation of the corporate phone system indicated frequent calls from the former salesman’s cell phone to the current sales staff. We found that the current sales staff was relaying information to the former salesman during these “innocent” calls catching up on their day to day activity.

Situations like this occur more frequently than business owners would like to think. So what are some of the key signs employers should look for to help identify the malicious insider?

  • Employees who have a grudge against the company or are constantly talking about changing jobs
  • Increased rule-breaking or misbehavior
    • Physical altercations
    • Breaking dress code
    • Suspicious behavior
    • Signs of extreme stress

In addition to paying attention to how your employees are behaving, you need to implement monitoring technology to pinpoint the following:

  • Increased or unusual patterns in network/workplace access
  • Log reports of attempted unauthorized access
  • Large data transfers during nonbusiness hours
  • Frequent emails to outsiders with attachments
  • Excessive file downloads

As always, educating employees about the importance of security is always the first step in protecting company information. Annual renewals of non-disclosure agreements and employee education are key to protecting your company from the malicious insider and creating a culture of security.